
How JCS uses the Keystore File

By default, the Java CS uses the same keystore file for all three of these purposes:

  1. To secure inbound TLS connections between an LDAP client (for example, Connector Xpress, Provisioning Server) and the Java CS. This involves adding the public certificates used by the Java CS to any client-specific keystore (or allowing the clients to connect without verifying the trust status of the JCS certificate).

    The default JDK certs (from file <JDK>\jre\lib\security\cacerts) can be imported into the keystore of the third-party client to authenticate with JCS.

    Note: Currently the client SSL authentication is not available in ApacheDS. As a result, mutual inbound SSL authentication is not possible.

  2. As the value of the javax.net.ssl.trustStore property for the Java Virtual Machine in which the Java CS runs. This is because some connector implementations (for example, AS400) implicitly use this keystore and cannot be configured to do otherwise.
  3. To secure outbound SSL / TLS connections between the Java CS and endpoint systems. This involves adding certificates for endpoint systems to this keystore, so that they see the Java CS as trusted.

    Note: If you want to use a separate keystore to secure outbound SSL / TLS connections between the Java CS and endpoint systems, the relevant Java CS configuration properties are connectorClientCertStore*, as opposed to the ldapsCertificate* properties that configure the keystore used for the other purposes.
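Because one file serves all three purposes, it is worth checking periodically what the shared keystore actually contains and whether the JVM truststore property points at the same file. The following audit utility is an added example, not part of the Java CS product: it takes the keystore path and password as arguments (both assumed to be supplied by the operator), reports whether javax.net.ssl.trustStore refers to that file, and lists each entry as either the Java CS's own identity (inbound TLS) or a trust anchor accepted for outbound connections, with its expiry date.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Audits a Java CS keystore that is shared by inbound TLS, the JVM truststore
 * and outbound TLS. Example code only; the path and password are assumptions
 * passed on the command line, not values taken from the Java CS configuration.
 * Usage: java KeystoreAudit <keystore-path> <keystore-password>
 */
public class KeystoreAudit {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreAudit <keystore-path> <keystore-password>");
            System.exit(2);
        }
        Path ksPath = Paths.get(args[0]).toAbsolutePath();
        // The default type (PKCS12 on JDK 9+, JKS on JDK 8) also reads legacy JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(ksPath)) {
            ks.load(in, args[1].toCharArray());
        }

        // Purpose 2: if the JVM-wide truststore is this same file, every anchor
        // below is trusted by all connectors, not only by the one it was added for.
        String jvmTrustStore = System.getProperty("javax.net.ssl.trustStore");
        boolean sameFile = jvmTrustStore != null
                && Paths.get(jvmTrustStore).toAbsolutePath().equals(ksPath);
        System.out.println("javax.net.ssl.trustStore = " + jvmTrustStore
                + (sameFile ? "  (same file: JVM-wide trust)" : "  (different file or unset)"));

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue; // skip secret-key entries
            X509Certificate x509 = (X509Certificate) cert;
            // A key entry is the Java CS's own identity for inbound TLS (purpose 1);
            // a trusted-certificate entry is an anchor for outbound TLS (purpose 3).
            String role = ks.isKeyEntry(alias) ? "IDENTITY (inbound TLS)" : "TRUST ANCHOR (outbound)";
            System.out.printf("%-24s %s%n", role, alias);
            System.out.printf("    subject: %s%n", x509.getSubjectX500Principal());
            System.out.printf("    expires: %s%n", x509.getNotAfter());
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore value the Java CS JVM uses so the "same file" check reflects the real service configuration.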