Version: Release 24.3

Trust a Deploy server's certificate

This topic provides information about creating and configuring a truststore, importing certificates, and adjusting Release settings to ensure secure communication with the Deploy server.

If you configured your Deploy server to use a self-signed certificate and then added the server to Release, you will notice that testing the connection fails with the following error: The Deploy server is not available.

To instruct Release to trust the Deploy server certificate, you must configure a truststore for Release.

To create a dedicated truststore for Release:

  1. Export the self-signed server certificate from XL_DEPLOY_SERVER_HOME/conf:

    keytool -export -keystore keystore.jks -alias jetty -file XLDeployServerCert.cer

    For more information on the keytool utility, see the Oracle documentation.

  2. Import the certificate, as a trusted certificate, into a separate truststore for Release:

    keytool -import -alias XLDeployServerCert -file XLDeployServerCert.cer -keystore XLRTruststore.jks

  3. Import all certificates from the JRE global truststore:

    keytool -importkeystore \
      -srckeystore /etc/ssl/certs/java/cacerts -srcstoretype JKS \
      -destkeystore keystore.jks -deststoretype JKS \
      -srcstorepass changeit -deststorepass changeit

Note: changeit is the default password for the Java system truststore.

Important: If you do not import all certificates from the JRE global truststore, you may lose HTTPS connectivity with other applications.

  4. Move the truststore XLRTruststore.jks from XL_DEPLOY_SERVER_HOME/conf to XL_RELEASE_SERVER_HOME/conf.

  5. Depending on your system, open the following in a text editor:

    • Unix-based system: XL_RELEASE_SERVER_HOME/conf/xlr-wrapper-linux.conf
    • Microsoft Windows: XL_RELEASE_SERVER_HOME/conf/xlr-wrapper-win.conf

  6. Configure Release to use the truststore by adding the following lines, where 'X' is the next number in the wrapper.java.additional list:

    wrapper.java.additional.X=-Djavax.net.ssl.trustStore=conf/XLRTruststore.jks
    wrapper.java.additional.X+1=-Djavax.net.ssl.trustStorePassword=password
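
The wrapper edit above can be scripted so that the index X is computed from the file instead of counted by hand. This is an added example, not part of the Release documentation; the function names and the sample wrapper conf content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the product docs): append the truststore options at
# the next free wrapper.java.additional index. Function names are hypothetical.

# Print the next unused wrapper.java.additional index in conf file $1.
# Commented-out entries are ignored; an empty list yields 1.
next_wrapper_index() {
    awk -F'[.=]' '
        /^[ \t]*wrapper\.java\.additional\.[0-9]+[ \t]*=/ {
            if ($4 + 0 > max) max = $4 + 0
        }
        END { print max + 1 }
    ' "$1"
}

# $1 = wrapper conf, $2 = truststore path, $3 = truststore password.
# Returns 1 and changes nothing if a trustStore option is already present,
# so a second run cannot add a duplicate or conflicting entry.
add_truststore_opts() {
    conf=$1 store=$2 pass=$3
    if grep -Eq '^[[:space:]]*wrapper\.java\.additional\.[0-9]+[[:space:]]*=.*-Djavax\.net\.ssl\.trustStore=' "$conf"; then
        echo "trustStore already configured in $conf" >&2
        return 1
    fi
    n=$(next_wrapper_index "$conf")
    # Make sure the file ends with a newline before appending.
    if [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    {
        printf 'wrapper.java.additional.%d=-Djavax.net.ssl.trustStore=%s\n' "$n" "$store"
        printf 'wrapper.java.additional.%d=-Djavax.net.ssl.trustStorePassword=%s\n' "$((n + 1))" "$pass"
    } >> "$conf"
}

# Demo on a constructed wrapper conf (sample content, not a real installation).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
wrapper.java.additional.1=-Xms1024m
wrapper.java.additional.2=-Xmx4096m
# wrapper.java.additional.9=-Dcommented.out=true
wrapper.java.additional.3=-Dfile.encoding=UTF-8
EOF
add_truststore_opts "$demo_conf" conf/XLRTruststore.jks password
tail -n 2 "$demo_conf"
```

On a real installation, pass the wrapper conf for your platform as the first argument and keep a backup of the file before running it.
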
Note: Disable the verification of SSL for Deploy servers under XL_RELEASE_SERVER_HOME/conf/deployit-defaults.properties by adding the following line:

xldeploy.XLDeployServer.verifySSL=false

To verify the self-signed certificates for Release and Deploy, a certificate (.crt) or PEM (.pem) file containing the Deploy server certificate must be supplied. You can do this by specifying the location of the public certificate or PEM file as the value of the REQUESTS_CA_BUNDLE system environment variable.

For Windows systems:

  1. Go to Advanced System Properties > Environment Variables > New (System Variables) > REQUESTS_CA_BUNDLE.
  2. Add the required value to the REQUESTS_CA_BUNDLE.
  3. Now, restart the CMD prompt used for starting the Release server, and restart the server.

For Unix systems:

  1. Edit the /etc/environment file.
  2. Add the export REQUESTS_CA_BUNDLE=path/to/cabundle environment variable.
  3. Now, restart the session used for starting the Release server, and restart the server.

  1. Start Release:

    Operating system      Command
    Microsoft Windows     run.cmd
    Unix-based systems    run.sh

  2. Add the Deploy server.