Secure the Connection to the RCS With SSL

The SSL configuration for an RCS depends on whether you are running the RCS in server mode or in client mode:

  • In server mode, Identity Cloud initiates the connection to the RCS.

    The RCS needs a public/private key pair and a certificate (either self-signed or CA-signed). The RCS sends its certificate to the client (Identity Cloud) during the SSL handshake.

    If you are using a CA-signed certificate, Identity Cloud validates the certificate chain back to the CA's root certificate. If you are using a self-signed certificate (or a certificate whose chain contains an issuer that Identity Cloud cannot reach from the root certificate), you must import the certificate into the Identity Cloud truststore.

  • In client mode, the RCS initiates the connection to Identity Cloud. Identity Cloud sends its certificate during the SSL handshake. If you are using the Identity Cloud self-signed certificate, you must import the certificate into the RCS truststore.

    If you are using TLS Mutual Authentication, the RCS needs a public/private key pair and a certificate. Identity Cloud requests the certificate from the RCS during the SSL handshake.

On the RCS, edit the conf/ConnectorServer.properties file to specify a secure connection between Identity Cloud and the RCS:

RCS in server mode

  • Set connectorserver.useSSL=true.

  • Specify the RCS keystore and truststore. For example:

    connectorserver.trustStoreFile=security/truststore.pkcs12
    connectorserver.trustStoreType=PKCS12
    connectorserver.trustStorePass=changeit
    connectorserver.keyStoreFile=security/keyStore.pkcs12
    connectorserver.keyStoreType=PKCS12
    connectorserver.keyStorePass=changeit
    connectorserver.keyPass=changeit

RCS in client mode

  • Connection security is determined by the value of the connectorserver.url property. Use the wss protocol to establish a WebSocket over an encrypted TLS connection; for example, wss://my-tenant.forgeblocks.com/openicf.

    The connectorserver.useSSL property is not used in client mode.

  • Specify the RCS keystore and truststore. For example:

    connectorserver.trustStoreFile=security/truststore.pkcs12
    connectorserver.trustStoreType=PKCS12
    connectorserver.trustStorePass=changeit
    connectorserver.keyStoreFile=security/keyStore.pkcs12
    connectorserver.keyStoreType=PKCS12
    connectorserver.keyStorePass=changeit
    connectorserver.keyPass=changeit

In your conf/provisioner.openicf.connectorinfoprovider.json file, set "useSSL": true.
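The following is an added check, not part of the RCS documentation: a POSIX shell function that reads a conf/ConnectorServer.properties file and flags the misconfigurations the two modes above make possible (useSSL left off in server mode, a ws:// rather than wss:// URL in client mode, a keystore or truststore path that does not resolve, and the sample password changeit left in place). It assumes that store paths in the file are relative to the RCS install directory, i.e. the parent of conf/.

```shell
#!/bin/sh
# Added example, not part of the RCS documentation: sanity-check a
# conf/ConnectorServer.properties file for the TLS settings described above.
# Assumptions: store paths in the file are relative to the RCS install
# directory (the parent of conf/), and 'changeit' is treated as a default
# password that must not be left in place.

# Print the value of property $1 from file $2 (last assignment wins,
# as java.util.Properties does; surrounding whitespace is stripped).
rcs_prop() {
    grep "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# check_rcs_tls <server|client> <properties-file>
# Prints one line per finding; returns 0 only when nothing was flagged.
check_rcs_tls() {
    mode=$1; props=$2; fail=0
    base=$(dirname "$props")/..

    case $mode in
        server)  # Identity Cloud connects to the RCS: useSSL must be on.
            [ "$(rcs_prop connectorserver.useSSL "$props")" = true ] ||
                { echo "server mode: connectorserver.useSSL is not true"; fail=1; } ;;
        client)  # RCS connects out: useSSL is ignored, the URL scheme decides.
            case "$(rcs_prop connectorserver.url "$props")" in
                wss://*) ;;
                *) echo "client mode: connectorserver.url does not use wss://"; fail=1 ;;
            esac ;;
        *) echo "unknown mode: $mode"; return 2 ;;
    esac

    # Both modes: the referenced keystore and truststore must exist ...
    for key in connectorserver.keyStoreFile connectorserver.trustStoreFile; do
        f=$(rcs_prop "$key" "$props")
        [ -n "$f" ] && [ -f "$base/$f" ] ||
            { echo "$key: '$f' not found under $base"; fail=1; }
    done
    # ... and the sample password from the documentation must have been changed.
    for key in connectorserver.keyStorePass connectorserver.trustStorePass connectorserver.keyPass; do
        [ "$(rcs_prop "$key" "$props")" != changeit ] ||
            { echo "$key: default password 'changeit' still set"; fail=1; }
    done
    return $fail
}
```

Run it as `check_rcs_tls server /path/to/rcs/conf/ConnectorServer.properties` (or `client`) before starting the RCS; a non-zero exit means at least one finding was printed.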

  1. Generate the RCS private/public key pair and create a new PKCS12 keystore:

    keytool \
    -genkeypair \
    -keyalg EC \
    -alias icf-rcs \
    -dname "CN=icf.example.com,O=Example Corp,C=FR" \
    -keystore rcsKeystore.pkcs12 \
    -storetype PKCS12 \
    -storepass changeit
  2. Verify the contents of the new keystore:

    keytool \
    -list \
    -v \
    -keystore rcsKeystore.pkcs12
    Enter keystore password:  changeit
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: icf-rcs
    Creation date: Jul 13, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Mon Jul 13 23:58:49 SAST 2020 until: Sun Oct 11 23:58:49 SAST 2020
    Certificate fingerprints:
    SHA1: Fingerprint
    SHA256: Fingerprint
    Signature algorithm name: SHA256withECDSA
    Subject Public Key Algorithm: 256-bit EC key
    ...
  3. Export the RCS certificate:

    keytool \
    -export \
    -alias icf-rcs \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12
    Enter keystore password: changeit
    Certificate stored in file <rcs.cert>
  4. If you are not using a self-signed certificate, have the certificate signed by a Certificate Authority (CA):

    1. Create a Certificate Signing Request (CSR):

      keytool \
      -keystore rcsKeystore.pkcs12 \
      -certreq \
      -alias icf-rcs \
      -file rcs.csr
      more rcs.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      
      MIIEKTCCA9QCAQAwVzELMAkGA1UEBhMCRlIxCzAJBgNVBAgTAkZSMQswCQYDVQQH
      xZ47rzcY6OrElh8+/TYG50NRqcQYMzm4CefCrhxTm6dHW4XQEa24tHmHdUmEaVys
      A1UdDgQWBBSivxV9AzgbrIo3gG6vCBlNaXf3wjANBglghkgBZQMEAwIFAANAADA9
      ...
      AhxL791/ikf1hqxOD3uttV7qumg+TNednsgtk6uOAh0AlINk+1LBeyUkQA7iUHy/
      3KLYWog/Npu5USdCeA==
      
      -----END NEW CERTIFICATE REQUEST-----
    2. Submit the CSR to your CA for signature.

  5. Import the signed certificate into the RCS keystore:

    keytool \
    -importcert \
    -trustcacerts \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12 \
    -storetype pkcs12 \
    -alias icf-rcs
    Enter keystore password: changeit
    Certificate reply was installed in keystore

    Note

    If your CA certificate is not trusted, you might need to import the CA certificate into the keystore too.

  6. Import the RCS certificate into the Identity Cloud truststore:

    keytool \
    -import \
    -alias icf-rcs \
    -keystore /path/to/openidm/truststore \
    -file rcs.cert
    Enter keystore password: changeit
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Fri Apr 05 16:04:04 CEST 2019 until: Mon Aug 17 16:04:04 CEST 2020
    Certificate fingerprints:
    MD5:  Fingerprint
    SHA1: Fingerprint
    SHA256: Fingerprint
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit DSA key
    Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  7. In client mode, if Identity Cloud presents its self-signed certificate, export that certificate:

    keytool \
    -export \
    -alias openidm-localhost \
    -keystore keystore.jceks \
    -storetype jceks \
    -file idm.cert
    Enter keystore password: changeit
    Certificate stored in file <idm.cert>
  8. Import the Identity Cloud self-signed certificate into the RCS truststore:

    keytool \
    -import \
    -alias openidm-localhost \
    -keystore /path/to/rcs/security/truststore.pkcs12 \
    -storetype pkcs12 \
    -file idm.cert
    Enter keystore password: changeit
    
    Owner: CN=openidm-localhost, O=OpenIDM Self-Signed Certificate, OU=None, L=None, ST=None, C=None
    Issuer: CN=openidm-localhost, O=OpenIDM Self-Signed Certificate, OU=None, L=None, ST=None, C=None
    Serial number: 16981c79d8d
    Valid from: Wed Feb 13 15:35:36 CET 2019 until: Thu Mar 15 15:35:36 CET 2029
    Certificate fingerprints:
    MD5:  fingerprint
    SHA1: fingerprint
    SHA256: fingerprint
    Signature algorithm name: SHA512withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    Trust this certificate? [no]:  yes
    
    Certificate was added to keystore