Integration with external tools and services may require connections secured with TLS/SSL. DTP and User Administration will reject connections to an external server if the server's certificate is not trusted or is not signed by a trusted certificate authority. To add a new trusted certificate, perform the following steps:
1. Obtain the trusted certificate to add. The certificate can be in any format accepted by the Java keytool application.
2. Execute the command that matches your installation to import the certificate to the truststore:
    keytool -import -alias <new unique alias> -file <certificate file> -keystore <DTP_INSTALL>/jre/lib/security/cacerts
    keytool -import -alias <new unique alias> -file <certificate file> -keystore <LS_INSTALL>/app/jre/lib/security/cacerts
3. Enter "changeit" as the password when prompted.
4. Confirm that you want to import the certificate when prompted.
5. Restart User Administration or DTP services to apply the changes.
To import a certificate chain, repeat steps 1-4 for each certificate in the chain, in order from the root certificate first to the end-entity certificate last.
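The chain import described above as a shell function, added here as an example and not taken from the product documentation. The alias scheme (PREFIX-0, PREFIX-1, ...), the .bak rollback copy and the placeholder TRUSTSTORE path are assumptions; keytool still displays each certificate and asks for confirmation before trusting it.

```shell
#!/bin/sh
# Added example, not vendor code. TRUSTSTORE is a placeholder: set it to the
# cacerts path of your installation as given in the import command above.
# STOREPASS defaults to the password stated in the procedure.
TRUSTSTORE="${TRUSTSTORE:-/path/to/install/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Usage: import_chain PREFIX root.pem [intermediate.pem ...] end-entity.pem
# Aliases PREFIX-0, PREFIX-1, ... are an assumed naming scheme.
import_chain() {
    if [ "$#" -lt 2 ] || [ ! -f "$TRUSTSTORE" ]; then
        echo "usage: import_chain PREFIX CERT... (truststore: $TRUSTSTORE)" >&2
        return 1
    fi
    prefix="$1"
    shift
    # Pass 1: change nothing until every file is readable and every alias is free.
    n=0
    for cert in "$@"; do
        if [ ! -r "$cert" ]; then
            echo "cannot read certificate file: $cert" >&2
            return 1
        fi
        # keytool -list exits 0 only when the alias already exists.
        if keytool -list -alias "$prefix-$n" -keystore "$TRUSTSTORE" \
                -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "alias $prefix-$n is already in use; pick another prefix" >&2
            return 1
        fi
        n=$((n + 1))
    done
    # Keep a rollback copy of the truststore before modifying it.
    cp -p "$TRUSTSTORE" "$TRUSTSTORE.bak" || return 1
    # Pass 2: import in the order given (root first). keytool prints each
    # certificate's details and waits for the operator to confirm.
    n=0
    for cert in "$@"; do
        if ! keytool -import -alias "$prefix-$n" -file "$cert" \
                -keystore "$TRUSTSTORE" -storepass "$STOREPASS"; then
            echo "import of $cert failed; restore $TRUSTSTORE.bak" >&2
            return 1
        fi
        n=$((n + 1))
    done
    echo "processed $n certificate file(s); restart the service to apply"
}
```

Compare the fingerprint keytool displays at each confirmation prompt with one obtained from the certificate's owner through a separate channel before answering yes.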
Truststores and Upgrades
During an upgrade, DTP retains the existing truststore found at <DTP_INSTALL>/jre/lib/security/cacerts. Because of this, if you have upgraded DTP multiple times, your truststore might not contain newly trusted certificate authorities. If DTP needs to connect to an external server whose certificate is signed by one of these newly trusted certificate authorities, you may need to manually update the truststore at <DTP_INSTALL>/jre/lib/security/cacerts.