HTTPS identities

HTTPS identities provide a means to use the same HTTPS keystore and truststore for routers that are scaled out to several hosts, as well as a means to use different HTTPS keystores and truststores for routers on the same host.

An HTTPS identity consists of an identifier (a name), a keystore and a truststore. HTTPS identities are stored in the grid database so that all hosts can use them. Creating a new HTTPS identity does not automatically link it to any router; that link is configured separately.

Any router may be configured to use any HTTPS identity. Routers that are scaled out to multiple hosts will use the same identity on all hosts, as long as one has been explicitly configured. Host routers on different hosts are not considered instances of the same router.

The host default HTTPS identity

Each host generates a new host default HTTPS identity when it is first installed (on upgrade from an older grid version, the default identity is based on the existing https.ks and https.ts files). Unless otherwise configured, routers on a host use the host default HTTPS identity.

When a router node starts up it loads the keystore and truststore from its HTTPS identity configuration. Routers with no HTTPS identity configuration fall back to the host default identity. Therefore, it is important never to delete a host default HTTPS identity. This also means that a multi-host router without a specific HTTPS identity configuration uses a different HTTPS certificate on each host, since it falls back to the respective host default identities. This may cause unwanted behavior if there is a load balancer in front of the grid, because clients see a different certificate depending on which host the load balancer selects. In order to share one identity over multiple hosts, create a dedicated HTTPS identity and configure the router to use it.
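One way to detect the situation described above (a scaled-out router that still presents a different certificate on every host) is to connect to each host directly and compare the certificate fingerprints. This is an added example, not part of the product documentation; the host names and port in `check_hosts` are constructed placeholders.

```python
"""Compare the HTTPS certificates presented by several hosts of one router.

If the hosts fall back to their individual host default HTTPS identities,
each host presents a different certificate and the fingerprints differ.
"""
import hashlib
import socket
import ssl
from typing import Dict, List


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS-connect to host:port and fingerprint the leaf certificate it presents.

    Chain verification is disabled on purpose: the goal is to see which
    identity each host uses, not to decide whether to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def group_by_fingerprint(fps: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each distinct fingerprint to the sorted list of hosts presenting it."""
    groups: Dict[str, List[str]] = {}
    for host, fp in sorted(fps.items()):
        groups.setdefault(fp, []).append(host)
    return groups


def identities_consistent(fps: Dict[str, str]) -> bool:
    """True when every host presents the same certificate (one shared identity)."""
    return len(group_by_fingerprint(fps)) <= 1


def check_hosts(hosts: List[str], port: int = 443) -> Dict[str, List[str]]:
    """Fetch and group fingerprints for the given hosts (placeholders, constructed)."""
    return group_by_fingerprint({h: fetch_fingerprint(h, port) for h in hosts})


if __name__ == "__main__":
    for fp, hosts in check_hosts(["router-host-1.example", "router-host-2.example"]).items():
        print(fp, "->", ", ".join(hosts))
```

More than one group in the output means the hosts are not sharing an HTTPS identity and a dedicated identity should be configured for the router.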

It is possible to create a new HTTPS identity either by having the grid generate an SSL certificate for it or by importing a PKCS#12 keystore that contains the private key and its certificate.