By default, the policy engine determines whether it should accept a PIP's server certificate using the Java Runtime Environment's (JRE's) default trust store, which contains public root certificates for common certificate authorities. If your PIP uses a server certificate issued by some other certificate authority, such as a private certificate authority operated by your organization, then you can provide a custom Java KeyStore (JKS) or PKCS12 trust store. Configure details about the trust store in an options file in the truststores section. A JKS trust store file should use the extension .jks, while a PKCS12 trust store file should use the extension .p12.


Given a JKS trust store named my-ca-truststore.jks with the password password123 and a trusted root certificate with the alias my-ca, create an options file with details about the trust store.

To set up this trust store, complete the following steps.
  1. Make a copy of the default options file.
    $ cp config/options.yml my-options.yml
  2. Edit the new options file to define the key store details by adding an item under the truststores section.
      - name: MyCATruststore
        resource: /path/to/my-ca-truststore.jks
        password: password123
    # Other options omitted for brevity...
  3. Run setup using the --optionsFile argument. Customize all other options as needed.
    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml

After you define the policy information provider in the Trust Framework, you can see the trust store that you configured using the name MyCATruststore.

Screen capture illustrating a configured trust store.