4.2.8.3 Adding the OAM Certificate to the Truststore
If you access your OAM server via HTTPS, you must add the OAM certificates to the truststore in order to establish trust between OAA and OAM.
For the purposes of this documentation, the OAM certificate refers to the certificate used when accessing OAM. For example, if you access OAM via an HTTPS load balancer URL, then the OAM certificate refers to the certificate of the load balancer.
In order to import the OAM certificate to the truststore, you will need the OAM server certificate in PEM format, for example oam.pem.
This documentation does not explain how to get the OAM certificate, but if you access OAM via Firefox or Chrome then you can export it from the browser.
- Navigate to the $WORKDIR where you created your OAA certificates and keystores, and copy the OAM server certificate oam.pem across. For example:
  cd $WORKDIR/oaa_ssl
  cp <PATH>/oam.pem .
- If the OAM certificate is not in PEM format, for example it is in DER format oam.der, it can be converted using the following command:
  openssl x509 -inform der -in oam.der -out oam.pem
- Export the existing Certificate Authority to a certificate bundle:
  openssl pkcs12 -in trust.p12 -out bundle_export.pem -cacerts -nokeys -passin pass:<password>
- Copy the OAM certificate into the certificate bundle:
  cat oam.pem bundle_export.pem >> bundle_oam.pem
- Create a new trust store from the certificate bundle:
  openssl pkcs12 -export -in bundle_oam.pem -nokeys -out trust_new.p12 -passout pass:<password>
Note:
The new trust_new.p12 and password are used in the following properties later in the installOAA.properties:
common.deployment.trustcert=trust_new.p12
common.deployment.truststorepassphrase=<password>
where <password> is the password for the trust_new.p12
common.local.trustcert=<PATH_TO>/trust_new.p12
For more information on these parameters, see Preparing the Properties file for Installation.
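A check to run after the last step of the procedure above, confirming by SHA-256 fingerprint that trust_new.p12 contains both oam.pem and the certificates that were already in trust.p12. This is an added example, not part of the Oracle documentation; the function names, the P12_PASS variable, the throwaway certificates and the demo password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Passwords come from the P12_PASS environment
# variable (openssl "env:" source) instead of "pass:" on the command line.
: "${P12_PASS:=constructed-demo-password}"; export P12_PASS   # constructed value

# Print one SHA-256 fingerprint per certificate stored in PKCS#12 file $1.
p12_fingerprints() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    awk -v cmd='openssl x509 -noout -fingerprint -sha256' '
        /-----BEGIN CERTIFICATE-----/ { pem = ""; on = 1 }
        on { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { printf "%s", pem | cmd; close(cmd); on = 0 }'
}

# Succeed only if certificate file $2 (PEM) is one of the entries in truststore $1.
p12_has_cert() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    p12_fingerprints "$1" | grep -qxF "$want"
}

# Build constructed stand-ins in directory $1 and run the page's three steps there.
build_demo() (
    cd "$1" || exit 1
    # Throwaway self-signed certificates standing in for the existing CA and for OAM.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=oam.example.com" \
        -keyout oam.key -out oam.pem 2>/dev/null || exit 1
    openssl pkcs12 -export -in ca.pem -nokeys -out trust.p12 -passout env:P12_PASS || exit 1
    # Steps from the procedure: export bundle, prepend oam.pem, build trust_new.p12.
    openssl pkcs12 -in trust.p12 -out bundle_export.pem -cacerts -nokeys \
        -passin env:P12_PASS || exit 1
    cat oam.pem bundle_export.pem >> bundle_oam.pem
    openssl pkcs12 -export -in bundle_oam.pem -nokeys -out trust_new.p12 \
        -passout env:P12_PASS
)

demo_dir=$(mktemp -d)
if build_demo "$demo_dir" && p12_has_cert "$demo_dir/trust_new.p12" "$demo_dir/oam.pem"; then
    echo "oam.pem is present in trust_new.p12"
else
    echo "oam.pem is NOT in trust_new.p12" >&2
fi
```

Against a real deployment, set P12_PASS to the truststore password and call p12_has_cert trust_new.p12 oam.pem from $WORKDIR/oaa_ssl. A wrong password produces no fingerprints, so the check fails rather than passing silently.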