Configuring Java KeyStore and TrustStore when using an App Server
If you can't or don't want to modify your application server's truststore, or if the truststore is automatically updated in a way that could discard your changes (for example, by auto-upgrades), you can instead use a custom SSLContext and load the certificate file for your application in a way that is fully independent of the server's truststore.

To do so, add code that creates a custom SSLContext object using a separate truststore just for your phiMail application. For sandbox use, that truststore only needs to contain the EMR Direct Test CA certificate. The code below is an example of a custom SSLContext:
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    // Section 1: set up custom keyStore (only needed for a client authentication certificate)
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    char[] myKeyStorePassword = "changeit".toCharArray();
    // try-with-resources closes the stream whether or not load() throws
    try (FileInputStream fis = new FileInputStream("/path/to/myKeyStore.jks")) {
        ks.load(fis, myKeyStorePassword);
    }
    kmf.init(ks, myKeyStorePassword);

    // Section 2: set up custom trustStore
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    char[] myTrustStorePassword = "changeit".toCharArray();
    try (FileInputStream fis = new FileInputStream("/path/to/myTrustStore.jks")) {
        ts.load(fis, myTrustStorePassword);
    }
    tmf.init(ts);

    // Build the SSLContext from the custom key and trust managers.
    // Any exception thrown above is fatal: let it propagate rather than
    // continuing with a half-configured SSLContext.
    SSLContext myCustomSSLContext = SSLContext.getInstance("TLS");
    myCustomSSLContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    // if you are not using a client authentication certificate, comment out
    // the line above and use the following line instead:
    //myCustomSSLContext.init(null, tmf.getTrustManagers(), null);
    PhiMailConnector.setSSLContext(myCustomSSLContext);
The first section, which defines kmf, is only needed for clients using a client authentication certificate. If you are not using this feature, you will not have a keystore file for your phiMail client, so you can comment out Section 1 and set the first parameter in the call to myCustomSSLContext.init(...) to null, as the comments in the example describe.
All clients require Section 2. To connect to the sandbox, the .jks file referenced in Section 2 should contain only the EMR Direct Test CA certificate included in the SDK. You can create the trustStore .jks file using the Java keytool -importcert command. Note that a different trust anchor is used when you connect to the production environment.
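Because the whole point of the separate truststore is that it holds only the intended trust anchor, it is worth checking its contents before handing it to the SSLContext. The following standalone program is an added example, not code from the phiMail SDK; the path, password and the expectation of exactly one certificate entry are assumptions for the sandbox setup described above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Verifies a dedicated truststore holds only the expected trust anchor, then builds an SSLContext from it. */
public class TrustStoreCheck {
    // Assumed values: adjust to your environment (sandbox truststore built with keytool -importcert)
    static final String TRUST_STORE = "/path/to/myTrustStore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream fis = new FileInputStream(TRUST_STORE)) {
            ts.load(fis, PASSWORD);
        }
        int anchors = 0;
        for (String alias : Collections.list(ts.aliases())) {
            // A truststore should contain trusted certificates only, never private keys
            if (ts.isKeyEntry(alias)) {
                throw new IllegalStateException("truststore must not contain a private key entry: " + alias);
            }
            X509Certificate cert = (X509Certificate) ts.getCertificate(alias);
            cert.checkValidity(); // throws if the anchor is expired or not yet valid
            System.out.printf("%s: %s (expires %s) SHA-256 %s%n",
                    alias, cert.getSubjectX500Principal(), cert.getNotAfter(), fingerprint(cert));
            anchors++;
        }
        // Sandbox expectation: exactly the EMR Direct Test CA, nothing else (e.g. not a copied cacerts)
        if (anchors != 1) {
            throw new IllegalStateException("expected exactly one trust anchor, found " + anchors);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate in this check
        System.out.println("SSLContext initialised with " + anchors + " trust anchor");
    }

    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Compare the printed subject and fingerprint against the Test CA certificate shipped in the SDK; for production, expect the different trust anchor mentioned above instead.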
You can evaluate this code and adapt it to replace the two calls to System.setProperty(...) found in the example code in the SDK. The SSLContext only needs to be set once, during initialization.