Infogix Assure, Insight, Perceive and ER utilize both democert and cacerts keystores, depending on the action performed in the product.
The democert within Infogix installation files is used in the following scenarios :
- Inter-product processing
- Server-util script executions triggered by the product
The cacerts within Java's installation directory is used in the following scenarios
- Server-util script executions triggered by a user (command prompt / terminal)
- Assure Client script executions
Without having the necessary certificates in the correct locations, you will run across the following error message when connecting to an HTTPS endpoint :
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
For certificates signed by a Certificate Authority, both democert and cacerts will require three certificates: the root, intermediate and CA signed certificate. The CA signed certificate must include each of the application servers being utilized as a "subject alternative name" along with any applicable load balancers and/or web servers.
The CA signed certificate may be replaced by a .pfx file ( which includes all three of the aforementioned certificates ) depending on the team's applications server setup ( i.e. WebSphere's "node default personal keystore" hosts the CA signed certificate ).
Updating democert with new certificates
Assure, Insight, Perceive and ER servers have their own copy of democert stored within the following location :
Please note that the file within the directory above is utilized during the deployment process and will not be overwritten when running the "clean" script. The deployment process will place this keystore within the locations below. You do not need to individual update these keystores - a deploy will perform this task for you.
Configuring server installations to leverage democert
By default, the server JVMs will use the local Java installation's cacerts. Scripts triggered within Assure, Insight, Perceive and ER's server-util directory.
For Wildfly deployments, this controlled by the WILDFLY_JAVA_OPTIONS within appserver.properties. For WebSphere, this is controlled by the JVM arguments within the WebSphere admin console.
For the Wildfly and WebSphere, the following JVM argument will need to be added, with the hard-coded path to the Infogix democert:
Server-side script executions
By default, script triggered within Assure, Insight, Perceive and ER's server-util directory point to the Infogix democert. This is controlled by the CLIENT_JAVA_OPTIONS setting within appserver.properties. No action is required if the default truststore argument is in place:
CLIENT_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=%CONFPATH%/democert.keystore -Djavax.net.ssl.trustStorePassword=democert -Xmx128m
Updating cacerts with new certificates
This is required for server installations that do not override the truststore location from Java's default cacerts to the Infogix democert.
This is also required for Assure client and ER client installations.
This is important as end-users who utilize clients will be required to update their cacerts to allow communication to a SSL server setup.
Java's cacerts is located within the following location :
To update cacerts with new certificates, please utilize the following article for details regarding how to import certificates. A redeploy of the Infogix products is not required for this change to take effect.