On 11/28/2017 12:01 PM, Markovich via FreeIPA-users wrote:
Hello FreeIpa community!

I'm a bit confused about JKS "/etc/pki/java/cacerts".
Am I right, that default password for this JKS is "changeit"?
Can I change this password? If yes, should it be the same on all hosts connected to FreeIpa?
Will it be a problem later for FreeIpa? Should I somehow tell FreeIpa this password?

Also what is the best practice to tell java to trust FreeIpa CA?

Regards,
Andrey
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

in order to configure your truststore in a Java application, you can either
- launch the Java app with -Djavax.net.ssl.trustStore=/path/to/keystore
- define the value in the Java code with System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore")

If javax.net.ssl.trustStore is not defined, then Java will look in $java-home/lib/security/jssecacerts or $java-home/lib/security/cacerts (see JSSE Reference Guide [1]).

If you are using OpenJDK for instance, $java-home/lib/security/cacerts is a link to /etc/pki/java/cacerts. The default password is "changeit", and this keystore can be modified using update-ca-trust(8).

I don't think that FreeIPA is relying on this file. For instance Dogtag (the CA component) is running inside Tomcat and is using /etc/pki/pki-tomcat/alias, which is an NSS database.

Flo

[1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores
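The reply above describes two ways to point a JVM at a truststore and where the default one lives. The following program is an added example, not code from the thread or from the FreeIPA project: it opens the truststore (defaulting to /etc/pki/java/cacerts with the "changeit" password unless the javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword properties override it), checks whether the IPA CA certificate is present, and then builds an SSLContext from that store explicitly instead of relying on the JVM's implicit lookup. The CA path /etc/ipa/ca.crt is an assumption about where the IPA CA certificate sits on the client; adjust it for your deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class IpaTrustCheck {
    // Assumptions (not stated in the thread): the truststore is the OpenJDK
    // system one, its password is the default "changeit", and the IPA CA
    // certificate is available in PEM form at /etc/ipa/ca.crt.
    static final String TRUSTSTORE =
        System.getProperty("javax.net.ssl.trustStore", "/etc/pki/java/cacerts");
    static final char[] PASSWORD =
        System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
    static final String IPA_CA_FILE = "/etc/ipa/ca.crt";

    // Load the keystore. Passing the password makes KeyStore.load() verify the
    // store's integrity MAC; passing null would skip that check but still read
    // the (public) certificates.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Parse a single PEM/DER encoded X.509 certificate from disk.
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Return the alias under which this exact certificate is stored as a
    // trusted entry, or null when the store does not contain it.
    static String findTrustedAlias(KeyStore ks, X509Certificate cert) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && cert.equals(ks.getCertificate(alias))) {
                return alias;
            }
        }
        return null;
    }

    // Programmatic equivalent of -Djavax.net.ssl.trustStore: build an
    // SSLContext whose trust managers are backed by the given keystore and
    // make it the process-wide default.
    static SSLContext installTrust(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore(TRUSTSTORE, PASSWORD);
        X509Certificate ipaCa = readCert(IPA_CA_FILE);

        String alias = findTrustedAlias(ks, ipaCa);
        if (alias == null) {
            System.err.println("IPA CA (" + ipaCa.getSubjectX500Principal()
                + ") is not in " + TRUSTSTORE + "; add it via update-ca-trust or keytool -importcert");
            System.exit(1);
        }
        System.out.println("IPA CA trusted as alias '" + alias + "' in " + TRUSTSTORE);

        installTrust(ks);
        System.out.println("Default SSLContext now uses " + TRUSTSTORE);
    }
}
```

Two practical points follow from this. First, a JKS truststore holds only public certificates, so its password protects integrity rather than confidentiality; if you change it, every JVM that loads the store with the password (as above) must be given the new value, typically via -Djavax.net.ssl.trustStorePassword. Second, on distributions where /etc/pki/java/cacerts is regenerated by update-ca-trust, an alias added directly with keytool can be discarded on the next run, so adding the CA to the system trust anchors and letting update-ca-trust rebuild the Java store is the more durable route.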
