Certificate Manager

With the certificate manager, users can import certificates and PKCS12 files for use with SSL-authenticated features. The certificate manager is used by some Data Feed and Data Source types if they connect securely.

  1. Navigate to Window→Preferences in the menu
  2. Expand the Champion drop down in the preferences
  3. Select Certificate Manager

.crt & .cer

Certificates are most commonly imported into the TrustStore, where the trusted certificates from third parties are needed for two-way SSL handshakes. To import a certificate into the TrustStore:

  1. Click the New button. This will show the form to import the certificate
  2. Click Browse and navigate to the certificate file and select it
  3. Enter the alias you would like to assign
  4. Select the TrustStore option (selected by default)
  5. Click Import then Apply

Tip: Certs are automatically downloaded from the server

If you connect to a secure server via a Data Source or Data Feed and have not yet imported the certificate for that server, the connection will fail, and DarkLight will download the cert file needed from the server. Hover over the "splat" icon to see the filename. The file is saved in your system home directory at ~/champion/server/keystores/new/

Example listing of the server's filesystem for the user "darklight" showing the keystores/new folder.
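
The downloaded file arrives over the same connection that is not yet trusted, so its fingerprint is worth comparing with one obtained out-of-band from the server's administrator before it goes into the TrustStore. The Python script below is an added example, not part of DarkLight: the function names and the `pins` mapping are assumptions, and the sample bytes in the demo are constructed stand-ins rather than a real certificate.

```python
import hashlib
import hmac
import ssl
import tempfile
from pathlib import Path

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"

def load_der(path):
    """Return DER bytes of the first certificate; .crt/.cer may be PEM or binary DER."""
    raw = Path(path).read_bytes()
    if BEGIN not in raw:
        return raw  # no PEM armor, treat the file as binary DER
    start = raw.index(BEGIN)
    end = raw.index(END, start) + len(END)
    return ssl.PEM_cert_to_DER_cert(raw[start:end].decode("ascii"))

def sha256_fingerprint(path):
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(load_der(path)).hexdigest()

def normalize(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject anything that is not 64 hex digits."""
    fp = fp.replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return fp

def review_downloads(new_dir, pins):
    """Map each file in new_dir to 'match', 'MISMATCH' or 'no pin'.
    pins (assumed input): filename -> fingerprint obtained out-of-band."""
    result = {}
    for f in sorted(Path(new_dir).iterdir()):
        if not f.is_file():
            continue
        pin = pins.get(f.name)
        if pin is None:
            result[f.name] = "no pin"
        elif hmac.compare_digest(sha256_fingerprint(f), normalize(pin)):
            result[f.name] = "match"
        else:
            result[f.name] = "MISMATCH"
    return result

if __name__ == "__main__":
    # Constructed demo: stand-in bytes wrapped as PEM; the hash does not parse the DER.
    with tempfile.TemporaryDirectory() as d:
        der = b"constructed stand-in for DER bytes"
        Path(d, "secureco.cer").write_text(ssl.DER_cert_to_PEM_cert(der))
        print(review_downloads(d, {"secureco.cer": hashlib.sha256(der).hexdigest()}))
```

Point `review_downloads` at `~/champion/server/keystores/new/` (expanded to a full path) and import only the files reported as `match`. The value it computes is the same SHA-256 fingerprint that `keytool -printcert -file <cert>` displays, apart from colons and letter case.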

.p12 & .pfx

PKCS12 files must be stored in the KeyStore because they contain the certificate chain and your private key.

  1. Click the New button. This will show the form to import the certificate
  2. Click Browse and navigate to the certificate file and select it
  3. Enter the password that was used when creating the PKCS12 file
  4. Enter an alias you would like to assign
  5. Select the KeyStore radio button
  6. Click Import then Apply

Check for Certs when Moving a Workspace to a New System

If you intend to move a workspace created before version 3.7.2 from one system to another, any certificates you have entered will not work on the new system as they are system-dependent. Certificates before 3.7.2 were stored at the workspace level in <workspace>/config/application/keystores. If you move an entire workspace folder from one system to another, you will need to delete the /keystores folder and reimport the certs on the new system.

Importing and Listing Certificates from the Server Console

If you are in the situation where you need a certificate in order to connect the client to the server (such as with LDAP authentication), you can also import certificates using commands on the DarkLight server OSGI console. (Version 3.6.0 and up)

The command for importing is called jksimport. A help screen for it is available with jkshelp

JKS commands to alter the DL keystores and view their aliases
 jksimport: import a cert or key into respective stores
    -f [path]     The system path to the file to import
    -a [alias]    The alias for the imported item
    -p [password] (optional) The password for the key
   Flags: (Required) Exclusively used (only one)
    -t            (flag) Used if the certificate is to be imported into the truststore
    -k            (flag) Used if the certificate is to be imported into the keystore
    -pkcs         (flag) Used if importing a p12 file
 jkscerts: View the aliases in the truststore
 jkskeys: View the aliases in the keystore
 jksremove [alias]: Remove an alias from the truststore or keystore
   Flags: (Required) Exclusively used (only one)
    -t            Remove the alias from the truststore
    -k            Remove the alias from the keystore
 jkssave: Saves the changes made to the stores
 jkshelp: Print the help message

For example, to import a .cer file that could be used for an LDAP connection into DarkLight's TrustStore, the command would look like this:

osgi> jksimport -f /home/darklight/secureco.cer -a secureco -t

Note that the path to the cert needs to be a fully-qualified path (i.e., no ~/ shortcuts)

A successful import will result in a message like:

 Successfully imported /home/darklight/secureco.cer with alias 'secureco'

You must run the jkssave command for the changes to take effect.

 osgi> jkssave
 JKS changes saved

You may need to restart the server after the import before a client can log in.

DarkLight publishes a Public Key that can be used to authenticate with other systems. (Version 3.6.0 and up)

Set Up the DarkLight Public Key with Kafka

On the DarkLight Server

  1. Exit DarkLight if it is running
  2. (Optional) If you have previously imported a Kafka key into DarkLight:
    1. Navigate to your system's keystore folder ~/champion/server/keystores
    2. Make a backup of the workspace.ks file
    3. Delete workspace.ks
  3. Go to your DarkLight installation and navigate to server/plugins/com.champtc.dl.server.settings_<version>/config/application/certs
  4. Make a copy of champserver_cert

On the Kafka Server

  1. Connect to your Kafka server and go to the location of your keystore
  2. Copy the champserver_cert to that location
  3. Use the java keytool command to copy the cert into your keystore.
    1. keytool -import -file champserver_cert -alias champserver -keystore server.truststore.jks
  4. Restart your Kafka server
    1. /opt/kafka/bin/kafka-server-stop.sh
    2. /opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
  • Last modified: 2019/06/12 23:43