Some policy information providers might use MTLS, in which a client presents a client certificate to establish TLS communications with a server. In such cases, the policy engine can use a client certificate contained in a Java KeyStore (JKS) or PKCS12 key store. The key store details are then configured in an options file in the keystores section. A JKS key store file should use the extension .jks, while a PKCS12 key store file should use the extension .p12.


Given a JKS key store named my-client-cert-keystore.jks with the password password123 and a client certificate with the alias my-cert, create an options file with details about the key store.

To set up this key store, complete the following steps.
  1. Make a copy of the default options file.
    $ cp config/options.yml my-options.yml
  2. Edit the new options file and define the key store details by adding an item under the keystores section.
      - name: MyClientCertKeystore
        resource: /path/to/my-client-cert-keystore.jks
        password: password123
    # Other options omitted for brevity...
  3. Stop the Policy Administration GUI.
    $ bin/stop-server
  4. Run setup using the --optionsFile argument. Customize all other options as appropriate for your needs.
    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret datagovernance \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
  5. Start the Policy Administration GUI.
    $ bin/start-server

After you define the policy information provider in the Trust Framework, you can refer to the key store that you configured using the name MyClientCertKeystore.

Screen capture illustrating a configured trust store.