How to Modify Java KeyStore in Docker
This page shows how to use a modified Java KeyStore file in a dotCMS Docker container without building a custom Docker image.
This example uses docker-compose, but the same approach applies to other container deployments such as Kubernetes. The Java KeyStore file is a repository of security certificates that allows dotCMS to make secure connections to remote servers that present valid SSL/TLS certificates. It may be necessary to add certificates to the default Java KeyStore, most commonly when dotCMS needs to connect to HTTPS API servers that use self-signed certificates. Pin a specific dotCMS release in docker-compose.yml rather than using "latest", because the KeyStore file bundled in the image can change when dotCMS publishes new Docker images.
```
services:
  dotcms:
    image: dotcms/dotcms:21.09
    environment:
      CMS_HEAP_SIZE: '8g'
      ...
    volumes:
      - cms-shared:/data/shared
      ...
```

Copy the default Java KeyStore file from a running container:

```
# local directory that will hold the modified KeyStore
mkdir keystore
# copy the image's default trust store out of the running dotCMS container
docker cp {container_id}:/java/lib/security/cacerts keystore/cacerts
```
Add the custom cert(s) to the copied KeyStore file using the default password "changeit". Give the entry a descriptive alias to be kind to future admins, then verify its presence:

```
# import the self-signed certificate as a trusted CA entry into the copied store
keytool -import -trustcacerts -storepass changeit -file /PATH/TO/SELF-SIGNED-CERT.cer -alias dotcms-SELF-SIGNED-CERT-YYYY -keystore keystore/cacerts
# confirm the new alias is present in the store
keytool -storepass changeit -list -rfc -keystore keystore/cacerts | grep dotcms
```
To use the custom KeyStore in `docker-compose.yml`, mount the updated KeyStore file into the container and point the JVM at it by adding the trust store path and password to `CMS_JAVA_OPTS`:

```
environment:
  CMS_JAVA_OPTS: '... -Djavax.net.ssl.trustStore=/srv/custom_keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit'
  CMS_HEAP_SIZE: '8g'
volumes:
  - /path/to/keystore/cacerts:/srv/custom_keystore/cacerts
  - cms-shared:/data/shared
```
In a clustered environment, distribute the updated KeyStore file to all dotCMS nodes.
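The `keytool | grep` check above only proves the alias is in the file on the host. To confirm from inside the JVM that the mounted store is readable with the configured password, that the imported certificate has not expired, and that a TLS handshake to the target API actually succeeds against that store, the following small Java program can be run on each node. It is an added example, not dotCMS code and not part of this page; the keystore path, password and alias in the usage comment are taken from the compose file above, and the HTTPS URL is a placeholder for the API server whose certificate was imported.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * TrustStoreCheck: verify a custom Java KeyStore from inside the JVM.
 *
 * Usage (inside the dotCMS container; values from docker-compose.yml, URL is a placeholder):
 *   java TrustStoreCheck.java /srv/custom_keystore/cacerts changeit \
 *        dotcms-SELF-SIGNED-CERT-YYYY https://api.internal.example/
 *
 * Exit status: 0 = all checks passed, 1 = a check failed, 2 = bad arguments.
 */
public class TrustStoreCheck {

    // Load the store with the given password. A wrong password or corrupt file
    // throws an IOException here, which is exactly what we want to surface.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        // getDefaultType() is PKCS12 on modern JDKs; its compatibility mode also
        // reads the JKS-format cacerts shipped with older images.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Return the certificate stored under alias, or null if the alias is absent.
    static X509Certificate findCert(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return null;
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    // Days until the certificate's notAfter date (negative if already expired).
    static long daysUntilExpiry(X509Certificate cert, Date now) {
        return (cert.getNotAfter().getTime() - now.getTime()) / 86_400_000L;
    }

    // Build an SSLContext that trusts ONLY the given store and perform a HEAD
    // request; a handshake failure throws SSLHandshakeException.
    static int probe(KeyStore ks, String url) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <keystore> <storepass> <alias> [https-url]");
            System.exit(2);
        }
        KeyStore ks = loadStore(args[0], args[1].toCharArray());
        System.out.println("Loaded " + args[0] + " with " + ks.size() + " entries");

        X509Certificate cert = findCert(ks, args[2]);
        if (cert == null) {
            System.out.println("FAIL: alias '" + args[2] + "' not found; was the right file mounted?");
            System.exit(1);
        }
        long days = daysUntilExpiry(cert, new Date());
        System.out.println("Found " + args[2] + " -> " + cert.getSubjectX500Principal()
            + ", expires " + cert.getNotAfter() + " (" + days + " days)");
        if (days < 0) {
            System.out.println("FAIL: certificate has expired; re-import a current one");
            System.exit(1);
        } else if (days < 30) {
            System.out.println("WARN: certificate expires within 30 days; plan the rotation now");
        }

        if (args.length > 3) {
            int status = probe(ks, args[3]);
            System.out.println("TLS handshake OK against " + args[3] + ", HTTP " + status);
        }
        System.out.println("OK");
    }
}
```

The program deliberately builds its own `SSLContext` from the file on disk rather than relying on the `-Djavax.net.ssl.trustStore` system properties, so a passing run tells you the mounted file itself is sufficient; if this passes but dotCMS still fails to connect, the problem is in how `CMS_JAVA_OPTS` reaches the JVM, not in the KeyStore. With a JDK 11 or newer it can be launched directly from the source file as shown in the usage comment.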