FT

5.8 5.6

Skip to end of metadata
Go to start of metadata

Introduction

When you make Nuxeo discuss with other servers through different APIs, you need to add the authentication certificate and your trust store because:

  • Establishing connection requires to expose the certificate to the remote server,
  • the remote server exposes a self-signed certificate or a certificate signed by a certification authority not known by the standard Key Store.

When your Nuxeo server establishes a remote connection, the remote server exposes a certificate that is his ID card on the network so the Nuxeo server is assured to communicate with a trusted server. Instead passing through detector to trust it, this certificate has been signed by an authority of certification. The trust store contains all certificates of the authorities that will be trusted by the JVM, especially for SSL connections and more particularly HTTPS connections.

The Key Store will contains all the keys needed by the JVM to be authenticated to a remote server.

There are 2 ways to configure these:

  • setting the Trust Store and the Key Store statically
  • setting it dynamically
In this section
Icon

If you set a custom trust store with your authorities exclusively, Marketplace, Studio and hot fix distribution integration will not work anymore since these servers expose certificates available in the default trust store. So I suggest that you add your certificates to the default one.

Static Trust Store and Key Store

To set the trust store and key store statically, you just have to add the following parameter into the environment variable:

What for

Parameter name

Comment

Trust Store Path

javax.net.ssl.trustStore

 

Trust Store Type

javax.net.ssl.keyStoreType

JKS for instance

Key Store Path

javax.net.ssl.keyStore

 

Key Store Password

javax.net.ssl.keyStorePassword

 

So if you want to set them at start time, you can add the following parameter either:

  • into your JAVA_OPTS:
    $NUXEO_HOME/bin/nuxeo.conf
  • or into your Java code:
    MyClass.java

Dynamic Trust Store

...TODO...

Adding your Certificates into the default Trust Store

You will find the default trust store delivered with your JVM in:

$JAVA_HOME/lib/security/cacerts

For instance in Mac OS, it is in:

/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts

By default the password for this Trust Store is "changeit".

So to add your certificates to the default trust store:

  1. Copy the default trust store.
  2. Launch the following command line to add your certificate to the default trust store copy:
    keytool -import -file /path/to/your/certificate.pem -alias NameYouWantToGiveOfYourCertificate -keystore /path/to/the/copy/of/the/default/truststore.jks -storepass changeit
    
  3. Set the trust store copy as your either statically or dynamically.
  4. Restart your Nuxeo instance.

Troubles

If your Nuxeo instance cannot access to Connect anymore, the Marketplace and Hot Fixes are no longer automatically available (through the Update Center for instance), this can mean that the trust store does not contain the certificates from the authority that signed Nuxeo Servers certificates.

If you have the following error in your logs during the connection establishment:

It means that the remote certificate is not trusted.

The following messages mean there is no trust store or key store set for your JVM:

or

This means you must have broken at least the default configuration.

If you have one of the following error, the remote server has been trusted but it asks for authentication and there is no key for that:

or

The following error can mean that the set key store is not available:

2 Comments

  1. Hello,

    IMHO the correct path to cacerts is : $JAVA_HOME/jre/lib/security/cacerts (add "jre" folder)

    As requirements told that Nuxeo needs a JDK : Hardware and Software Requirements

    Regards 

  2. An other error IMHO :

    Trust Store Type

    javax.net.ssl.keyStoreType javax.net.ssl.trustStoreType

    see : http://docs.oracle.com/cd/B19306_01/java.102/b14355/sslthin.htm#sthref521