Scope: client and server, all versions.
A certificate may be needed for accessing another system. Examples are accessing a MyProxy from an OA4MP server, or an OA4MP client that has been issued a specific certificate. A keystore is a single file that contains X509 certificates, possibly with their associated certificate chains and private keys. The two major formats are PKCS12 and JKS (Java KeyStore); OA4MP supports both. Java comes bundled with a set of certificates from common commercial certification authorities, which may be used or not. To make this a bit clearer: any time your browser goes to a site that requires you to accept its certificate before connecting, you have hit exactly the case for using this feature. Your browser has a clickable dialog for accepting certificates, but your Java virtual machine does not.

| Name | Required | Default | Description |
|------|----------|---------|-------------|
| path | N | - | The absolute path to the keystore. |
| type | N | - | The type of the keystore, e.g. "pkcs12" or "jks". |
| password | N | - | The password for the keystore. |
| factory | N | - | The name of the factory, e.g. SunX509, which will be used to create the key manager factory. This creates any key managers. You should generally not need to change this. |
| useJavaKeystore | T | true | Use the default Java keystore (which normally resides at $JAVA_HOME/lib/security/cacerts) in addition to the one given in the path. If this element is omitted it is the same as setting this option to "true". Generally, if this is disabled then no commercial certificates will be recognized by SSL. This might be useful in certain cases, but should probably be enabled unless you have good reasons otherwise. |
<config>
    <client name="my-secure-client">
        <keystore path="/var/www/config/certs/2014-03-18/server.bigstate.edu.p12"
                  type="pkcs12"
                  password="uninterestingFakePassword"
                  factory="SunX509"
                  useJavaKeystore="false"/>
        <!-- Bunch of other configuration stuff -->
    </client>
</config>
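To show what the five attributes above mean at the JSSE level, here is an added illustrative loader (not OA4MP's own code) that opens the keystore with path/type/password, builds the key managers with the named factory, and honours useJavaKeystore by merging the JVM's bundled CA certificates into the trust store. The class name, the in-memory trust store and the reading of cacerts with a null password are assumptions made for this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Illustrative loader for the <keystore> attributes; not OA4MP's own code. */
public final class KeystoreConfigExample {

    public static SSLContext buildSslContext(String path, String type, char[] password,
            String factory, boolean useJavaKeystore) throws Exception {
        // path / type / password: the keystore holding this client's cert and private key
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        // factory (e.g. "SunX509"): creates the key managers that present our certificate
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(factory);
        kmf.init(ks, password);

        // Trust store (assumed in-memory): start with the certificates in our own keystore ...
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        copyCertificates(ks, trust, "own-");
        // ... and, when useJavaKeystore is true, add the JVM's bundled CA certificates.
        // With false, no commercial CA is trusted and handshakes with them fail.
        if (useJavaKeystore) {
            KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(
                    Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
                cacerts.load(in, null); // null password: read entries without the integrity check
            }
            copyCertificates(cacerts, trust, "jvm-");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Copies trusted-certificate entries only (never private keys) between stores. */
    private static void copyCertificates(KeyStore from, KeyStore to, String prefix) throws Exception {
        for (String alias : Collections.list(from.aliases())) {
            if (from.isCertificateEntry(alias)) {
                to.setCertificateEntry(prefix + alias, from.getCertificate(alias));
            }
        }
    }
}
```

Calling buildSslContext with the values from the configuration example (the .p12 path, "pkcs12", the password, "SunX509", false) yields a context that presents that certificate but trusts only the certificates found in the keystore itself.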