Java TrustStore - Alfresco Content Services 23.4

A truststore is the opposite of a keystore: while a keystore typically holds the certificates that identify us (i.e. the Alfresco Repository server), a truststore holds the certificates that identify others (such as the Alfresco Solr client).

In Java, we use it to trust the third party we’re about to communicate with (i.e. Solr).

If the Solr client talks to the Repository server over HTTPS, the Repository server will look up the associated key from its keystore and present the public key and certificate to the Solr client.

We, the Solr client, then look up the associated certificate in our truststore. If neither the certificate nor the Certificate Authority (CA) presented by the external server is in our truststore, we get an SSLHandshakeException and the connection is not established.

Java ships with a bundled truststore called cacerts, which resides in the $JAVA_HOME/lib/security directory.

It contains the default trusted Certificate Authorities (CAs). Pressing Enter at the password prompt lists the entries without verifying the store's integrity, which is what the warning below refers to:

$ keytool -list -keystore $JAVA_HOME/lib/security/cacerts
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 93 entries

verisignclass2g2ca [jdk], 13 Jun 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
...

We can override the default truststore location via the javax.net.ssl.trustStore system property. Similarly, javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType specify the truststore's password and type.
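As an added example (not code from the Alfresco documentation), the programmatic equivalent of those three properties: the client loads a dedicated truststore into its own SSLContext, so only the CAs in that file are trusted, and the SSLHandshakeException described above is surfaced with a clear message. The truststore path, password and Repository URL are placeholders.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class RepoTrustStoreCheck {

    // Programmatic equivalent of
    //   -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw> -Djavax.net.ssl.trustStoreType=<type>
    // but scoped to one SSLContext instead of the whole JVM.
    static SSLContext contextFrom(String path, char[] password, String type) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);          // "JKS" or "PKCS12"
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);                         // the password also verifies store integrity
        }
        // Only the certificates/CAs in this store are trusted; the bundled cacerts is not consulted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute the Solr client's truststore and the Repository's HTTPS endpoint.
        String trustStorePath = "/path/to/client.truststore";
        char[] trustStorePassword = "changeit".toCharArray();
        String repoUrl = "https://repo.example.internal:8443/alfresco/";

        SSLContext ctx = contextFrom(trustStorePath, trustStorePassword, "JKS");
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(repoUrl).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        try {
            System.out.println("Handshake OK, HTTP " + conn.getResponseCode() + " from " + repoUrl);
        } catch (SSLHandshakeException e) {
            // The Repository presented a chain that does not end in a CA held in our truststore.
            System.err.println("Repository certificate or its CA is not in " + trustStorePath + ": " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

Pointing trustStorePath at a store that lacks the Repository's CA reproduces the handshake failure; importing the CA with keytool -importcert into that store makes the same connection succeed.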