Customizing Usage of Truststores
Most of the time you will want to specify a truststore; however, there may be times when you do not want to. For example, you might want to trust all certificate authorities on outbound requests and trust specific CAs on different ports for incoming requests.
For outbound requests, you can specify:
- A truststore in the service making the outbound call, such as the trustStore input parameter in the pub.client:http service.
- A default outbound truststore in the Truststore setting on the Server > Certificates page.
- A global setting to always accept and trust any certificate received during the SSL handshake of an outbound request. The value of the watt.security.cert.wmChainVerifier.trustByDefault server configuration parameter determines whether Integration Server accepts and trusts any certificate it receives during the SSL handshake of an outbound request. When set to true (the default), Integration Server accepts and trusts any certificate it receives. When set to false, Integration Server does not accept any certificate it receives during the SSL handshake of an outbound SSL request.
During the handshake for an outbound SSL request, Integration Server first checks for a truststore set in the service. If one is specified, Integration Server uses that truststore to perform the trust verification. If the service does not supply a truststore, Integration Server uses the value specified under the Truststore setting on the Server > Certificates page to verify trust for the request. However, if the Truststore setting on the Server > Certificates page is blank, Integration Server relies on the value of the watt.security.cert.wmChainVerifier.trustByDefault parameter to determine whether it will accept and trust any certificate it receives during the SSL handshake of an outbound request.
For inbound requests, you can specify a truststore at the Integration Server level (on the Security > Certificates page) or at the port level (on the Edit HTTPS Port Configuration page or the Edit FTPS Port Configuration page). If you omit a truststore from both the Integration Server level and the port level, Integration Server will trust no certificate authorities. If you specify a truststore at the Integration Server level and at the port level, the server uses the truststore specified at the port level for determining trust on connections being made to that port. If you specify a truststore at just the port level, the server uses the port-level setting for requests being made to the port.
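The outbound and inbound precedence rules above can be written down as a small resolver, which is useful for auditing a configuration export for the "accept any certificate" case. This is an added example modelling the documented behaviour, not Integration Server's own code; the truststore aliases and service names are constructed, and only the watt.security.cert.wmChainVerifier.trustByDefault parameter name comes from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Outcomes when no truststore applies, as described above.
TRUST_ALL = "TRUST_ALL"    # outbound: any certificate accepted (trustByDefault=true, no truststore)
REJECT_ALL = "REJECT_ALL"  # outbound: no certificate accepted (trustByDefault=false, no truststore)
TRUST_NONE = "TRUST_NONE"  # inbound: no truststore at server or port level, no CA trusted


@dataclass
class OutboundConfig:
    service_truststore: Optional[str]  # trustStore input of pub.client:http, or None if not set
    server_truststore: Optional[str]   # Truststore setting on Server > Certificates, "" if blank
    trust_by_default: bool             # watt.security.cert.wmChainVerifier.trustByDefault


def resolve_outbound(cfg: OutboundConfig) -> str:
    """Return the truststore alias governing an outbound SSL handshake,
    or TRUST_ALL / REJECT_ALL when neither the service nor the server supplies one."""
    if cfg.service_truststore:          # 1. truststore set in the service wins
        return cfg.service_truststore
    if cfg.server_truststore:           # 2. then the server-wide Truststore setting
        return cfg.server_truststore
    return TRUST_ALL if cfg.trust_by_default else REJECT_ALL   # 3. then trustByDefault


def resolve_inbound(server_truststore: Optional[str], port_truststore: Optional[str]) -> str:
    """Return the truststore alias governing connections to a port,
    or TRUST_NONE when no truststore is configured at either level."""
    if port_truststore:                 # port-level setting overrides the server level
        return port_truststore
    if server_truststore:
        return server_truststore
    return TRUST_NONE


def audit_outbound(services: Dict[str, OutboundConfig]) -> List[str]:
    """Names of services whose outbound handshake would trust any certificate."""
    return [name for name, cfg in services.items() if resolve_outbound(cfg) == TRUST_ALL]


# Constructed sample: a server with a blank Truststore setting and trustByDefault left at true.
SAMPLE_SERVICES = {
    "partner-callout": OutboundConfig("PartnerCATrust", "", True),   # pinned via service input
    "legacy-callout": OutboundConfig(None, "", True),                # falls through to TRUST_ALL
}

if __name__ == "__main__":
    print("services trusting any certificate:", audit_outbound(SAMPLE_SERVICES))
```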