We have a WLS server, on top of which sits an AquaLogic server.
The clients have to hit our Aqualogic servers first, their requests are routed to the weblogic tier and from there onwards some requests are forwarded to other services downstream of the weblogic tier.
So we have SSL certs on both tiers. I followed the steps below to get my identity and trust keystores.
- For better intra-cluster communication, I import the identity certs of the other managed servers into the trust.jks keystore.
Running keytool -list -keystore trust.jks (and the same for identity.jks) confirms that all of the above has worked. All certs are present in the respective keystores.
Now I use the console on both the AquaLogic and WebLogic tiers to specify that I wish to move from demoidentity and demotrust to my custom identity and trust.
Testing shows me that the managed server logs correctly pull info from the custom keystores. However, when I check the logs for the services, I find that they say they cannot pull trusted sources / cannot find trusted sources.
This is confirmed in testing.
The workaround is that I imported downstreamservices.cer into the cacerts file in jdk/jre/lib/security. Now it works!
So what is my trust store? Is it cacerts or is it trust.jks? If it is cacerts, why is it pulling from cacerts and not from my trust.jks?
I narrowed it down to using the -trustcacerts option when I imported the root CA certificate into the keystore "identity.jks".
But all the -trustcacerts option is supposed to do is provide a list of DNs that are trusted. My understanding is that it is used only as an additional source of trusted certificates (after trust.jks).
What options do I have to narrow this down further?
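One way to narrow this down is to rebuild the same keystore layout from scratch with keytool, so that the effect of each step (and of -trustcacerts in particular) can be seen in isolation. The script below is an added example, not code from the original post or from WebLogic/AquaLogic: it stands up a throw-away root CA, builds identity.jks (server key plus CA imported with -trustcacerts, then the CA-signed reply) and trust.jks (CA plus a stand-in for downstreamservices.cer), and then shows that -trustcacerts only influences chain building at import time. All hostnames, aliases, file names and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the identity/trust
# keystore layout described above with keytool, using a throw-away CA so
# it runs offline. Names, hostnames and the password are constructed.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
  echo "keytool not on PATH (install a JDK); nothing to do" >&2
  exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"          # constructed placeholder, not a real password
cd "$WORK"

# keytool with the store type and store password every call below needs.
ks() { keytool "$@" -storetype JKS -storepass "$PASS"; }

# 1. Stand-in root CA (self-signed, BasicConstraints ca:true).
ks -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 30 \
   -dname "CN=Example Root CA,O=Example" -ext bc:c -keystore ca.jks -keypass "$PASS"
ks -exportcert -alias rootca -keystore ca.jks -rfc -file rootca.cer

# Generate a server key (alias mserver) in keystore $1 for host $2 and have
# the CA sign it; the single-certificate reply is written to $3.
issue_server_cert() {
  ks -genkeypair -alias mserver -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=$2,O=Example" -keystore "$1" -keypass "$PASS"
  ks -certreq -alias mserver -keystore "$1" -file "$1.csr"
  ks -gencert -alias rootca -keystore ca.jks -keypass "$PASS" -validity 30 -rfc \
     -infile "$1.csr" -outfile "$3"
}

# 2. identity.jks: managed-server key, then (as in the post) the root CA
#    imported with -trustcacerts, then the CA-signed reply.
issue_server_cert identity.jks mserver1.example.internal mserver.cer
ks -importcert -alias rootca -file rootca.cer -keystore identity.jks -trustcacerts -noprompt
ks -importcert -alias mserver -file mserver.cer -keystore identity.jks

# 3. Self-signed downstream service cert, standing in for downstreamservices.cer.
ks -genkeypair -alias downstream -keyalg RSA -keysize 2048 -validity 30 \
   -dname "CN=downstreamservices.example.internal,O=Example" \
   -keystore downstream.jks -keypass "$PASS"
ks -exportcert -alias downstream -keystore downstream.jks -rfc -file downstreamservices.cer

# 4. trust.jks: what this tier should trust when it acts as a TLS client.
ks -importcert -alias rootca -file rootca.cer -keystore trust.jks -noprompt
ks -importcert -alias downstream -file downstreamservices.cer -keystore trust.jks -noprompt

# Prints yes/no: does keystore $1 hold an entry under alias $2?
has_alias() {
  if ks -list -keystore "$1" -alias "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Number of key and trusted-certificate entries in keystore $1.
entry_count() {
  ks -list -keystore "$1" 2>/dev/null | grep -c -E 'PrivateKeyEntry|trustedCertEntry' || true
}

# What -trustcacerts does, and nothing more: it lets keytool consult the JDK
# cacerts file when building the chain for a reply at IMPORT time. Our CA is
# in neither the target store nor cacerts, so keytool refuses the reply with
# "Failed to establish chain from reply" even though -trustcacerts was given.
# It never changes which store a running JVM or WebLogic tier trusts.
reply_import_without_ca() {
  rm -f lonely.jks lonely.jks.csr lonely.cer
  issue_server_cert lonely.jks lonely.example.internal lonely.cer
  if ks -importcert -alias mserver -file lonely.cer -keystore lonely.jks \
        -trustcacerts -noprompt >/dev/null 2>&1
  then echo installed; else echo rejected; fi
}

for store in identity.jks trust.jks; do
  echo "$store: $(entry_count "$store") entries; rootca=$(has_alias "$store" rootca)" \
       "downstream=$(has_alias "$store" downstream)"
done
echo "reply import with -trustcacerts but no CA available: $(reply_import_without_ca)"
```

To see which trust store a Java client actually consults at runtime, rather than at import time, start it with -Djavax.net.debug=ssl:trustmanager (or plain -Djavax.net.debug=ssl on older JDKs): the trust manager logs the path of the store it loaded, which is the JDK cacerts unless javax.net.ssl.trustStore or the WebLogic trust configuration points it at trust.jks.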