Hitachi

uCosminexus Application Server Security Management Guide


8.4.3 Configuring a trust store

When you access the load balancer directly through its API, communication uses HTTP or HTTPS. HTTPS communication requires a trust store that contains a trusted certificate. If you use HTTPS, specify or omit https in one of the following properties files.

For controlling the load balancer with Management Server:
  • lb.API.protocol.load-balancer-management-IP-address in lb.properties

For controlling the load balancer with Virtual Server Manager:
  • lb.API.protocol in LB-connection-distinguished-name.properties
  • lb.API.protocol in tierlb.properties

Before communicating via HTTPS, follow the steps below to configure the trust store.

  1. Obtain an SSL server certificate from the load balancer.

    For details about how to obtain an SSL certificate, see the load balancer documentation.

  2. Execute JDK's keytool command on the host that provides the operation management functionality. This registers the SSL server certificate obtained in step 1 in the trust store.

    Below is an example of executing JDK's keytool command.

    Cosminexus-installation-directory/jdk/bin/keytool -import -file loadbalancer.cer -alias loadbalancer -keystore C:\work\loadbalancer.keystore -storepass keystore_pass

    For details about this command, see the JDK documentation.

    Important note

    If you register the certificate in a trust store other than the JDK default (cacerts), use the javax.net.ssl.trustStore parameter in lb.properties to specify the SSL server certificate's absolute path. If you register the certificate in the default trust store (cacerts), the absolute path does not need to be specified.

    For BIG-IP, the default trust store (cacerts) must always be used.

    The JDK default trust store (cacerts) is located under Cosminexus-installation-directory/jdk/jre/lib/security. The initial password is changeit.
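
Any certificate registered in the trust store is accepted for the HTTPS connection to the load balancer, so after step 2 it is worth confirming that the alias holds the certificate you intended. The following is an added example, not code from this guide or from Hitachi: the class name VerifyTrustStoreEntry is hypothetical, and it assumes you have read the expected SHA-256 fingerprint from the load balancer's own administration interface.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name): checks a trust store entry after the keytool import.
// Usage: java VerifyTrustStoreEntry <truststore-path> <alias> <expected-sha256-fingerprint>
public class VerifyTrustStoreEntry {
    // Upper-case hex without separators.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (interactive): VerifyTrustStoreEntry <truststore> <alias> <sha256>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in shell history or the process list.
        char[] pass = console.readPassword("Trust store password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass); // throws if the password is wrong or the file was altered
        }
        // keytool -import of a certificate creates a trusted certificate entry.
        if (!ks.isCertificateEntry(args[1])) {
            System.err.println("FAIL: no trusted certificate entry for alias " + args[1]);
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        String actual = hex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        // Accept fingerprints written as "AB:CD:..." or "ab cd ..." by stripping non-hex characters.
        String expected = args[2].replaceAll("[^0-9A-Fa-f]", "").toUpperCase();
        if (!actual.equals(expected)) {
            System.err.println("FAIL: fingerprint mismatch, trust store entry is " + actual);
            System.exit(1);
        }
        System.out.println("OK: " + cert.getSubjectX500Principal().getName()
                + ", valid until " + cert.getNotAfter());
    }
}
```

Run it with the JDK that ships with the product so that the same default keystore type is used as for the import.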