By default, the policy engine determines whether it should accept a PIP's server certificate using the Java Runtime Environment's (JRE's) default trust store, which contains public root certificates for common certificate authorities. If your PIP uses a server certificate issued by some other certificate authority, such as a private certificate authority operated by your organization, then you can provide a custom Java KeyStore (JKS) or PKCS12 trust store. Configure details about the trust store in an options file in the truststores section. A JKS trust store file should use the extension .jks, while a PKCS12 trust store file should use the extension .p12.


Given a JKS trust store named my-ca-truststore.jks with the password password123 and a trusted root certificate with the alias my-ca, create an options file with details about the trust store.

To set up this trust store, complete the following steps.
  1. Make a copy of the default options file.
    $ cp config/options.yml my-options.yml
  2. Edit the new options file to define the key store details by adding an item under the truststores section.
      - name: MyCATruststore
        resource: /path/to/my-ca-truststore.jks
        password: password123
    # Other options omitted for brevity...
  3. Run setup using the --optionsFile argument. Customize all other options as needed.
    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml

After you define the policy information provider in the Trust Framework, you can see the trust store that you configured using the name MyCATruststore.

Screen capture of the Certificate Validation section illustrating a configured trust store.