[FRS-422] FusionReactor Cloud: Importing our Certificate Provider into a custom keystore


If you’re using FusionReactor with a Cloud license, the client connects to our services via encrypted SSL connections.

The certificate used to secure these connections is issued by DigiCert. Some older operating systems, and some Java EE servers that supply their own keystores, don’t include DigiCert’s current certificate.

In these cases, you’ll see an SSL error in the console when FusionReactor tries to connect to the Cloud. Java may also complain about being “unable to build a certificate chain”.

Previously we included our own keystore, but this was problematic because in some cases it supplanted the JEE container’s own store. The certificates we supplied would also expire eventually, necessitating a forced update of FusionReactor.

In order to fix this, simply import DigiCert’s certificate into your own keystore. As an example, here’s how to do it for IBM WebSphere, which supplies its own keystore. Adapt the path to your own keystore.

IBM WebSphere Liberty Profile 9.

Download the certificate:

Import the certificate into the JKS keystore for your server. On our system, for the default WebSphere server, this is done as follows:

keytool -import -alias digicert-global-root-ca -file /tmp/digicert.crt -keystore /opt/IBM/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks
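
Because this step adds a new trust anchor to the server's keystore, the import can be gated on the certificate's SHA-256 fingerprint. The script below is an added example, not FusionReactor's own tooling: the function names are hypothetical, the paths and alias are the ones used in this technote, and EXPECTED_FP is a placeholder for the fingerprint DigiCert publishes for the certificate.

```shell
#!/bin/sh
# Added example: gate the technote's keytool import on a fingerprint check.
# CERT, KEYSTORE and ALIAS come from the technote. EXPECTED_FP is a placeholder:
# replace it with the SHA-256 fingerprint DigiCert publishes for this certificate.
CERT=/tmp/digicert.crt
KEYSTORE=/opt/IBM/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks
ALIAS=digicert-global-root-ca
EXPECTED_FP="<SHA-256 fingerprint published by DigiCert>"

# Drop everything that is not a hex digit (colons, spaces) and upper-case the rest.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Succeed only if both values are complete SHA-256 fingerprints (64 hex digits)
# and identical. A truncated or placeholder value never matches.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_fp() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# Import the certificate only when its fingerprint matches, then list the new
# entry so the stored fingerprint can be confirmed. keytool prompts for the
# keystore password. -importcert is the current name of the -import command.
import_if_trusted() {
    actual=$(cert_fp "$CERT") || return 1
    if ! fp_matches "$actual" "$EXPECTED_FP"; then
        echo "Fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" -keystore "$KEYSTORE" &&
        keytool -list -alias "$ALIAS" -keystore "$KEYSTORE"
}

# Run the import only when asked to, e.g.: sh import-cert.sh --import
if [ "${1:-}" = "--import" ]; then
    import_if_trusted
fi
```

Back up key.jks before importing, and restart the server afterwards if it does not pick up keystore changes on its own.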

Issue Details

Type Technote
Issue Number FRS-422
Components Cloud
Resolution Fixed
Last Updated 2019-11-25T11:08:31.293+0000
Fix Version(s) 7.0.0