PingDirectory

Configuring key and trust manager providers

After you have a key store, you can configure a key manager provider to access it.

The server is preconfigured with key manager providers that can be used with Java KeyStore (JKS) or PKCS #12 key stores, named “JKS” and “PKCS12”, respectively. In most cases, the appropriate key manager provider can be updated to reference the key store that you will use.

dsconfig set-key-manager-provider-prop \
     --provider-name JKS \
     --set enabled:true \
     --set key-store-file:config/keystore \
     --set key-store-pin-file:config/keystore.pin

Use a similar change to configure a trust manager provider to reference the appropriate trust store.

dsconfig set-trust-manager-provider-prop \
     --provider-name JKS \
     --set enabled:true \
     --set include-jvm-default-issuers:true \
     --set trust-store-file:config/truststore \
     --set trust-store-pin-file:config/truststore.pin

Alternatively, if clients and servers are all expected to use certificates signed by issuers included in the JVM’s default trust store, you can simply use the “JVM-Default” trust manager provider.
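The two dsconfig commands above can be wrapped in a script that first checks the store and PIN files, since each PIN file holds a store password in clear text. This is an added example, not part of the PingDirectory documentation; it assumes it is run from the server root (so config/ resolves as on this page), that dsconfig is on PATH, and that the file names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation: pre-flight checks
# for the store and PIN files, followed by the dsconfig calls from this page.
# Assumptions: run from the server root (config/ is relative to it) and
# dsconfig is on PATH; file names are the ones used on this page.

# Check one PIN file: it must exist, be non-empty, and not be readable by
# group or others, because it holds the store password in clear text.
check_pin_file() {
  pin="$1"
  [ -s "$pin" ] || { echo "PIN file missing or empty: $pin" >&2; return 1; }
  # Permission bits in octal (GNU stat first, BSD stat as fallback).
  mode=$(stat -c '%a' "$pin" 2>/dev/null || stat -f '%Lp' "$pin")
  case "$mode" in
    *00) return 0 ;;
    *)   echo "PIN file $pin is group/world readable (mode $mode)" >&2; return 1 ;;
  esac
}

# Check a store file and its PIN file together.
check_store() {
  store="$1"; pin="$2"
  [ -s "$store" ] || { echo "store missing or empty: $store" >&2; return 1; }
  check_pin_file "$pin"
}

# Configure the key and trust manager providers named $1 (JKS or PKCS12)
# only after both stores pass the checks above.
configure_providers() {
  provider="$1"
  check_store config/keystore config/keystore.pin || return 1
  check_store config/truststore config/truststore.pin || return 1
  dsconfig set-key-manager-provider-prop \
      --provider-name "$provider" \
      --set enabled:true \
      --set key-store-file:config/keystore \
      --set key-store-pin-file:config/keystore.pin || return 1
  dsconfig set-trust-manager-provider-prop \
      --provider-name "$provider" \
      --set enabled:true \
      --set include-jvm-default-issuers:true \
      --set trust-store-file:config/truststore \
      --set trust-store-pin-file:config/truststore.pin
}

# Apply only when invoked as: sh configure-providers.sh apply [JKS|PKCS12]
if [ "${1:-}" = "apply" ]; then
  configure_providers "${2:-JKS}"
fi
```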