About Generating Keystore and Truststore Files

The keystore and truststore files are JKS files containing certificates. These files are necessary for the application container to be able to use secure two-way communications when connecting with other Siebel modules, as occurs during Siebel Management Console configuration and in normal operation. Note the following about generating the keystore and truststore files:

  • The keystore and truststore files must contain the server certificate chain and an imported CA certificate.

  • Generate your files so that the keystore file references both the private key and the public key, while the truststore file references the public key only.

  • Generate your certificates using the Java Runtime Environment (JRE) provided with your release.

  • Specify the password that was previously configured to open the certificate files.

  • Use the same password for the keystore and truststore files.

    Note: It is recommended that you create all keystores with the same password as the one entered in the installer. The installer does not currently support different passwords for the truststore and keystore. However, if different passwords are required, then you can modify the keystore password by editing the server.xml file and all the relevant properties files in the webapps directory.

    Note: The Siebel installer does not ask for a keypass value, which means that it uses the keystore password for everything, including, for example, retrieving the keypass. When creating certificates, the password for keystore and keypass should be the same. If you change the keystore password, then you must also change the keypass password.

  • Use the fully qualified domain names rather than IP addresses.

    Note: If you use an IP address instead of the FQDN, then certificates must be created with both the FQDN and the IP address as two separate SAN entries, and in such cases the Siebel Server fails. As a result, it is recommended that you use the FQDN rather than the IP address.

    If you do not configure the keystore and truststore files correctly, then you will not be able to configure the Siebel Business Applications, as described in Configuring Security Adapters Using the Siebel Management Console, Authentication Related Configuration Parameters and Siebel Installation Guide.
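
The requirements listed above, worked through with keytool as an added example (not part of the Siebel documentation): one password for both stores and the key, an FQDN-only SAN, a keystore holding the private key plus chain, and a truststore holding certificates only. The aliases, file names, sample host name, password and throwaway test CA are assumptions made so the script runs offline; in a real deployment your own CA signs server.csr.

```shell
#!/bin/sh
# Added example. Aliases, file names, the throwaway test CA, the sample FQDN and
# the password are constructed; in production your own CA signs server.csr.
KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"  # keytool from the JRE of your release

# kt: run keytool with the shared password read from the environment (KS_PASS),
# so the password does not appear in the process list.
kt() { "$KEYTOOL" "$@" -storepass:env KS_PASS; }

# make_stores DIR FQDN PASSWORD -> DIR/keystore.jks and DIR/truststore.jks
make_stores() (
    case $2 in
        *:*|'') echo "FQDN required, not an IP address" >&2; exit 2 ;;
        *[A-Za-z]*) ;;                      # contains a letter: treat as a host name
        *) echo "FQDN required, not an IP address" >&2; exit 2 ;;
    esac
    fqdn=$2; KS_PASS=$3; export KS_PASS
    mkdir -p "$1" && cd "$1" || exit 1
    # 1. Throwaway CA (stands in for your real CA) and its public certificate.
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 \
       -dname "CN=Constructed Test CA" -ext bc:c=ca:true \
       -keystore ca.jks -storetype JKS -keypass:env KS_PASS &&
    kt -exportcert -alias ca -rfc -file ca.pem -keystore ca.jks &&
    # 2. Server key pair: keypass equals the keystore password, SAN is the FQDN.
    kt -genkeypair -alias siebel -keyalg RSA -keysize 2048 -validity 365 \
       -dname "CN=$fqdn" -ext "SAN=dns:$fqdn" \
       -keystore keystore.jks -storetype JKS -keypass:env KS_PASS &&
    # 3. CSR, signed by the CA with the same SAN.
    kt -certreq -alias siebel -file server.csr -keystore keystore.jks &&
    kt -gencert -alias ca -infile server.csr -outfile server.pem -rfc \
       -validity 365 -ext "SAN=dns:$fqdn" -keystore ca.jks &&
    # 4. Keystore: import the CA certificate, then the reply, which forms the chain.
    kt -importcert -noprompt -alias ca -file ca.pem -keystore keystore.jks &&
    kt -importcert -noprompt -alias siebel -file server.pem -keystore keystore.jks &&
    # 5. Truststore: certificates (public keys) only, no private key.
    kt -importcert -noprompt -alias ca -file ca.pem \
       -keystore truststore.jks -storetype JKS &&
    kt -importcert -noprompt -alias siebel -file server.pem -keystore truststore.jks
)

# entry_count STORE TYPE PASSWORD: number of entries of TYPE (e.g. PrivateKeyEntry)
entry_count() ( KS_PASS=$3; export KS_PASS; kt -list -keystore "$1" | grep -c "$2" )

# Usage (constructed values): make_stores ./certs siebel.example.com "$PASSWORD"
```

After running it, entry_count on keystore.jks should report one PrivateKeyEntry and on truststore.jks none, which is a quick check that the private key has not been copied into the truststore.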