Prepare your application server
The PKI connector sample implementation uses an Apache Tomcat application server, but any application server can be used with a PKI connector. It is a best practice to deploy the application server on a different computer than the one that hosts BlackBerry UEM.
- Use the Java keytool to create a Keystore to store client certificates and a TrustStore to store certificates from trusted servers (such as Entrust). For instructions, see Generating a Keystore and TrustStore.
- Get a copy of the Entrust server public certificate.
- Open a command window.
- Run the following command:
  cd <unzipped path>/gd-ca-adapters/src/main/java/com/good/adapters/entrust/util
- Go to the target/classes folder and run the following command:
  java com.good.adapters.entrust.util.GenerateSSLCertificateForEntrustCA ENTRUST_HOSTNAME <password>
- In the list of certificates to trust, select the root certificate.
- Copy the resulting jssecacerts file to the following Java installation directory: $JAVA_HOME/jre/lib/security.
- Edit the Tomcat server.xml file ($TOMCAT_DIR/conf/server.xml) to specify the port that the PKI connector listens on and the paths to the KeyStore and TrustStore. See the following example (change the port, KeyStore, and TrustStore values as necessary):
  <Connector port="8090" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  <Connector protocol="HTTP/1.1" port="8443" maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/c:/newcerts/foobar.jks" keystorePass="foobarpwd"
             truststoreFile="/c:/newcerts/cacerts.jks" truststorePass="cacertspassword"
             clientAuth="true" sslProtocol="TLS"/>
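
One way to check the finished server.xml against the settings in the last step, as an added example that is not part of the BlackBerry sample code: the script parses the Connector elements and reports TLS connectors that do not require client certificates, lack a KeyStore or TrustStore path, or still carry the sample passwords from the example above. The function name audit_connectors and the 9443 connector in the embedded sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sample values printed in the page's example; they must be replaced before deployment.
SAMPLE_PASSWORDS = {"foobarpwd", "cacertspassword"}

# Constructed server.xml fragment for the demo (the 9443 connector is deliberately weak).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector protocol="HTTP/1.1" port="8443" maxThreads="200" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="/c:/newcerts/foobar.jks" keystorePass="foobarpwd"
               truststoreFile="/c:/newcerts/cacerts.jks" truststorePass="cacertspassword"
               clientAuth="true" sslProtocol="TLS"/>
    <Connector protocol="HTTP/1.1" port="9443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/opt/certs/connector.jks" keystorePass="Xk2-constructed"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Return a list of (port, finding) tuples for the connectors in server.xml text."""
    findings = []
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "").lower() == "true"}
    for c in connectors:
        port = c.get("port", "?")
        if c.get("SSLEnabled", "").lower() != "true":
            # Plain HTTP connector: its redirectPort should point at a TLS connector.
            if c.get("redirectPort") not in tls_ports:
                findings.append((port, "redirectPort does not match a TLS connector"))
            continue
        if c.get("clientAuth", "false").lower() != "true":
            findings.append((port, "clientAuth is not true: client certificates not required"))
        for attr in ("keystoreFile", "truststoreFile"):
            if not c.get(attr):
                findings.append((port, f"{attr} is not set"))
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr) in SAMPLE_PASSWORDS:
                findings.append((port, f"{attr} still uses the documentation sample value"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```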