Java Keystores and Truststores

Java Keystore File for TLS

Access to the openLooKeng coordinator must be through HTTPS when using Kerberos and LDAP authentication. The openLooKeng coordinator uses a Java Keystore file for its TLS configuration. The key pair is generated with keytool and stored in the Java Keystore file used by the openLooKeng coordinator.

The alias in the keytool command line should match the principal that the openLooKeng coordinator will use. When prompted for the first and last name, enter the Common Name that will be used in the certificate. In this case, it should be the unqualified hostname of the openLooKeng coordinator. In the following example, you can see this in the prompt that confirms the information is correct:

$ keytool -genkeypair -alias openlookeng -keyalg RSA -keystore keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  openlookeng-coordinator.example.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=openlookeng-coordinator.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <openlookeng>
        (RETURN if same as keystore password):

Java Truststore File for TLS

Truststore files contain certificates of trusted TLS/SSL servers, or of Certificate Authorities trusted to identify servers. To secure access to the openLooKeng coordinator through HTTPS, clients can configure truststores. For the openLooKeng CLI to trust the openLooKeng coordinator, the coordinator's certificate must be imported into the CLI's truststore.

You can either import the certificate to the default Java truststore, or to a custom truststore. You should be careful if you choose to use the default one, since you may need to remove the certificates of CAs you do not deem trustworthy.

You can use keytool to import the certificate into the truststore. In the following example, openlookeng_certificate.cer is imported into a custom truststore openlookeng_trust.jks; keytool prompts you to confirm whether the certificate should be trusted.

$ keytool -import -v -trustcacerts -alias openlookeng_trust -file openlookeng_certificate.cer -keystore openlookeng_trust.jks -storepass <truststore_pass>

Troubleshooting

Java Keystore File Verification

Verify the password for a keystore file and view its contents using keytool.

$ keytool -list -v -keystore /etc/openlookeng/openlookeng.jks
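The three procedures above (generating the coordinator keystore, importing the exported certificate into a custom truststore, and verifying a keystore with keytool -list) run non-interactively as one script. This is an added example and is not part of the openLooKeng documentation: the hostname, alias names, file names and password are constructed for the example, and it assumes a JDK keytool on PATH. Beyond the documented steps it also sets a SAN extension (what TLS clients match the hostname against) and runs three checks a practitioner would want afterwards: the keystore password opens the store and the entry is a private-key entry, the subject CN is the coordinator hostname, and the truststore holds exactly the certificate that is in the keystore (matching fingerprints).

```shell
#!/bin/sh
# Added example (not from the openLooKeng docs): the keystore/truststore workflow
# run non-interactively, plus post-checks. Hostname, aliases, file names and the
# password below are constructed for this example.
set -eu

COORD_HOST="openlookeng-coordinator.example.com"   # CN and SAN of the coordinator cert
KEY_ALIAS="openlookeng"                             # should match the coordinator principal
TRUST_ALIAS="openlookeng_trust"
KEYSTORE="keystore.jks"
TRUSTSTORE="openlookeng_trust.jks"
CERT_FILE="openlookeng_certificate.cer"
STORE_PASS="${STORE_PASS:-changeit-example}"        # constructed; use a real secret in practice

# Step 1: create the coordinator's key pair in a JKS keystore. -dname replaces the
# interactive name prompts; the SAN extension is what modern clients verify the host against.
generate_keystore() {
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$COORD_HOST" -ext "SAN=dns:$COORD_HOST" \
    -storetype JKS -keystore "$KEYSTORE" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
}

# Step 2: export the public certificate (PEM) that clients will be told to trust.
export_certificate() {
  keytool -exportcert -rfc -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STORE_PASS" -file "$CERT_FILE"
}

# Step 3: import it into a custom truststore for the CLI; -noprompt answers the
# "Trust this certificate?" question that the interactive form of the command asks.
import_into_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias "$TRUST_ALIAS" -file "$CERT_FILE" \
    -storetype JKS -keystore "$TRUSTSTORE" -storepass "$STORE_PASS"
}

# Print the certificate fingerprint of one alias in a store ($1 = store file, $2 = alias).
fingerprint() {
  keytool -list -keystore "$1" -storepass "$STORE_PASS" -alias "$2" \
    | awk '/fingerprint/ { print $NF }'
}

# Check 1: the keystore password is correct and the alias is a private-key entry.
# keytool exits non-zero on a wrong password or a missing alias.
verify_keystore() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STORE_PASS" -alias "$KEY_ALIAS" \
    | grep -q 'PrivateKeyEntry'
}

# Check 2: the certificate subject names the coordinator host.
verify_subject() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STORE_PASS" -alias "$KEY_ALIAS" \
    | grep -q "^Owner: CN=$COORD_HOST"
}

# Check 3: the truststore entry is the same certificate as the keystore entry.
verify_truststore_matches() {
  [ "$(fingerprint "$KEYSTORE" "$KEY_ALIAS")" = "$(fingerprint "$TRUSTSTORE" "$TRUST_ALIAS")" ]
}

# Run the whole workflow in the current (empty) directory; returns non-zero on any failure.
run_all() {
  generate_keystore && export_certificate && import_into_truststore \
    && verify_keystore && verify_subject && verify_truststore_matches
}

if [ "${1:-}" = "run" ]; then
  run_all && echo "keystore, certificate and truststore created and verified"
fi
```

Run it as `sh keystore_workflow.sh run` in an empty directory; to check an existing deployment instead, point KEYSTORE/TRUSTSTORE at the real files and call only the verify_* functions, which fail (non-zero exit) on a wrong password, a missing alias, a subject that does not name the coordinator, or a truststore that holds a different certificate than the keystore.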
