AEM as a Cloud Service Security Considerations security-considerations
AEM Trust Store aem-trust-store
To support asymmetric, cryptographic operations, AEM stores certificates inside the content repository, in a global trust-store. Its contents are public and, by default, are anonymously accessible by everyone on publisher instances.
Characteristics of the Trust Store truststore-characteristics
-
The trust-store is located below
/etc/truststoreand consists of a Java™ keystore file, the keystore password, and repository metadata. Both the password and the keystore are encrypted for technical reasons, even though the contained certificates are accessible to everyone by default through the API -
Out of the box the certificates are used for HTTPS and SAML support only, and the store must be manually created first
-
Customers can use it in their own code through the keystore API
-
The trust-store can be managed through the UI at Tools - Security - Trust Store or by accessing
https://serveraddress:serverport/libs/granite/security/content/truststore.html, as shown below:
-
Access to the trust-store can be further restricted by repository access control depending on the use-case.
jcr:all for everyone.