Last activity: 19 Jan 2024 11:07 EST
Configuring PEGA PDC using a custom keystore
We are configuring the PDC in our applications, but for security reasons our application does not use the default Java keystore (/home/tomcat/jdk/jre/lib/security/); instead we use a JKS provided by the security team that contains all of our organization's certificates.
We understand that in order to configure the PDC we need to install the certificate, but we cannot import the certificate into our organization's JKS because it is shared with other applications throughout the company,
so we created a custom JKS and imported the PDC certificate into it.
We have tried these steps:
We began by attempting to include the new JKS in the web.xml file for ports 443 and 8843. However, upon starting the environment, we encountered the same certificate errors in the PDC services.
The second attempt involved introducing the JVM variable (-Djavax.net.ssl.trustStore) in the setenv file, referencing the new JKS we created. However, the error persisted.
In the third attempt we pointed the -Djavax.net.ssl.trustStore variable to /home/tomcat/jdk/jre/lib/security/cacerts, and with that we achieved success.
We need to know whether the use of /cacerts is mandatory in order to use the PDC.
Image of third attempt:
***Edited by Moderator Marije to add Support Case INC-B466 ; update capability tags***
@GabrielE9965 I can see that you logged a support incident at the same time you logged the original question: INC-B466
It sounds like GCS helped resolve your issue.
Explanation provided by GCS:
----------------------------
cacerts is a truststore, which is used for authentication of other peers. A JKS is just a keystore that is used for your own certificates.
Since you are connecting to the cloud-hosted PDC, cacerts is mandatory for the PDC to work.
Your setup works when you have the certificate in the Java cacerts but does not work when using the separate JKS.
So we recommend using the successfully working scenario.
---------------------------
Yesterday in the ticket you confirmed that you found the solution to this scenario in the existing Pega Cloud security and data protection documentation:
Data-in-transit encryption
When you are using a custom trust store, you have to add the Amazon Trust Services certificates to ensure connectivity to Pega Cloud, in this case to the PDC.
I will mark Accept Solution on this explanation as per the support ticket.
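The thread above leaves two practical points implicit. First, `-Djavax.net.ssl.trustStore` does not add to the JDK's `cacerts`; it replaces it as the trust anchor set for every outbound TLS client in that JVM, so a custom truststore that holds only the organization's certificates plus the PDC leaf has no Amazon Trust Services root to validate the cloud-hosted PDC's chain against. Second, keystore and truststore attributes on the Tomcat connectors for 443/8443 govern the inbound listeners only and never affect outbound calls, which is why the first attempt could not work. The script below is an added example, not code from the original post or from Pega: it builds a dedicated truststore for the PDC connection by copying the JDK's `cacerts` (which already carries the Amazon roots) and the organization's shared JKS into a new file, checks that at least one Amazon Root CA is present, and prints the `JAVA_OPTS` line for `setenv.sh`. Every path, password variable and default value is an assumption; the only real defaults relied on are the JDK's `cacerts` password (`changeit`) and the `keytool` options used.

```shell
#!/bin/sh
# Added example, not from the original post or from Pega. Builds a dedicated
# truststore for the PDC connection instead of editing the organization's
# shared JKS or pointing the JVM at the bare JDK cacerts.
# ASSUMED paths and variables (override via environment):
JAVA_HOME="${JAVA_HOME:-/home/tomcat/jdk}"                                  # assumed
ORG_JKS="${ORG_JKS:-/opt/security/org-truststore.jks}"                      # assumed: security team's JKS
ORG_JKS_PASS="${ORG_JKS_PASS:-changeit}"                                    # assumed
PDC_TRUSTSTORE="${PDC_TRUSTSTORE:-/home/tomcat/conf/pdc-truststore.jks}"    # assumed: new dedicated store
PDC_TRUSTSTORE_PASS="${PDC_TRUSTSTORE_PASS:-changeit}"                      # assumed
JDK_CACERTS_PASS="${JDK_CACERTS_PASS:-changeit}"                            # JDK default password

# Locate cacerts: JDK 8 keeps it under jre/lib, JDK 11+ under lib.
JDK_CACERTS="$JAVA_HOME/jre/lib/security/cacerts"
[ -r "$JDK_CACERTS" ] || JDK_CACERTS="$JAVA_HOME/lib/security/cacerts"

# JVM flags for setenv.sh. Setting javax.net.ssl.trustStore REPLACES cacerts
# for every TLS client in the JVM, so the file named here must contain every
# root the JVM needs to trust, including the Amazon Trust Services roots.
pdc_java_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=JKS' "$1" "$2"
}

# The exact line to append to setenv.sh (keeps any JAVA_OPTS already set).
setenv_line() {
  printf 'export JAVA_OPTS="$JAVA_OPTS %s"' "$(pdc_java_opts "$1" "$2")"
}

# Count Amazon Root CA entries by subject rather than by alias: alias names
# differ between JDK builds (e.g. "amazonrootca1 [jdk]"), subjects do not.
count_amazon_roots() {
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -c 'Owner: CN=Amazon Root CA' || true
}

# Merge cacerts and the organization's JKS into a fresh truststore. The
# shared JKS is only read, never modified, so other applications are unaffected.
build_pdc_truststore() {
  rm -f "$PDC_TRUSTSTORE"
  keytool -importkeystore -noprompt \
    -srckeystore "$JDK_CACERTS" -srcstorepass "$JDK_CACERTS_PASS" \
    -destkeystore "$PDC_TRUSTSTORE" -deststorepass "$PDC_TRUSTSTORE_PASS" \
    -deststoretype JKS
  keytool -importkeystore -noprompt \
    -srckeystore "$ORG_JKS" -srcstorepass "$ORG_JKS_PASS" \
    -destkeystore "$PDC_TRUSTSTORE" -deststorepass "$PDC_TRUSTSTORE_PASS"
}

# Only run the build where a JDK and the organization's JKS actually exist;
# otherwise just leave the helper functions defined.
if command -v keytool >/dev/null 2>&1 && [ -r "$ORG_JKS" ] && [ -r "$JDK_CACERTS" ]; then
  build_pdc_truststore
  roots="$(count_amazon_roots "$PDC_TRUSTSTORE" "$PDC_TRUSTSTORE_PASS")"
  if [ "$roots" -eq 0 ]; then
    echo "ERROR: no Amazon Root CA in $PDC_TRUSTSTORE; the PDC TLS handshake will fail" >&2
    exit 1
  fi
  echo "Built $PDC_TRUSTSTORE with $roots Amazon root(s). Add to setenv.sh:"
  setenv_line "$PDC_TRUSTSTORE" "$PDC_TRUSTSTORE_PASS"; echo
else
  echo "keytool, $JDK_CACERTS or $ORG_JKS not available; nothing built" >&2
fi
```

The truststore password in `JAVA_OPTS` is visible in process listings; that is acceptable only because a truststore password protects the store's integrity, not any secret, and the store holds public certificates. Re-run `count_amazon_roots` after each JDK upgrade, since the copied roots do not track later `cacerts` updates.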