I have a Java client used to connect to Amazon AWS services (SQS, S3, and SNS). Currently I have to add the root certificates for those Amazon endpoints into the DefaultTrustStore specified in the ISSecurity > Keystore UI. If I define another project-specific truststore alias, how I do ensure the certificate within the newly created truststore alias is used? This is because there is an IS extended setting watt.server.ssl.trustStoreAlias=DefaultTrustStore and I cannot change that.

Hi,

please check the IS Built-In-Services Reference for folder pub.security.

You will find a service setKeyAndChain there, which allows you to specify custom certificates for particular outbound calls.

Just load the specific Keystore and Truststore into the Keystores config as separate stores.

Regards,
Holger

watt.server.ssl.keyStoreAlias and watt.server.ssl.trustStoreAlias are settings to tell IS to use key and truststores configured in the IS admin gui for the JVM as well. This is a replacement for using

javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword

settings for the jvm. You need those settings JMS or any other Java specific connections which use the jvm ssl settings implicetly.
The extended settings should be editable, but only make sense if set to key and truststores configured in IS Admin.

To configure key and truststores go to Security - Keystore. You can configure several key and truststores. This allows for different client or server identitites in IS specific connections like webMethods messaging or server identities on https ports. Details to be found in the IS Admin guide.