ActiveGate connects to third-party systems like VMware, Cloud Foundry, and cloud infrastructures using SSL-secured channels. The root CA certificate store shipped with Java is sometimes insufficient to cover all required use cases. The solution is to provide a customized list of trusted root certificates.
You can choose from one of two options:
- You can use a set of Java system properties to indicate a single place for your trusted store that won't be overwritten with the next ActiveGate update.
- You can provide your own certificates, and ActiveGate will combine them with the defaults.
Java trusted store configuration
By default, Java looks for trusted certificates in three locations:
- The location defined by the javax.net.ssl.trustStore system property.
- Two files in the java-home/lib/security directory:
  - jssecacerts file (initially, this file is absent).
  - cacerts file (by default, shipped with Java).
The ActiveGate installer replaces the Java directory with every update. As a result, any modifications to the cacerts file will be overwritten. To preserve a customized list of trusted root certificates in Java, use the javax.net.ssl.trustStore system property in the launcheruserconfig.conf file. The launcheruserconfig.conf file is preserved during ActiveGate updates.
To modify the root CA certificate store in Java so that it's preserved during ActiveGate updates:
- Copy the cacerts file to a location outside the Java directory that the ActiveGate installer replaces.
- Edit the launcheruserconfig.conf file located in:
- Use javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to specify the root certificate file location and its password using a set of Java system properties with the -D option after -vmargs, for example:
-vmargs -Djavax.net.ssl.trustStore=/etc/MyJavaStore/cacerts -Djavax.net.ssl.trustStorePassword=changeit
Create a PKCS12 or JKS trusted file from a CA certificate
Java can use PKCS12 certificate files created using the Java keytool utility but not certificate files created with OpenSSL. You can create a PKCS12 or JKS trusted file from a CA certificate. Execute the following command on either Linux or Windows (depending on your installation).
- To create a PKCS12 trusted file from a CA certificate:
keytool -import -noprompt -alias myCertAuthority -keystore mytrust.p12 -storetype pkcs12 -file CA.crt
- To create a JKS trusted file from a CA certificate:
keytool -import -noprompt -alias myCertAuthority -keystore mytrust.jks -storetype jks -file CA.crt
ActiveGate custom trusted store configuration
This feature is only available with ActiveGate version 1.169+.
The custom Java configuration requires the system administrator to keep all root CAs up to date. An alternative solution is to merge the root CA certificates provided with the Java installation with a list of root CA certificates managed by your organization. This can be done in ActiveGate by configuring a custom trust store file.
Configuring custom trust store file
To configure ActiveGate to use a custom trust store file:
- Copy the trusted.jks file to the SSL directory.
- Add the following entries to the
[collector]
trustedstore = trusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS
ActiveGate always logs its actions related to the above configuration. The configured trust store won't be used (and the trust store configuration will be left unchanged) if any of the following is true:
- The javax.net.ssl.trustStore system property is specified. If this property is specified, it takes precedence over the ActiveGate configuration.
- The configured trust store can't be read using the configured path, password, and type.
- The java-home/lib/security/cacerts file can't be read using the default password.
- The merged configuration can't be written to the
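The following script is an added example (not from the Dynatrace documentation or the ActiveGate product) that builds the merged trust store described above with keytool and then checks it the way the conditions above describe: the store must be readable with the configured path, password and type, and Java's own cacerts must open with its default password. It assumes keytool is on PATH, JAVA_HOME points at the ActiveGate JDK, the default cacerts password is changeit, and the [collector] entries live in a file passed as an argument; the alias orgCA is a constructed name.

```shell
#!/bin/sh
# Added example: merge the JDK default cacerts with an organization CA and
# validate the result against the [collector] trustedstore settings.
# Assumptions: keytool on PATH, JAVA_HOME set, default cacerts password "changeit".

# Read one key from the [collector] section of a config file (third arg = default).
collector_value() {  # collector_value <config-file> <key> [default]
  val=$(sed -n '/^\[collector\]/,/^\[/p' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n1)
  printf '%s\n' "${val:-$3}"
}

# Only the two store types Java reads for a trust store are accepted.
valid_store_type() {
  case "$1" in JKS|jks|PKCS12|pkcs12) return 0 ;; *) return 1 ;; esac
}

# Copy the JDK's default cacerts into a new store, then import the org CA.
# Returns 2 when keytool is unavailable so callers can distinguish that case.
build_merged_store() {  # build_merged_store <org-ca.crt> <out-store> <password>
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  default="${JAVA_HOME:?JAVA_HOME not set}/lib/security/cacerts"
  # Condition from the docs: default cacerts must open with the default password.
  keytool -list -keystore "$default" -storepass changeit >/dev/null 2>&1 \
    || { echo "cannot read $default with default password" >&2; return 1; }
  keytool -importkeystore -noprompt -srckeystore "$default" -srcstorepass changeit \
          -destkeystore "$2" -deststorepass "$3" -deststoretype jks >/dev/null 2>&1
  keytool -import -noprompt -alias orgCA -keystore "$2" -storepass "$3" -file "$1" >/dev/null 2>&1
}

# Same check ActiveGate applies: the store must be listable with the configured
# path, password and type, otherwise the configuration would be left unchanged.
verify_store() {  # verify_store <config-file> <ssl-dir>
  store="$2/$(collector_value "$1" trustedstore)"
  pass=$(collector_value "$1" trustedstore-password changeit)
  type=$(collector_value "$1" trustedstore-type JKS)
  valid_store_type "$type" || { echo "unsupported trustedstore-type: $type" >&2; return 1; }
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -list -keystore "$store" -storepass "$pass" -storetype "$type" >/dev/null 2>&1 \
    || { echo "trust store $store not readable with configured password/type" >&2; return 1; }
}
```

Run `build_merged_store org-ca.crt /path/to/ssl/trusted.jks changeit` once, then `verify_store custom.cfg /path/to/ssl` before restarting ActiveGate; a non-zero exit reproduces the "configured trust store can't be read" case before the product logs it.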