Grid Keystores

The certificates used in the grid are partitioned into several single-usage keystores. It is important to protect the keystore files and the keystore password files by applying proper file permissions. This protection is set up automatically at installation time. For more information, see File Security.

Some grid applications may have their own keystores. Please review the documentation for those applications when necessary.

gridname.ks

The keystore gridname.ks contains the grid root key pair and certificate. This keystore is available only on the first host installed.

The private key in this keystore is used for signing host, client, and SSL certificates used in the grid, as described in the following sections.

Back up this keystore and the password file that belongs to it.

server.ks

The server.ks keystore, found on each host, contains a certificate and the corresponding private key used for internal grid communication. Each host in a grid has its own server.ks. The host certificate in server.ks is signed by the grid root key to enable inter-grid host trust. The server.ks keystore is sometimes referred to as the host keystore.

https.ks

The https.ks keystore, found on each host, contains the SSL certificates used on that host. Each host must have its own https.ks keystore. By default, the certificate in the keystore is signed by the grid root key, but it is possible to create a Certificate Signing Request (CSR), have an external Certificate Authority sign the request, and import the signed certificate into the keystore. For instructions, see Creating certificate signing requests and importing certificates.
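The file protection mentioned at the top of this page can be verified after installation or after restoring a backup. The following is an added example, not part of the product or its documentation: it checks the keystores named above and their password files for group/other access, unexpected ownership, and a replaceable parent directory. The directory argument, the ".password" suffix, and the "owner-only" policy are assumptions; see File Security for the permissions your installation actually requires.

```python
import os
import stat
import sys
from pathlib import Path

# Keystore names come from this page; "gridname.ks" means <grid name>.ks.
# The password-file suffix is an assumption, not a documented name.
KEYSTORES = ("server.ks", "https.ks")


def audit_keystores(directory, grid_name=None, password_suffix=".password",
                    expected_uid=None):
    """Return (path, problem) tuples for keystore and password files."""
    directory = Path(directory)
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    names = list(KEYSTORES)
    if grid_name:  # the root keystore exists only on the first host installed
        names.append(f"{grid_name}.ks")
    names += [n + password_suffix for n in names]
    findings = []
    # A directory writable by others lets them swap a keystore for their own.
    if directory.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((str(directory), "directory writable by group/others"))
    for name in names:
        path = directory / name
        try:
            st = path.lstat()  # lstat: a symlink must not pass as the file
        except FileNotFoundError:
            findings.append((str(path), "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((str(path), "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((str(path), f"owned by uid {st.st_uid}"))
        if st.st_mode & 0o077:  # any group or other permission bit set
            mode = stat.S_IMODE(st.st_mode)
            findings.append((str(path), f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":  # usage: script.py <keystore-dir> [grid-name]
    for path, problem in audit_keystores(sys.argv[1], *sys.argv[2:3]):
        print(f"{path}: {problem}")
```

Run it as the account that owns the grid installation, or pass expected_uid explicitly when auditing from another account.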