Add certificates to keystore for Jitterbit private agents
Introduction
Note
For authentication with HTTPS sources/targets, SOAP web services, or SFTP, instead refer to these topics:
- HTTPS / web services: It is recommended to add SSL client certificates through the Management Console via the Customizations > Client Certificates page.
- SFTP: For instructions on converting keys to the proper format and configuring the private agent, see Connect to SFTP with SSH keys.
Jitterbit uses standard HTTPS to communicate securely over the Internet. Jitterbit applications that are installed locally – including private agents, Design Studio, and Data Loader – include a trusted keystore containing all of the certificates that are needed to communicate securely.
You may need to add a new certificate to the Jitterbit Java keystore if, for example, you are using a proxy server and need to allow the Jitterbit local client to communicate securely through the proxy server.
This page contains generic instructions for manually adding certificates to the Jitterbit Java keystore.
Java KeyStore (JKS)
You must be in Administrator mode in order to run Java Keytool commands. Any of the Java Keytool commands presented in this document may be used by substituting the home directory for the product you are working with:
- Private agent (Windows):
C:\Program Files (x86)\Jitterbit Agent\
- Private agent (Linux):
/opt/jitterbit/
- Design Studio (Windows):
C:\Program Files\Jitterbit Studio x.xx\
- Data Loader (Windows):
C:\Program Files (x86)\Jitterbit Cloud Data Loader\
Jitterbit local applications use the standard Java KeyStore (JKS) repository bundled with Java as the repository of all certificates. The keystore is named "cacerts" and is located in these directories:
<Jitterbit Agent Home>/jre/lib/security/cacerts
<Jitterbit Studio Home>/jre/lib/security/cacerts
<Jitterbit Cloud Data Loader Home>/jre/lib/security/cacerts
Certificates must be installed into the \jre\lib\security folder included in the Jitterbit product installation.
Change default password
The default password for the Jitterbit Java keystore is the default password for any JKS, which is "changeit". It is recommended that you change the password using this command:
- Windows:
<Jitterbit Agent Home>\jre\bin\keytool -storepasswd -new <new_storepass> -keystore <Jitterbit Agent Home>\jre\lib\security\cacerts
- Linux:
<Jitterbit Agent Home>/jre/bin/keytool -storepasswd -new <new_storepass> -keystore <Jitterbit Agent Home>/jre/lib/security/cacerts
Get list of certificates
To list all of the certificates in the Jitterbit Java keystore, use this command:
- Windows:
<Jitterbit Agent Home>\jre\bin\keytool -list -keystore <Jitterbit Agent Home>\jre\lib\security\cacerts
- Linux:
<Jitterbit Agent Home>/jre/bin/keytool -list -keystore <Jitterbit Agent Home>/jre/lib/security/cacerts
Add a new certificate
To add a new certificate to the Jitterbit Java keystore, use this command:
- Windows:
<Jitterbit Agent Home>\jre\bin\keytool -importcert -trustcacerts -alias <alias> -file <certfile> -keystore <Jitterbit Agent Home>\jre\lib\security\cacerts
- Linux:
<Jitterbit Agent Home>/jre/bin/keytool -importcert -trustcacerts -alias <alias> -file <certfile> -keystore <Jitterbit Agent Home>/jre/lib/security/cacerts
Manage certificates
Upgrade or reinstall Jitterbit
You must install the certificate(s) in the \jre\lib\security folder that Jitterbit ships with the product each time you upgrade or reinstall private agent(s), Design Studio, or Data Loader.
Renew or replace certificates
Each time you change the certificate(s) that are used, it will be necessary to get the new certificate(s) from your network administrator or third-party vendor and install them in the \jre\lib\security folder that Jitterbit ships with the product.
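Because the keystore has to be repopulated after every upgrade, reinstall, or certificate renewal, it helps to confirm from the `keytool -list` output that the expected certificate is actually present. The following is an added example, not part of Jitterbit's tooling: a POSIX shell check that reports whether an alias is missing or holds a certificate with a different fingerprint than the one you were given. The alias names, fingerprints, and sample listing are constructed, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example: check `keytool -list` output against a pinned alias/fingerprint.
# Assumes English keytool output and aliases that contain no comma.
# Constructed fingerprints (not real certificates).
PROXY_CA_FP="AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
OTHER_FP="01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"

# Constructed sample of what `keytool -list` prints for a two-entry keystore.
sample_listing() {
    cat <<EOF
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-proxy-ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): $PROXY_CA_FP
examplerootca, Mar 12, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): $OTHER_FP
EOF
}

# keystore_fingerprint ALIAS: read a listing on stdin and print the fingerprint
# stored under ALIAS (keytool lower-cases JKS aliases, so compare case-insensitively).
keystore_fingerprint() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /, *(trustedCertEntry|PrivateKeyEntry)/ {
            current = $0; sub(/,.*/, "", current); current = tolower(current); next
        }
        /^Certificate fingerprint/ && current == want {
            fp = $0; sub(/^[^:]*: */, "", fp); print toupper(fp); exit
        }'
}

# check_pin ALIAS EXPECTED_FP: 0 = alias present with the expected certificate,
# 1 = alias missing (for example after an upgrade replaced cacerts),
# 2 = alias present but holding a different certificate.
check_pin() {
    found=$(keystore_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ -z "$found" ]; then echo "MISSING  $1" >&2; return 1; fi
    if [ "$found" != "$expected" ]; then echo "MISMATCH $1" >&2; return 2; fi
    echo "OK       $1"
}

# On a Linux private agent (keytool prompts for the keystore password):
#   /opt/jitterbit/jre/bin/keytool -list -keystore /opt/jitterbit/jre/lib/security/cacerts \
#       | check_pin corp-proxy-ca "<fingerprint from your network administrator>"
```

A non-zero exit status makes the check usable as a post-upgrade step in a deployment script.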
Troubleshoot certificate issues
Additional steps to troubleshoot certificate issues are available at Check for valid SSL certificate or proxy filter setting error message.
Additional KeyTool command resources are available:
- https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
- https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
Configure a private agent to not accept all certificates by default
When installing a private agent, all certificates are accepted by default. If you do not want to accept all certificates by default, these steps are recommended before deploying an agent to production:
- Add the list of certificates originating from the proxy server using the Add a new certificate command above.
- Configure the private agent to validate against the list of certificates in its keystore using this command:
Windows: JitterbitUtils --verify-proxy-cert
Linux: /opt/jitterbit/bin/jitterbit-utils --verify-proxy-cert