Amit

Reputation: 2130

Add certificate to truststore to enable SSL communication

How do I add a certificate to the trust store when the application is running in Bluemix? Is there any way to update cacert, either programmatically or using the CLI?

Any documentation or link on the same will be greatly appreciated.

Upvotes: 1

Views: 2988

Answers (2)

Chris Snow

Reputation: 24588

You could try using spring-boot-ssl-truststore-gen, which adds the certificate to the system truststore inside the buildpack:

First you need this in your pom.xml (or alternative):

<repositories>
    <repository>
        <id>jcenter</id>
        <url>http://jcenter.bintray.com</url>
        <snapshots>
            <enabled>true</enabled>
            <updatePolicy>never</updatePolicy>
            <checksumPolicy>warn</checksumPolicy>
        </snapshots>
        <releases>
            <enabled>true</enabled>
            <checksumPolicy>warn</checksumPolicy>
        </releases>
    </repository>
</repositories>

and

<dependency>
    <groupId>com.orange.clara.cloud.boot.ssl-truststore-gen</groupId>
    <artifactId>spring-boot-ssl-truststore-gen</artifactId>
    <version>2.0.21</version>
</dependency>

Next declare the certificate in your manifest.yml:

env:
    TRUSTED_CA_CERTIFICATE: |-
        -----BEGIN CERTIFICATE-----
        changeme
        -----END CERTIFICATE-----

That's it. When you cf push your application, the certificate will get added to the truststore.

Upvotes: 0

Jack-Junjie Cai

Reputation: 599

You can push a packaged server to the Liberty buildpack. With the packaged server, you can package the cert and configure the server.xml accordingly (see https://www-01.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_sec_keystores.html). The server.xml will be part of the packaged server.

If you need to update the cert, the standard way in Bluemix Cloud Foundry runtime is to repush the application.

Upvotes: 1
