...

Optionally adjust components (e.g. DFC) that use different certificates internally and externally so that they support the same truststore and keystore for both internal and external traffic.


Truststore merger properties:

| Property name | Example | Description |
|---|---|---|
| TRUSTSTORES | /etc/dcae/truststore.jks:/etc/dcae/truststore2.p12:/etc/dcae/cacert.pem | List of truststores to be merged |
| TRUSTSTORES_PASSWORDS | /etc/dcae/truststore.pass:/etc/dcae/truststore2.pass:/etc/dcae/cacert.key | List of passwords to provided truststores - order must be the same as in truststores |


Flow:


  • The first provided truststore has to be backed up (e.g. by adding the extension .bak)
  • Open the first truststore
      • If it is not PEM, read all aliases and put them in a unique list
      • Keep it open, as all other trust anchors will be added to this truststore
  • For every other provided truststore:
      • Open it (in case of a reading error or an incorrect password, exit with an error code)
      • If not PEM
          • If the destination format is not PEM
              • Read all aliases
              • If there is any conflict with aliases already in the unique list - cancel the operation and exit with an error code
              • If no conflicts - proceed
          • Convert to the destination format if needed, e.g. PEM to Java certificate or vice versa
          • Put every entry into the first truststore (duplicates are acceptable: the same certificate can be saved multiple times under different aliases - need to check whether keytool allows that (warning))
      • If PEM
          • Convert to the destination format if needed, e.g. PEM to Java certificate or vice versa
          • If the destination format is not PEM
              • Generate aliases according to policy (warning) and make sure there is no conflict with aliases from the unique list
          • Put every entry into the first truststore (duplicates are acceptable: the same certificate can be saved multiple times under different aliases - need to check whether keytool allows that (warning))
      • Close the truststore
  • Save the first truststore
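
The merge flow above as an added example (not the DCAE project's code): Python over in-memory stores, with aliased truststores (JKS/PKCS#12) modelled as alias-to-certificate dicts and PEM bundles as text. The function names and the alias-generation policy (`pem-` plus a SHA-256 prefix) are assumptions, since the page leaves the policy open.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

class MergeError(Exception):
    """Raised where the flow says 'exit with error code'."""

def pair_stores(truststores, passwords):
    """Pair each TRUSTSTORES path with its TRUSTSTORES_PASSWORDS path by position."""
    paths, pw_files = truststores.split(":"), passwords.split(":")
    if len(paths) != len(pw_files) or not all(paths + pw_files):
        raise MergeError("TRUSTSTORES and TRUSTSTORES_PASSWORDS must list the same number of paths")
    return list(zip(paths, pw_files))

def pem_entries(pem_text):
    """Split a PEM bundle into DER blobs (PEM entries carry no aliases)."""
    return [base64.b64decode(body) for body in PEM_RE.findall(pem_text)]

def generate_alias(der, taken):
    """Assumed policy: 'pem-' + first 8 hex chars of SHA-256, numbered on collision."""
    base = "pem-" + hashlib.sha256(der).hexdigest()[:8]
    alias, n = base, 1
    while alias in taken:
        alias, n = f"{base}-{n}", n + 1
    return alias

def merge(first, others):
    """Merge `others` (dict = aliased store, str = PEM text) into a copy of `first`."""
    merged = dict(first)  # work on a copy: a cancelled merge leaves the original intact
    for store in others:
        if isinstance(store, dict):
            clash = sorted(merged.keys() & store.keys())
            if clash:  # alias already in the unique list: cancel the whole operation
                raise MergeError(f"alias conflict, merge cancelled: {clash}")
            merged.update(store)
        else:
            for der in pem_entries(store):
                merged[generate_alias(der, merged)] = der
    return merged

# Constructed sample data: placeholder bytes stand in for DER certificates.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_B).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Because `merge` works on a copy, an alias conflict in any later truststore leaves the first one untouched, which is the same guarantee the `.bak` backup step provides on disk.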

Option 2 (Adjust DCAE components to support two internal and external truststores and keystores)

...