When you make Nuxeo communicate with other servers through different APIs, you need to add the authentication certificate and your trust store because:
- establishing the connection requires exposing a certificate to the remote server,
- the remote server exposes a self-signed certificate, or a certificate signed by a certification authority not known to the standard trust store.
When your Nuxeo server establishes a remote connection, the remote server presents a certificate that acts as its identity card on the network, so the Nuxeo server can be sure it is communicating with a trusted server. Rather than being inspected and trusted one by one, this certificate has been signed by a certification authority. The trust store contains all the certificates of the authorities that the JVM will trust, in particular for SSL connections and more specifically HTTPS connections.
The key store contains all the keys the JVM needs to authenticate itself to a remote server.
There are 2 ways to configure these:
- setting the trust store and the key store statically
- setting them dynamically
If you set a custom trust store containing your authorities exclusively, Marketplace, Studio and hotfix distribution integration will no longer work, since these servers expose certificates that are only trusted through the default trust store. So I suggest that you add your certificates to the default one.
Static Trust Store and Key Store
To set the trust store and key store statically, you just have to add the following parameters to the environment variable:
- Trust store path
- Trust store type (JKS for instance)
- Key store path
- Key store password
So if you want to set them at start time, you can add the following parameters either at the command line:
or in your Java code:
Dynamic Trust Store
Adding your Certificates into the default Trust Store
You will find the default trust store delivered with your JVM in:
For instance on Mac OS, it is in:
By default the password for this Trust Store is "changeit".
So to add your certificates to the default trust store:
- Copy the default trust store.
- Launch the following command line to add your certificate to the copy of the default trust store:
- Set the trust store copy as yours, either statically or dynamically.
- Restart your Nuxeo instance.
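As an added example (not a script from the Nuxeo documentation or project), here is the static configuration described above and the copy-and-import procedure combined in one POSIX shell script. It assumes that the JDK's keytool is the command line referred to above, that the JVM reads the standard JSSE system properties javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, and that the resulting options are appended to the JAVA_OPTS line of nuxeo.conf; all paths and the certificate alias are placeholders.

```shell
#!/bin/sh
# Added example, not Nuxeo's own script: copy the JVM's default trust store,
# import an extra CA certificate into the copy with keytool, and print the JVM
# system properties that point Nuxeo at the copy. The paths, the alias and the
# nuxeo.conf JAVA_OPTS line are assumptions, not taken from the documentation.
set -eu

# Locate the cacerts file shipped with the JVM under the given home (or $JAVA_HOME).
# JDK 9+ keeps it in lib/security, JDK 8 and earlier in jre/lib/security.
find_default_cacerts() {
    _home="${1:-${JAVA_HOME:-}}"
    for _candidate in "$_home/lib/security/cacerts" "$_home/jre/lib/security/cacerts"; do
        if [ -f "$_candidate" ]; then
            printf '%s\n' "$_candidate"
            return 0
        fi
    done
    return 1
}

# Build the JSSE system properties for a static configuration.
# Arguments: trust store path, trust store type, [key store path], [key store password].
# The key store options are only appended when a key store path is given.
jsse_jvm_opts() {
    _opts="-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStoreType=$2"
    if [ -n "${3:-}" ]; then
        _opts="$_opts -Djavax.net.ssl.keyStore=$3"
        if [ -n "${4:-}" ]; then
            _opts="$_opts -Djavax.net.ssl.keyStorePassword=$4"
        fi
    fi
    printf '%s\n' "$_opts"
}

# Copy the default trust store and import one CA certificate (PEM or DER) into the copy.
# Arguments: source cacerts, destination copy, certificate file, alias.
# "changeit" is the default trust store password quoted above; override it with STOREPASS.
import_ca_into_copy() {
    _src="$1"; _dst="$2"; _cert="$3"; _alias="$4"
    _pass="${STOREPASS:-changeit}"
    cp "$_src" "$_dst"
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$_dst" -storepass "$_pass" \
        -alias "$_alias" -file "$_cert"
    # Verify the entry really landed in the copy before pointing a JVM at it.
    keytool -list -keystore "$_dst" -storepass "$_pass" -alias "$_alias" >/dev/null
}

# Usage (assumed paths): sh add-ca.sh /etc/nuxeo/cacerts-copy my-ca.pem my-ca-alias
# Only runs when called with three arguments, so sourcing the file is side-effect free.
if [ "$#" -eq 3 ]; then
    _default="$(find_default_cacerts)"
    import_ca_into_copy "$_default" "$1" "$2" "$3"
    printf 'Append to the JAVA_OPTS line of nuxeo.conf: %s\n' "$(jsse_jvm_opts "$1" JKS)"
fi
```

Because -Djavax.net.ssl.keyStorePassword ends up on the JVM command line, it is readable by anyone who can list processes on the host, so keep the key store file and nuxeo.conf readable only by the account that runs Nuxeo.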
If your Nuxeo instance can no longer access Connect, so that the Marketplace and hotfixes are no longer automatically available (through the Update Center, for instance), this can mean that the trust store does not contain the certificates of the authority that signed the Nuxeo servers' certificates.
If you have the following error in your logs while the connection is being established:
it means that the remote certificate is not trusted.
The following messages mean that no trust store or key store is set for your JVM:
This means you must have broken at least the default configuration.
If you have one of the following errors, the remote server has been trusted but it asks for client authentication and there is no key for that:
The following error can mean that the configured key store is not available:
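As an added example, not taken from the page, here is a small log triage script that sorts handshake errors into the situations described above. The message fragments it matches are standard JDK/JSSE wording ("PKIX path building failed", "Received fatal alert: bad_certificate", "Error constructing implementation" for the default SSL context); the mapping of those messages to "untrusted remote certificate", "client authentication requested but no key" and "key store not available" is my reading of the JSSE behaviour rather than the page's own error listing, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Nuxeo documentation: classify JSSE handshake errors
# found in a log into the cases discussed above. The matched fragments are
# standard JDK wording; the sample log below is constructed for illustration.
set -eu

# Map one log line to a diagnosis. Echoes one of:
#   untrusted-remote-cert  - the remote certificate chain is not in the trust store
#   client-auth-missing    - the server asked for a client certificate and the JVM had none to offer
#   keystore-unavailable   - the default SSL context could not load the configured key store
#   other                  - a handshake failure this script does not recognise
classify_ssl_error() {
    case "$1" in
        *"PKIX path building failed"*|*"unable to find valid certification path"*)
            printf 'untrusted-remote-cert\n' ;;
        *"Received fatal alert: bad_certificate"*|*"Received fatal alert: certificate_required"*)
            printf 'client-auth-missing\n' ;;
        *"Error constructing implementation"*|*"Keystore was tampered with, or password was incorrect"*)
            printf 'keystore-unavailable\n' ;;
        *)
            printf 'other\n' ;;
    esac
}

# Read a log on stdin and print one "<category> <count>" line per category seen,
# considering only lines that look like JSSE/key store failures.
summarise_ssl_errors() {
    while IFS= read -r _line; do
        case "$_line" in
            *SSLHandshakeException*|*ValidatorException*|*"Error constructing implementation"*|*"Keystore was tampered"*)
                classify_ssl_error "$_line" ;;
        esac
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log (not real Nuxeo output): one line per situation plus noise.
SAMPLE_LOG='2024-01-01 10:00:00,000 ERROR [main] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-01-01 10:00:01,000 ERROR [main] javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
2024-01-01 10:00:02,000 ERROR [main] java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
2024-01-01 10:00:03,000 INFO  [main] Nuxeo started'

# Usage: sh triage.sh < server.log   (with no stdin redirect, the constructed sample is used)
if [ "$#" -eq 1 ] && [ "$1" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarise_ssl_errors
fi
```

Run it with --sample to see the three categories counted once each; feeding a real server.log to summarise_ssl_errors tells you which of the fixes above to apply before you start editing trust stores.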