Without modification, PingCentral is secure by default:
  • The server certificate chain must be ultimately signed by one of the public certificate authority root certificates present in the Java virtual machine (JVM) default trust store.
  • Host name verification is performed. The hostname or IP address specified in the URL must match a name defined in the server certificate presented, which encompasses the distinguished name, subject alternative names, and wildcard matching.

If you want to use self-signed server certificates, root certificates, intermediate certificates, or certificates issued by a private certificate authority, create a PingCentral-specific trust store and configure PingCentral to access it.

Each time a connection is made, PingCentral checks the remote server's certificate against the PingCentral-specific trust store. If certificate validation fails, PingCentral delegates validation to the default system trust store. If you disable delegation to the default trust store, the only trusted certificates are those in the PingCentral-specific trust store.

In PingCentral, two types of outbound connections perform server certificate validation using the PingCentral-specific trust store. You cannot configure these connections independently:
  • Admin API access to PingFederate to manage environments and deploy applications.
  • Backchannel access to the configured OpenID Connect (OIDC) provider when single sign-on (SSO) is enabled.

You can configure PingCentral so that host name verification and certificate validation are disabled. However, you should only disable these options for demonstration or testing purposes.

PingCentral only reads trust store configurations at startup, so restart PingCentral after creating or configuring trust store information.

  1. To create a PingCentral-specific trust store:
    1. Run the following built-in Java keytool command.
      <JAVA_HOME>/bin/keytool -import -trustcacerts -alias <ALIAS> -file <PATH_TO_TRUSTED_AUTHORITY_CERT> -keystore <TRUST_STORE_FILE_NAME>.jks
      Note:

      You should store the new trust store in a secure location on the local file system of the PingCentral user and limit access permissions to that user.

    2. Run this command once for each certificate you need to import. Specify a unique alias for each certificate, and refer to the same trust store file name each time you run the command.
    3. When the system prompts you, create a password to secure the trust store.

      You must provide this password when you configure PingCentral to access the trust store.

    4. To view a list of the certificates included in the trust store, run the following command.
      <JAVA_HOME>/bin/keytool -list -v -keystore <TRUST_STORE_FILE_NAME>.jks
      Note:

      Java trusts certificates in the configured trust store even if they are expired.

  2. To configure PingCentral to access the PingCentral-specific trust store:
    1. Open <PingCentral installation directory>/conf/application.properties in a text editor.
    2. Locate the following properties, uncomment them by removing the # from the line, and define each property with your system-specific information:
      • server.ssl.trust-store=<ABSOLUTE_PATH_TO_TRUSTSTORE_JKS_FILE>
        Note:

        If the .jks file is in the PingCentral home/install directory, you can use a relative path instead: ${pingcentral.home}/<PATH_TO_TRUSTSTORE_JKS_FILE>

      • server.ssl.trust-store-password=<TRUSTSTORE_PASSWORD>

        On startup, PingCentral attempts to access the trust store with the password specified here, which must be the password used when the trust store was created.

        Note:

        You should secure the password with the obfuscation script available in bin/obfuscate, and use the ciphertext it outputs here rather than the cleartext secret.

  3. Configure the following PingCentral properties, as appropriate:
    • To force PingCentral to use the PingCentral-specific trust store as the certificate validation authority and not delegate validation to the default system trust store, uncomment the following property and set the value to false: server.ssl.delegate-to-system=false
    • To configure PingCentral so that it accepts a valid certificate even if the URL host name does not match the one defined in the certificate, uncomment the following property, and set the value to false: server.ssl.https.verify-hostname=false
    • To configure PingCentral so that certificate validation is completely disabled (any certificate presented by a server is trusted), uncomment the following property and set the value to true: server.ssl.trust-any=true
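The three properties above decide whether an outbound connection is actually authenticated, so they are worth checking before a demo instance is promoted to production. As an added example (not PingCentral's own code or documentation), this Python script reads an application.properties fragment, applies the documented defaults for unset properties, and flags the settings that weaken validation; both property fragments are constructed samples, and <OBFUSCATED_PASSWORD> is a placeholder for the output of bin/obfuscate.

```python
import re

# Constructed sample of a demo/testing instance with validation switched off.
DEMO_PROPERTIES = """\
server.ssl.trust-store=${pingcentral.home}/conf/lab-truststore.jks
server.ssl.trust-store-password=changeit
server.ssl.https.verify-hostname=false
server.ssl.trust-any=true
"""

# Constructed hardened equivalent; <OBFUSCATED_PASSWORD> stands for the
# ciphertext produced by bin/obfuscate, and the two defaults are restated.
HARDENED_PROPERTIES = """\
server.ssl.trust-store=/opt/pingcentral/conf/pingcentral-truststore.jks
server.ssl.trust-store-password=<OBFUSCATED_PASSWORD>
server.ssl.delegate-to-system=false
server.ssl.https.verify-hostname=true
server.ssl.trust-any=false
"""

# Documented defaults: delegate on failure, verify host names, never trust any.
DEFAULTS = {"server.ssl.delegate-to-system": "true",
            "server.ssl.https.verify-hostname": "true",
            "server.ssl.trust-any": "false"}

def parse_properties(text):
    """Minimal java.util.Properties reader; a commented-out ('#'/'!') property is unset."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)  # first '=' or ':' splits key/value
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_properties(text):
    """Return (severity, message) findings for settings that weaken outbound TLS validation."""
    props = parse_properties(text)
    value = lambda key: props.get(key, DEFAULTS[key]).lower()  # fall back to documented default
    findings = []
    if value("server.ssl.trust-any") == "true":
        findings.append(("high", "trust-any=true: any certificate presented by a server is trusted"))
    if value("server.ssl.https.verify-hostname") == "false":
        findings.append(("high", "verify-hostname=false: URL host name is not matched against the certificate"))
    if "server.ssl.trust-store" in props and value("server.ssl.delegate-to-system") == "true":
        findings.append(("info", "delegate-to-system=true: certificates the PingCentral trust store "
                                 "rejects fall back to the JVM default trust store"))
    return findings
```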