PhenixID

PSD1170 – How to make JRE trust Windows Cert

Summary

PhenixID products are based on Java, which uses the JRE’s trust store by default. This article explains how to configure PhenixID products to use the Windows trust store when they are running on a Microsoft Windows system.

Prerequisite

PhenixID product installed on Windows OS.

Overview

JAVA default trust store

In most cases, an application uses a truststore when it needs to communicate over SSL/TLS. Java bundles a truststore called cacerts, which resides in the $JAVA_HOME/jre/lib/security directory.

Make JAVA use Windows trust store

When PhenixID products are running in a Microsoft Windows environment, you can configure them to use the Windows trust store, so that the Windows administrators can manage the trusted certificates.
Set the property javax.net.ssl.trustStoreType to the value Windows-ROOT to instruct Java to refer to the native Windows ROOT keystore for trusted certificates, which includes root CAs.
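
To see which root certificates Java will trust with this keystore type, the following added example (not PhenixID code; the class name ListWindowsRoot and the optional filter argument are assumptions of the example) loads the Windows-ROOT keystore and prints each certificate's subject, expiry, validity state and SHA-1 thumbprint, so the output can be compared with the thumbprints shown in the Windows certificate manager.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;

// Added example: lists the trust anchors Java sees in the Windows-ROOT keystore.
// Usage (Windows only): java ListWindowsRoot [subject-filter]
public class ListWindowsRoot {
    public static void main(String[] args) throws Exception {
        // Optional case-insensitive substring to match against the subject DN.
        String filter = args.length > 0 ? args[0].toLowerCase(Locale.ROOT) : "";

        // Same keystore type that javax.net.ssl.trustStoreType=Windows-ROOT selects.
        KeyStore ks = KeyStore.getInstance("Windows-ROOT");
        ks.load(null, null); // native store: no file stream, no password

        int shown = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            String subject = x509.getSubjectX500Principal().getName();
            if (!subject.toLowerCase(Locale.ROOT).contains(filter)) continue;

            String state;
            try {
                x509.checkValidity(); // throws if expired or not yet valid
                state = "valid";
            } catch (CertificateException e) {
                state = "EXPIRED-OR-NOT-YET-VALID";
            }
            System.out.printf("%s%n  notAfter=%s  state=%s%n  sha1=%s%n",
                    subject, x509.getNotAfter(), state, sha1Hex(x509.getEncoded()));
            shown++;
        }
        if (shown == 0) {
            System.err.println("No matching certificate in Windows-ROOT");
            System.exit(1); // non-zero exit so a script can detect a missing CA
        }
    }

    // SHA-1 of the DER encoding, upper-case hex, as in the Windows "Thumbprint" field.
    private static String sha1Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(der)) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Run it with the JRE the product uses and under the same Windows account as the service, so that the store it lists is the one the service sees.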

Configuration

PhenixID Identity Provisioning (PIP)

Configure PIP to use the Windows keystore.

  1. Open Windows Explorer and find files:
    1. Provisioning Configurator.vmoptions
    2. Provisioning Service.vmoptions
  2. Open the files with a text editor
  3. Add the following JAVA option to both files
    1. -Djavax.net.ssl.trustStoreType=Windows-ROOT
  4. Save and close both files
  5. Restart PIP service and/or PIP Configurator

NOTE: An upgrade of PIP should keep this setting. But good practice is to verify the setting after an upgrade!

PhenixID Identity Manager (PIM)

Configure PIM to use the Windows keystore.

  1. Open Windows Explorer and find file:
    1. PhenixIDIMw.exe
      (\..\PhenixID\IM\server\bin)
  2. Launch PhenixIDIMw.exe
  3. Click JAVA tab
  4. Add in JAVA options:
    1. -Djavax.net.ssl.trustStoreType=Windows-ROOT
  5. Click OK
  6. Restart PIM service

NOTE: An upgrade of PIM should keep this setting. But good practice is to verify the setting after an upgrade!

PhenixID Authentication Server (PAS)

Please add the following java option to “phenixidservice.vmoptions”

-Djavax.net.ssl.trustStoreType=Windows-ROOT


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se