How to import a custom CA certificate into Hyperglance's truststore
This guide will show how to import a root CA certificate into Hyperglance's Java truststore.
If you are seeing "PKIX path building failed" errors, you most likely need to add your company's root CA certificate to Hyperglance's truststore.
Note: This is not the same as the SSL/TLS server certificate that Hyperglance presents to web browsers. To change that, see [this article].
STEP BY STEP GUIDE:
1) Copy your root CA certificate PEM file from your local computer to /var/lib/data/hyperglance/ on the Hyperglance system.
2) Gain terminal access (SSH) to the Hyperglance instance/VM to run the following commands...
3) Copy Java's default cacerts file out from the container:
sudo docker cp wildfly:/opt/wildfly/java/lib/security/cacerts /var/lib/data/hyperglance/
4) Ensure the file is owned by the wildfly user:
sudo chown wildfly:wildfly /var/lib/data/hyperglance/cacerts
5) Sanity check. List the directory and make sure you see a cacerts file and your root CA certificate and that cacerts is owned by wildfly:
ls -la /var/lib/data/hyperglance
6) Add your pem file to the cacerts truststore.
If your root CA file is not called rootca.pem then adjust the -v mapping in the command accordingly.
If you are running this multiple times to add more than one cert then give each one a unique alias.
sudo docker run --rm \
-v "/var/lib/data/hyperglance/cacerts:/tmp/cacerts" \
-v "/var/lib/data/hyperglance/rootca.pem:/tmp/custom.crt" \
--user root --entrypoint bash \
hyperglance/wildfly-v2 -c "\
/opt/wildfly/java/bin/keytool \
-importcert -trustcacerts -noprompt \
-keystore /tmp/cacerts \
-storepass changeit \
-alias hyperglance-user-added-ca \
-file /tmp/custom.crt"
After running this command you should see this message:
Certificate was added to keystore
7) Add a volume mapping for your cacerts truststore:
echo " - /var/lib/data/hyperglance/cacerts:/opt/wildfly/java/lib/security/cacerts:ro" | sudo tee -a /etc/docker-compose.yml
8) Update the service (Note: Hyperglance will restart and re-ingest all data):
sudo docker-compose -f /etc/docker-compose.yml up -d
Hyperglance will now be using your new CA root certificate.
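To confirm that the truststore entry is the certificate you intended to trust, compare the SHA-256 fingerprint of the PEM file with the fingerprint stored under the alias. The script below is an added example, not part of the original guide or of Hyperglance. It reuses the paths, image name, alias and store password from the steps above, and it assumes keytool can be used directly as the container entrypoint. The PEM variable is a hypothetical override for a file not named rootca.pem.

```shell
#!/usr/bin/env bash
# Added example: check that the imported truststore entry matches the PEM file.
# Paths, image, alias and store password are the ones used in the steps above.

DATA=/var/lib/data/hyperglance
KEYTOOL=/opt/wildfly/java/bin/keytool

# Read keytool output on stdin and print the first SHA-256 fingerprint
# (from a line such as "SHA256: AB:CD:..."). Prints nothing if none is present.
sha256_of() {
  awk '$1 == "SHA256:" { print toupper($2); exit }'
}

# Run keytool in a throwaway container; truststore and PEM are mounted read-only.
# Assumption: keytool works as a direct entrypoint (the guide calls it via bash -c).
in_container() {
  sudo docker run --rm \
    -v "$DATA/cacerts:/tmp/cacerts:ro" \
    -v "$DATA/${PEM:-rootca.pem}:/tmp/custom.crt:ro" \
    --user root --entrypoint "$KEYTOOL" \
    hyperglance/wildfly-v2 "$@"
}

# Succeeds only when both fingerprints are non-empty and identical, so a
# missing alias or an unreadable PEM counts as a failure, not a match.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

verify_import() {
  local alias_name="${1:-hyperglance-user-added-ca}" pem_fp store_fp
  pem_fp=$(in_container -printcert -file /tmp/custom.crt | sha256_of)
  store_fp=$(in_container -list -v -keystore /tmp/cacerts \
               -storepass changeit -alias "$alias_name" | sha256_of)
  echo "PEM file:   ${pem_fp:-<none>}"
  echo "Truststore: ${store_fp:-<none>}"
  fingerprints_match "$pem_fp" "$store_fp"
}
```

Source the script and run verify_import after step 6, passing the alias as the first argument if you used a different one. A non-zero exit status means the alias is missing or holds a different certificate than the PEM file.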