Use of custom key store and trust store

When configuring a REST touchpoint for a secure REST API, i.e. one whose URL starts with https://, you may need to configure SSL key certificates, depending on how the third-party REST API is implemented.

Usually, SSL certificates are configured in the Java installation folder, but they can also be kept in an entirely different folder. In the latter case, the system administrator needs to make the following settings in the application.properties file of the Journey engine, i.e. in the file <installation location of journey application>\Engine\application.properties:
  • ssl.restclient.custom.store

    true: The trust store and keystore of the Journey application are present at a custom location (folder), and the certificates of Journey and of the third-party system are to be imported into that location instead of into the installation directory of the Java runtime.

    false: The certificates are to be imported into the installation directory of the Java runtime.

  • ssl.restclient.truststore.defaultalgorithm

    The standard name of the requested trust management algorithm.

    Refer to https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html for the standard algorithm names.

    Specimen value: SunX509

  • ssl.restclient.keystore.defaultalgorithm

    The standard name of the requested key management algorithm. Refer to https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html for the standard algorithm names.

    Specimen value: SunX509

  • ssl.restclient.truststore.type

    Represents the type of trust store (defaults to JKS).

    A trust store is a repository or storage location for digital certificates, specifically public key certificates, that are used to establish trust in secure communications.

    Trust stores store public key certificates of trusted entities, such as certificate authorities (CAs) and trusted servers.

    They are used to verify the authenticity of remote entities (such as websites or servers) during the SSL/TLS handshake process.

  • ssl.restclient.truststore.location

    The folder or directory on the file system that represents the trust store of the Journey application.

  • ssl.restclient.truststore.password

    Trust stores are usually password protected. This parameter holds the trust store password.

  • ssl.restclient.keystore.type

    Represents the type of keystore (defaults to JKS).

    A keystore is a storage facility for cryptographic keys and certificates. Keystores often hold private keys, which are essential for encrypting and decrypting data, creating digital signatures, and establishing secure communications.

  • ssl.restclient.keystore.location

    The folder or directory on the file system that represents the keystore of the Journey application.

  • ssl.restclient.keystore.password

    Keystores are usually password protected. This parameter holds the keystore password.

  • ssl.restclient.key.password

    The keys inside a keystore are usually password protected as well. This parameter holds the key password.

  • ssl.restclient.protocols

    Comma-separated list of the supported cryptographic protocols, i.e. the protocols that provide secure communication over a network.

    Recommended value: TLSv1.2

  • ssl.restclient.truststore.password.encrypted

    When set to true or missing, specify the encrypted value of the password in ssl.restclient.truststore.password.

    When set to false, specify the plain-text value of the password in ssl.restclient.truststore.password.

    Note: If the password is going to be blank, set this flag to false.

  • ssl.restclient.keystore.password.encrypted

    When set to true or missing, specify the encrypted value of the password in ssl.restclient.keystore.password.

    When set to false, specify the plain-text value of the password in ssl.restclient.keystore.password.

    Note: If the password is going to be blank, set this flag to false.

  • ssl.restclient.key.password.encrypted

    When set to true or missing, specify the encrypted value of the password in ssl.restclient.key.password.

    When set to false, specify the plain-text value of the password in ssl.restclient.key.password.

    Note: If the password is going to be blank, set this flag to false.

    To encrypt a password, run the JourneyEncryptionUtility.bat (or .sh) utility, which is present in the <Journey install location>/tools folder.

    Usage: JourneyEncryptionUtility.bat (or .sh) <plaintext password>

    Example

    If the plain-text password is 'abcd', run: JourneyEncryptionUtility.bat (or .sh) abcd

    It will output something similar to the following:

    Entered String is : abcd

    Encrypted String is : MIuFcm7mkspvIMEx7XywAA==

    Set the encrypted value MIuFcm7mkspvIMEx7XywAA== in application.properties for the parameter in question. If you use different password values for the three parameters mentioned above, run the utility three times and use the corresponding values.
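The following Java program is an added example, not code from the Journey product, showing how the ssl.restclient.* settings listed above map onto the standard JSSE objects (KeyStore, TrustManagerFactory, KeyManagerFactory, SSLContext). The properties block inside it is a constructed sample: the paths and the password changeit are placeholders, the two *.location values are assumed to be full paths of the store files (the page does not say whether a directory or a file is expected), and the encrypted-password flags are set to false because decrypting JourneyEncryptionUtility output is product-specific and is not reproduced here. To run stand-alone, main() creates two empty JKS stores in a temporary directory and points the sample at them; in a real installation the stores would already contain the imported certificates.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class RestClientSslConfig {

    // Constructed sample of the settings block. Paths and passwords are placeholders, and the
    // two *.location values are assumed (the page does not say) to be full paths of the store files.
    static final String SAMPLE_PROPERTIES = String.join("\n",
        "ssl.restclient.custom.store=true",
        "ssl.restclient.truststore.defaultalgorithm=SunX509",
        "ssl.restclient.keystore.defaultalgorithm=SunX509",
        "ssl.restclient.truststore.type=JKS",
        "ssl.restclient.truststore.location=/opt/journey/ssl/truststore.jks",
        "ssl.restclient.truststore.password=changeit",
        "ssl.restclient.truststore.password.encrypted=false",
        "ssl.restclient.keystore.type=JKS",
        "ssl.restclient.keystore.location=/opt/journey/ssl/keystore.jks",
        "ssl.restclient.keystore.password=changeit",
        "ssl.restclient.keystore.password.encrypted=false",
        "ssl.restclient.key.password=changeit",
        "ssl.restclient.key.password.encrypted=false",
        "ssl.restclient.protocols=TLSv1.2");

    // Reads a password property, honouring its ".encrypted" companion flag (true when missing).
    static char[] password(Properties p, String key) {
        if (Boolean.parseBoolean(p.getProperty(key + ".encrypted", "true"))) {
            // Decrypting JourneyEncryptionUtility output is product-specific and not shown here;
            // this example only accepts plain-text values, i.e. <key>.encrypted=false.
            throw new IllegalStateException(key + " is flagged encrypted; set " + key + ".encrypted=false");
        }
        return p.getProperty(key, "").toCharArray(); // a blank password becomes an empty array
    }

    // Loads a store of the configured type; the password also verifies the store's integrity.
    static KeyStore loadStore(String type, String location, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(location))) { ks.load(in, pwd); }
        return ks;
    }

    static SSLContext buildSslContext(Properties p) throws Exception {
        if (!Boolean.parseBoolean(p.getProperty("ssl.restclient.custom.store", "false"))) {
            return SSLContext.getDefault(); // custom.store=false: rely on the JRE's own stores
        }
        // Trust store -> TrustManagerFactory: decides which remote certificates are accepted.
        KeyStore trustStore = loadStore(p.getProperty("ssl.restclient.truststore.type", "JKS"),
            p.getProperty("ssl.restclient.truststore.location"),
            password(p, "ssl.restclient.truststore.password"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            p.getProperty("ssl.restclient.truststore.defaultalgorithm", "SunX509"));
        tmf.init(trustStore);

        // Key store -> KeyManagerFactory: supplies this client's own certificate and private key.
        KeyStore keyStore = loadStore(p.getProperty("ssl.restclient.keystore.type", "JKS"),
            p.getProperty("ssl.restclient.keystore.location"),
            password(p, "ssl.restclient.keystore.password"));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
            p.getProperty("ssl.restclient.keystore.defaultalgorithm", "SunX509"));
        kmf.init(keyStore, password(p, "ssl.restclient.key.password")); // key password, not store password

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(SAMPLE_PROPERTIES));

        // Stand-alone run: create two empty JKS stores in a temp dir and point the sample at them.
        Path dir = Files.createTempDirectory("journey-ssl");
        for (String name : new String[] {"truststore", "keystore"}) {
            KeyStore empty = KeyStore.getInstance("JKS");
            empty.load(null, null);
            Path file = dir.resolve(name + ".jks");
            try (OutputStream out = Files.newOutputStream(file)) { empty.store(out, "changeit".toCharArray()); }
            p.setProperty("ssl.restclient." + name + ".location", file.toString());
        }

        SSLContext ctx = buildSslContext(p);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            // ssl.restclient.protocols is a comma-separated list; restrict the socket to it.
            s.setEnabledProtocols(p.getProperty("ssl.restclient.protocols", "TLSv1.2").trim().split("\\s*,\\s*"));
            System.out.println("Enabled protocols: " + String.join(",", s.getEnabledProtocols()));
        }
    }
}
```

Two points the example makes visible that the settings list only implies: the key password (ssl.restclient.key.password) is passed to KeyManagerFactory.init, separately from the keystore password that KeyStore.load uses to verify the store's integrity, so the two can legitimately differ; and restricting the enabled protocols to TLSv1.2 is applied per socket, so an application that ignores the ssl.restclient.protocols value would silently keep the JRE defaults.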