We recommend switching to the latest versions of Edge, Firefox, Chrome or Safari. Using Internet Explorer will result in a loss of website functionality.
Our Support systems migrated on Saturday, May 21. We'll automatically forward you to the new location for this content.

Articles in this section

See more

Where to import certificates into Assure, Insight, Perceive and ER

Avatar
Matthew Kennedy
  • Updated
Follow

Infogix Assure, Insight, Perceive and ER utilize both democert and cacerts keystores, depending on the action performed in the product. 

The democert within Infogix installation files is used in the following scenarios :

  • Inter-product processing
  • Server-util script executions triggered by the product

The cacerts within Java's installation directory is used in the following scenarios

  • Server-util script executions triggered by a user (command prompt / terminal)
  • Assure Client script executions

Without having the necessary certificates in the correct locations, you will run across the following error message when connecting to an HTTPS endpoint :

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

For certificates signed by a Certificate Authority, both democert and cacerts will require three certificates: the root, intermediate and CA signed certificate. The CA signed certificate must include each of the application servers being utilized as a "subject alternative name" along with any applicable load balancers and/or web servers.

The CA signed certificate may be replaced by a .pfx file ( which includes all three of the aforementioned certificates ) depending on the team's applications server setup ( i.e. WebSphere's "node default personal keystore" hosts the CA signed certificate ).

Updating democert with new certificates 

Assure, Insight, Perceive and ER servers have their own copy of democert stored within the following location :

<install_home>/components/system/conf/democert.keystore

To update the democert with new certificates, please utilize the following article for details regarding how to import certificates, followed by a redeploy of each product updated. 

Please note that the file within the directory above is utilized during the deployment process and will not be overwritten when running the "clean" script. The deployment process will place this keystore within the locations below. You do not need to individual update these keystores - a deploy will perform this task for you. 

<install_home>/igx-data/<jvm>/IA/config/democert.keystore
<install_home>/igx-data/<jvm>/II/config/democert.keystore
<install_home>/igx-data/<jvm>/IV/config/democert.keystore
<install_home>/igx-data/<jvm>/ER/config/democert.keystore

Configuring server installations to leverage democert

Application JVMs

By default, the server JVMs will use the local Java installation's cacerts. Scripts triggered within Assure, Insight, Perceive and ER's server-util directory.

For Wildfly deployments, this controlled by the WILDFLY_JAVA_OPTIONS within appserver.properties. For WebSphere, this is controlled by the JVM arguments within the WebSphere admin console.

For the Wildfly and WebSphere, the following JVM argument will need to be added, with the hard-coded path to the Infogix democert:

-Djavax.net.ssl.trustStore=/opt/Infogix/components/system/conf/democert.keystore

Server-side script executions

By default, script triggered within Assure, Insight, Perceive and ER's server-util directory point to the Infogix democert. This is controlled by the CLIENT_JAVA_OPTIONS setting within appserver.properties. No action is required if the default truststore argument is in place:

CLIENT_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=%CONFPATH%/democert.keystore -Djavax.net.ssl.trustStorePassword=democert -Xmx128m

Updating cacerts with new certificates

This is required for server installations that do not override the truststore location from Java's default cacerts to the Infogix democert. 

This is also required for Assure client and ER client installations.

This is important as end-users who utilize clients will be required to update their cacerts to allow communication to a SSL server setup.

Java's cacerts is located within the following location :

<java_home>/lib/security/cacerts

To update cacerts with new certificates, please utilize the following article for details regarding how to import certificates. A redeploy of the Infogix products is not required for this change to take effect. 

Related articles

Comments

0 comments

Please sign in to leave a comment.