Platform
RedHat Enterprise Linux 7
WebSphere Liberty Profile 8.5.5.8
Issue
I have several Liberty instances / applications connected to a Liberty Collective Controller, and therefore have SSL and keystores specific to each instance.
At the same time, many of the applications connect externally / outbound to different https:// URLs and need to store root certificates from Comodo, Buypass, Thawte, etc. to avoid "The signer might need to be added to local trust store", "could not build a valid CertPath", etc.
Goal
Use server (Java / RedHat) provided CA root certificate stores unchanged, and use a "per-instance" truststore where private certificates are imported - in combination.
Question
Is it possible to combine a "personal" truststore with a server provided truststore (or two), i.e. from the Java installed /opt/Liberty/java/java_1.8_64/jre/lib/security/cacerts file or the RPM package ca-certificates?
And if so - how?
My current ssl configuration looks like this:
    <!-- Connection to the collective controller -->
    <collectiveMember controllerHost="<server>"
                      controllerPort="<port>" />

    <!-- clientAuthenticationSupported set to enable bidirectional trust -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true" />

    <!-- inbound (HTTPS) keystore -->
    <keyStore id="defaultKeyStore" password="******"
              location="${server.config.dir}/resources/security/key.jks" />

    <!-- inbound (HTTPS) truststore -->
    <keyStore id="defaultTrustStore" password="*****"
              location="${server.config.dir}/resources/security/trust.jks" />

    <!-- server identity keystore -->
    <keyStore id="serverIdentity" password="******"
              location="${server.config.dir}/resources/collective/serverIdentity.jks" />

    <!-- collective truststore -->
    <keyStore id="collectiveTrust" password="*******"
              location="${server.config.dir}/resources/collective/collectiveTrust.jks" />
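
An added example, not part of the original question and not Liberty configuration: one way application code can consult both a JVM-provided `cacerts` file and a per-instance truststore for outbound HTTPS without modifying either, using only standard JSSE APIs. The class and method names are hypothetical, and it assumes both stores are JKS files and that the application applies the resulting `SSLContext` to its own outbound connections.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Hypothetical outbound-only trust manager that consults several trust stores, leaving each file unchanged. */
public final class CombinedTrustManager implements X509TrustManager {
    private final List<X509TrustManager> delegates = new ArrayList<>();

    /** Opens a JKS file read-only; a null password skips the integrity check but still loads the certificates. */
    public CombinedTrustManager addStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) delegates.add((X509TrustManager) tm);
        }
        return this;
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException last = new CertificateException("no trust store loaded");
        for (X509TrustManager tm : delegates) {
            try { tm.checkServerTrusted(chain, authType); return; }  // first store that validates the chain wins
            catch (CertificateException e) { last = e; }             // remember the failure, try the next store
        }
        throw last;
    }
    /** Public CA roots must not widen inbound client-certificate trust, so this manager refuses that role. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("CombinedTrustManager is for outbound connections only");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
        return all.toArray(new X509Certificate[0]);
    }
    /** TLS context whose socket factory can be set on an outbound HttpsURLConnection. */
    public SSLContext toSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

Because the configuration above sets `clientAuthenticationSupported="true"`, the example rejects client-certificate checks: merging public CA roots into inbound trust would let any certificate issued by those CAs pass the trust check for client authentication.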