Issue
What is the best way to add a new certificate to the cacerts truststore so that Liferay trusts the responses of an API it consumes in Liferay Cloud (PaaS)?
Environment
Liferay DXP 7.4+
Resolution
To ensure your trust settings survive a restart, the best approach is to move the certificates out of the ephemeral container filesystem and onto a mounted volume, then point the JVM at that truststore.
- Generate the necessary truststore.jks for the external APIs you would like to call from Liferay.
- Place this into the workspace in configs/{environment-name}.
- Then in the LCP.json file of the Liferay service, set the JVM options. For example:
  - If the configs/dev folder is mapped into the container at /mnt/liferay/:
    "env": {"LIFERAY_JVM_OPTS": "-Djavax.net.ssl.trustStore=/mnt/liferay/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"}
  - If it is mapped into configs/dev/secret, it must be:
    "env": {"LIFERAY_JVM_OPTS": "-Djavax.net.ssl.trustStore=/mnt/liferay/secret/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"}
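An added example of the first and third steps as typed into a shell; it is not code from the Liferay article. It fetches the CA certificate an external API presents, imports it into truststore.jks with keytool, and derives the matching LIFERAY_JVM_OPTS value for LCP.json. It assumes openssl and a JDK keytool are on the PATH; the host api.example.com and the alias are placeholders.

```shell
#!/bin/sh
# Added example (not from the Liferay article): build truststore.jks for an
# external API and derive the LIFERAY_JVM_OPTS value for LCP.json.
set -eu

# Fetch the chain HOST:PORT presents and keep the LAST certificate as PEM.
# That is normally the issuing CA (or root), so the truststore keeps working
# when the API rotates its leaf certificate. Inspect it before trusting it:
#   openssl x509 -in ca.pem -noout -subject -issuer -dates
fetch_ca_pem() { # host port out.pem
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/ {buf=""}
           {buf = buf $0 "\n"}
           /END CERTIFICATE/ {last=buf}
           END {printf "%s", last}' > "$3"
}

# Import a PEM certificate as a trusted entry under ALIAS, creating the JKS
# store if it does not exist yet. -noprompt suppresses the interactive "Trust
# this certificate?" question so the step can run in a build pipeline.
import_ca() { # pem alias store password
  keytool -importcert -noprompt -trustcacerts -file "$1" -alias "$2" \
    -keystore "$3" -storepass "$4" -storetype JKS >/dev/null
}

# Count trusted entries so a deploy can refuse an empty or broken truststore.
trusted_count() { # store password
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry || true
}

# Build the LIFERAY_JVM_OPTS value. $1 is the path of truststore.jks relative
# to configs/{environment-name}, which Liferay Cloud mounts at /mnt/liferay.
# Use "truststore.jks" for a plain file, "secret/truststore.jks" if it lives
# in configs/{environment-name}/secret.
jvm_opts() { # relative-path password
  printf '%s %s' "-Djavax.net.ssl.trustStore=/mnt/liferay/$1" \
                 "-Djavax.net.ssl.trustStorePassword=$2"
}

# Usage (placeholder host; run from the workspace root):
#   fetch_ca_pem api.example.com 443 ca.pem
#   import_ca ca.pem api-example-ca configs/dev/truststore.jks changeit
#   [ "$(trusted_count configs/dev/truststore.jks changeit)" -ge 1 ] || exit 1
#   jvm_opts truststore.jks changeit   # paste into LCP.json "env"
```

Keep the store password out of version control where the platform allows it (the configs/{environment-name}/secret mapping exists for exactly this) and re-run trusted_count after every change so an empty store never reaches production.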
Additional Information
The cacerts file is the default truststore of the Java Development Kit (JDK), a collection of certificates from trusted Certificate Authorities (CAs). When a Liferay instance communicates with an external API over HTTPS, the JVM uses this truststore (or the one named by javax.net.ssl.trustStore) to verify the remote server's identity; a server whose chain does not lead to a trusted entry is rejected.
When Liferay is hosted on a Platform as a Service (PaaS), it runs in containers managed by Kubernetes. Changes made to the cacerts file from inside a running container do not persist across a restart: the container's filesystem is reset each time Kubernetes recreates that container, which is why the truststore belongs on a mounted volume.
Related Topics
- Generating a KeyStore and TrustStore (Configuring Java CAPS for SSL Support)