Domain KeyStore (DKS) is a keystore of keystores: it presents a collection of keystores as a single logical keystore and is not itself a keystore that holds entries of its own. This keystore type was introduced in Java 8, together with the closely related class DomainLoadStoreParameter.
To combine different keystores into the single logical keystore, a configuration is needed. The configuration format for grouping keystores is:
domain <domainName> [<property> ...] {
    keystore <keystoreName> [<property> ...];
    ...
};
Below is a sample configuration defining one domain.
domain app1 {
    keystore app1-truststore
        keystoreURI="file:///app1/etc/truststore.jks";
    keystore system-truststore
        keystoreURI="${java.home}/lib/security/cacerts";
    keystore app1-keystore
        keystoreType="PKCS12"
        keystoreURI="file:///app1/etc/keystore.p12";
};
This configuration defines a domain named app1 containing three keystores. Each contained keystore is given a keystoreName (app1-truststore, system-truststore, app1-keystore); note that the keystoreName should be unique for each entry.
Following the keystoreName is a set of properties for that keystore. These properties include keystoreURI, keystoreType, keystoreProviderName, keystorePasswordEnv, and entryNameSeparator. The property names are self-explanatory.
When loading a DKS keystore, a DomainLoadStoreParameter object is constructed and passed to KeyStore.load(). Below is a sample code snippet for loading a DKS keystore.
import java.net.URI;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

// Password for each member keystore, keyed by the keystoreName used in the configuration
Map<String, KeyStore.ProtectionParameter> PASSWORDS =
        new HashMap<String, KeyStore.ProtectionParameter>() {{
    put("keystore", new KeyStore.PasswordProtection("test123".toCharArray()));
    put("policy_keystore", new KeyStore.PasswordProtection("Alias.password".toCharArray()));
    put("pw_keystore", new KeyStore.PasswordProtection("test12".toCharArray()));
    put("eckeystore1", new KeyStore.PasswordProtection("password".toCharArray()));
    put("eckeystore2", new KeyStore.PasswordProtection("password".toCharArray()));
    put("truststore", new KeyStore.PasswordProtection("changeit".toCharArray()));
    put("empty", new KeyStore.PasswordProtection("passphrase".toCharArray()));
}};

// CONFIG is the URI of the domain configuration file (defined elsewhere);
// the "#system" fragment names the domain to load from that file
URI config = new URI(CONFIG + "#system");
KeyStore keystore = KeyStore.getInstance("DKS");
keystore.load(new DomainLoadStoreParameter(config, PASSWORDS));
Here config is the URI of the DKS configuration file, whose fragment (#system) names the domain to load, and PASSWORDS is the map that holds the password for each keystore (by keystoreName) defined in that configuration file.
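The whole procedure end to end, as an added example that is not code from the original post: it writes two small PKCS12 member keystores and a domain configuration to a temporary directory, loads them through DKS with a password map keyed by keystoreName, and reads an entry back through the domain keystore. The domain name "demo", the keystore names "app" and "trust", the aliases and the passwords are all constructed for this example.

```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

public class DksDemo {
    // Writes a PKCS12 keystore holding one AES secret-key entry (constructed sample data).
    static Path writeMemberKeyStore(Path file, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                          // start from an empty keystore
        byte[] demoKey = new byte[16];                // all-zero demo key, only for this example
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(demoKey, "AES")),
                new KeyStore.PasswordProtection(password));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, password); }
        return file;
    }
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("dks-demo");
        char[] appPw = "app-secret".toCharArray();    // constructed sample passwords
        char[] trustPw = "trust-secret".toCharArray();
        Path appKs = writeMemberKeyStore(dir.resolve("app.p12"), "signing-key", appPw);
        Path trustKs = writeMemberKeyStore(dir.resolve("trust.p12"), "hmac-key", trustPw);
        // Domain configuration in the format shown above; the domain is named "demo".
        String config = "domain demo {\n"
                + "  keystore app keystoreType=\"PKCS12\" keystoreURI=\"" + appKs.toUri() + "\";\n"
                + "  keystore trust keystoreType=\"PKCS12\" keystoreURI=\"" + trustKs.toUri() + "\";\n"
                + "};\n";
        Path cfg = Files.write(dir.resolve("dks.cfg"), config.getBytes(StandardCharsets.UTF_8));
        // Map keys must match the keystoreName values in the configuration exactly.
        Map<String, KeyStore.ProtectionParameter> passwords = new HashMap<>();
        passwords.put("app", new KeyStore.PasswordProtection(appPw));
        passwords.put("trust", new KeyStore.PasswordProtection(trustPw));
        // The URI fragment ("#demo") selects which domain in the file to load.
        KeyStore dks = KeyStore.getInstance("DKS");
        dks.load(new DomainLoadStoreParameter(new URI(cfg.toUri() + "#demo"), passwords));
        // Member entries appear as "<keystoreName><entryNameSeparator><alias>"; the default separator is a space.
        System.out.println("entries in domain: " + dks.size());
        System.out.println("aliases: " + Collections.list(dks.aliases()));
        // Reading an entry uses the prefixed alias and that member keystore's own password.
        System.out.println("algorithm: " + dks.getKey("app signing-key", appPw).getAlgorithm());
    }
}
```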
DKS can also load from an InputStream; in that case the stream must contain a single keystore of type JKS or KeyStore.getDefaultType(). For example, the code snippet below loads a JKS keystore through DKS.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

char[] PASSWORD = <PASSWORD>;   // placeholder: the password of keystore.jks
KeyStore keyStore = KeyStore.getInstance("DKS");
try (InputStream in = new FileInputStream("keystore.jks")) {
    keyStore.load(in, PASSWORD);
}
Once the keystore is loaded, the other keystore operations are the same as for other keystore types such as JKS. For operations that create keys and certificates, please read Different types of keystore in Java -- JKS.