Menu Search

7.13. Truststores

Truststores have a number of roles within the Broker.

  • A truststore is required by a Port in order to support SSL client authentication.

  • Truststores have a optional role in end to end message encryption. The Broker acts as a Key Server so that publishing applications have convenient access to recipient's public keys.

  • Some authentication providers also use a truststore when connecting to authentication systems that are protected by a private issuer SSL certificate.

7.13.1. Types

The following truststore types are supported.

  • File Trust Store. This type accepts the standard JKS truststore format understood by Java and Java tools such as keytool.

  • Non Java Trust Store. A non java trust store accepts key material in PEM and DER file formats. Either a path to the certificate on the server can be specified using the file:// protocol or the certificate can be uploaded with the data:// protocol

  • Managed Certificate Store. This type accepts key material in PEM and DER file formats. Contrary to the Non Java Trust Store this store allows the user to add multiple certificates and stores them in the broker configuration.

  • Site Specific Trust Store. This type will download a certificate from the provided SSL/TLS enabled URL. Note that you must specify both the protocol and the port. Example: https://example.com:443

7.13.2. Attributes

  • Name the truststore. Used to identify the truststore.

  • Exposed as Message Source. If enabled, the Broker will distribute certificates contained within the truststore to clients. Used by the end to end message encryption feature.

  • Trust Anchor Validity Enforced. If enabled, authentications will fail if the trust anchor's validity date has not yet been reached or already expired.

Revocation attributes.

  • Enabled. If set to true certificate revocation check is performed when client tries to connect.

  • Only End Entity. If enabled, check only the revocation status of end-entity certificates.

  • Prefer CRLs. If enabled, prefer CRL (specified in certificate distribution points) to OCSP, if disabled prefer OCSP to CRL.

  • No Fallback. If enabled, disable fallback to CRL/OCSP (if Prefer CRLs set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points).

  • Ignore Soft Failures. If enabled, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns internalError or tryLater.

  • Server CRL Path Or Upload. Path to Certificate Revocation List file. If set, certificate revocation check uses only set CRL file and ignores CRL Distribution Points in certificate.

The following attributes apply to File Trust Stores only.

  • Path. Path to truststore file

  • Truststore password. Password used to secure the truststore

    Important

    The password of the certificate used by the Broker must match the password of the keystore itself.

  • Certificate Alias. An optional way of specifying which certificate the broker should use if the keystore contains multiple entries.

  • Manager Factory Algorithm. In keystores the have more than one certificate, the alias identifies the certificate to be used.

  • Key Store Type. Type of Keystore.

  • Peers only. When "Peers Only" option is selected for the Truststore it will allow authenticate only those clients that present a certificate exactly matching a certificate contained within the Truststore database.

The following attributes apply to Non Java Trust Stores only.

  • Certificates. The cerificate(s) in DER or PEM format.

7.13.3. Children

None

7.13.4. Lifecycle

Not supported