From 00d3a7a54cdcf93e39eee5dfa22452ac195b8d55 Mon Sep 17 00:00:00 2001 From: Brant Gurganus Date: Tue, 20 Feb 2024 07:35:39 -0500 Subject: [PATCH] Update SECURITY.md for #513 with some clearer instruction around caveats of including keys and keystores Signed-off-by: Brant Gurganus --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 92260624c..3f3ee5086 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,7 +9,7 @@ If set to true, then the default certificates from the JVM are used in addition ### Providing custom certificates (`20.0.0.3+`) -It is possible to provide custom PEM certificates by mounting the files into the container. Files that will be imported are `tls.key`, `tls.crt` and `ca.crt`. +It is possible to provide custom PEM certificates by mounting the files into the container. Files that will be imported are `tls.key`, `tls.crt` and `ca.crt`. The private key `tls.key` must not be encrypted or container startup will fail. The location can be specified by `TLS_DIR` environment variable. Default location for certificates is `/etc/x509/certs/`. @@ -26,6 +26,8 @@ A custom keystore can be provided during the application image's build phase by You must then override the keystore's password by including your copy of the `keystore.xml` file inside the `/config/configDropins/defaults/` directory. +Adding the key.p12 file and the keystore.xml override must happen after any calls to `features.sh` or `configure.sh` so they take precedence over anything generated by `features.sh` and `configure.sh`. + ## Single Sign-On configuration The following variables configure container security for Single Sign-On using the socialLogin-1.0 feature.
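Review bot: in the first hunk (`SECURITY.md` around line 12), the added sentence "The private key `tls.key` must not be encrypted or container startup will fail." states the constraint but not what the user will observe, so a failed start cannot easily be traced back to this cause; consider naming the symptom (for example, pointing at the log message emitted when the key cannot be read) and saying "passphrase-protected" rather than "encrypted", since that is the property being ruled out for a PEM key file. A short note on what format is accepted instead (an unencrypted PEM private key) would also close the loop for readers who only see the negative statement.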
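Review bot: in the second hunk (`SECURITY.md` around line 29), the new paragraph "Adding the key.p12 file and the keystore.xml override must happen after any calls to `features.sh` or `configure.sh` so they take precedence over anything generated by `features.sh` and `configure.sh`." has two issues. Formatting: `features.sh` and `configure.sh` are in backticks while `key.p12` and `keystore.xml` are not, although the unchanged context two lines above already writes `keystore.xml` in backticks; make the file names consistent. Wording: "they take precedence" is ambiguous (the scripts or the files?), and "must happen after" does not say where this ordering applies; since the surrounding section is about the image's build phase, state it as Dockerfile instruction order, e.g. "The `COPY` instructions for `key.p12` and `keystore.xml` must come after any `RUN` of `features.sh` or `configure.sh`, so that your files overwrite anything those scripts generate."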