Managing Custom Keystore

You can supply your own keystore and truststore JKS files both at initial deployment and later as part of incremental changes.

For the initial deployment (the payload of the REST call to the Cloud Manager API), add the optional keystore subsection under the siebel section. If it is omitted, SCM generates a self-signed certificate and propagates it to all SES, SAI and CGW containers during environment provisioning.

Usage:

Copy the keystore and truststore files to any path on the SCM instance and provide those paths in the corresponding payload parameters. You can also copy the files to SCM with the File Sync Utility; for more information, see Uploading Files to the SCM Container Using File Sync Utility.

Here's a sample of the section in the initial deployment payload:

"keystore" : {
    "siebel_keystore_path" : "/home/opc/test/ca/siebelcerts/keystore.jks",
    "siebel_truststore_path": "/home/opc/test/ca/siebelcerts/truststore.jks"
}

During environment provisioning, the JKS files are pushed to the siebel-config/keystore directory of the Helm charts Git repository, from where the Siebel applications use them. Because the keystore contains the private key, treat that repository as sensitive and restrict access to it accordingly.

Follow these rules when creating the custom keystore and truststore files:

  • Both files must have the .jks extension and be of storeType JKS. keytool creates PKCS12 stores by default on Java 9 and later, so pass -storetype JKS explicitly.
  • Include "*.*.svc.cluster.local" as a DNS name on the keystore certificate, along with any other DNS names you need.
  • Protect both stores with a password, and use the value "siebel". Because this password is fixed and known, it provides no real confidentiality for the private key; restrict access to the files, and to the repository they are pushed into, instead.
  • The keystore must contain the private key entry with the certificate issued for your CSR, together with the CA certificate and any intermediate certificates that complete the chain.
  • The truststore must contain the CA certificate.
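The following Python script is an added example, not part of the Siebel documentation or of SCM itself. It takes a payload keystore section like the one above and checks the files it points at against the rules in this list before the payload is submitted: the .jks extension, the JKS storeType (a PKCS12 store produced by a default keytool run is rejected), the fixed "siebel" password, and the presence of a private key entry with a chain in the keystore and a trusted CA entry in the truststore. The JKS layout and integrity digest (SHA-1 over the password in UTF-16BE, the string "Mighty Aphrodite" and the store body) are those of OpenJDK's JavaKeyStore implementation, so no Java is needed to run it. Reading "ca, intermediate if any, and csr certificate" as a chain of at least two certificates is this example's interpretation, and the DNS-name rule is not checked because that would need an X.509 parser. The certificate and key bytes in demo() are constructed placeholders; build_jks exists only so the example can run offline, and in real use keytool produces the files.

```python
import hashlib
import hmac
import os
import struct
import tempfile

# JKS on-disk constants, as used by OpenJDK's sun.security.provider.JavaKeyStore.
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
REQUIRED_PASSWORD = "siebel"   # fixed by the SCM rules above

# Constructed placeholder blobs; real stores hold X.509 DER certificates and an encrypted PKCS#8 key.
FAKE_LEAF = b"<leaf cert DER>"
FAKE_CA = b"<ca cert DER>"
FAKE_KEY = b"<encrypted pkcs8>"

def _utf(s):
    """Java DataOutputStream.writeUTF: 2-byte length prefix plus UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _digest(password, body):
    """JKS integrity digest: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || store body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def build_jks(entries, password):
    """Serialise a minimal JKS file (constructed for this example; keytool does this in real use).
    entries: (alias, tag, payload); payload is (key_bytes, [cert, ...]) for a private key entry
    or a single cert for a trusted certificate entry."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, payload in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, timestamp
        if tag == PRIVATE_KEY_ENTRY:
            key, chain = payload
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
            for cert in chain:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += _utf("X.509") + struct.pack(">I", len(payload)) + payload
    return body + _digest(password, body)

def store_type(data):
    """Cheap storeType sniff: JKS starts with the magic, PKCS#12 with an ASN.1 SEQUENCE (0x30)."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if data[:1] == b"\x30" else "unknown"

def _read_utf(data, pos):
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _read_blob(data, pos):
    n, = struct.unpack_from(">I", data, pos)
    return data[pos + 4:pos + 4 + n], pos + 4 + n

def parse_jks(data, password):
    """Walk the entry table and verify the trailing digest against `password`.
    Returns (password_ok, [(kind, alias, certs_in_chain), ...]); the private key is never decrypted."""
    if store_type(data) != "JKS":
        raise ValueError("storeType is %s, must be JKS" % store_type(data))
    version, count = struct.unpack_from(">II", data, 4)
    if version != JKS_VERSION:
        raise ValueError("unsupported JKS version %d" % version)
    pos, entries = 12, []
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                  # creation timestamp, not needed here
        if tag == PRIVATE_KEY_ENTRY:
            _key, pos = _read_blob(data, pos)     # encrypted PKCS#8 blob, left encrypted
            n_chain, = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(n_chain):
                _ctype, pos = _read_utf(data, pos)
                _cert, pos = _read_blob(data, pos)
            entries.append(("PrivateKeyEntry", alias, n_chain))
        elif tag == TRUSTED_CERT_ENTRY:
            _ctype, pos = _read_utf(data, pos)
            _cert, pos = _read_blob(data, pos)
            entries.append(("trustedCertEntry", alias, 1))
        else:
            raise ValueError("unknown entry tag %d" % tag)
    password_ok = hmac.compare_digest(_digest(password, data[:pos]), data[pos:pos + 20])
    return password_ok, entries

def check_keystore_section(section, password=REQUIRED_PASSWORD):
    """Apply the rules above to a payload 'keystore' section; returns a list of findings (empty = OK)."""
    findings = []
    for key, role in (("siebel_keystore_path", "keystore"), ("siebel_truststore_path", "truststore")):
        path = section.get(key)
        if not path:
            findings.append("%s: missing" % key)
            continue
        if not path.endswith(".jks"):
            findings.append("%s: file extension must be .jks" % key)
        if not os.path.isfile(path):
            findings.append("%s: %s not found on the SCM instance" % (key, path))
            continue
        with open(path, "rb") as f:
            data = f.read()
        try:
            password_ok, entries = parse_jks(data, password)
        except ValueError as exc:
            findings.append("%s: %s" % (key, exc))
            continue
        if not password_ok:
            findings.append("%s: store password is not '%s'" % (key, password))
        if role == "keystore" and not any(k == "PrivateKeyEntry" and n >= 2 for k, _, n in entries):
            findings.append("%s: needs a PrivateKeyEntry whose chain includes the CA" % key)
        if role == "truststore" and not any(k == "trustedCertEntry" for k, _, _ in entries):
            findings.append("%s: needs at least one trustedCertEntry for the CA" % key)
    return findings

def demo():
    """Write a constructed keystore/truststore pair, plus a truststore with the wrong password, and check them."""
    with tempfile.TemporaryDirectory() as d:
        ks, ts, bad = (os.path.join(d, n) for n in ("keystore.jks", "truststore.jks", "bad.jks"))
        with open(ks, "wb") as f:
            f.write(build_jks([("siebel", PRIVATE_KEY_ENTRY, (FAKE_KEY, [FAKE_LEAF, FAKE_CA]))], "siebel"))
        with open(ts, "wb") as f:
            f.write(build_jks([("siebelca", TRUSTED_CERT_ENTRY, FAKE_CA)], "siebel"))
        with open(bad, "wb") as f:
            f.write(build_jks([("siebelca", TRUSTED_CERT_ENTRY, FAKE_CA)], "changeit"))
        good = check_keystore_section({"siebel_keystore_path": ks, "siebel_truststore_path": ts})
        wrong = check_keystore_section({"siebel_keystore_path": ks, "siebel_truststore_path": bad})
    return good, wrong
```

Run check_keystore_section on the "keystore" object from your real payload (after json.load) before calling the Cloud Manager API; an empty list means the files satisfy every rule this script can check. The password check reuses the JKS integrity digest rather than opening the store with Java, so a wrong password or a tampered file both show up as a single finding.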

For more information about updating the keystore file as part of incremental changes, see Use Cases for Updating Keystore File as Part of Incremental Changes.