AEM as a Cloud Service Security Considerations

AEM Trust Store

To support asymmetric, cryptographic operations, AEM stores certificates inside the content repository, in a global trust-store. Its contents are public and, by default, are anonymously accessible by everyone on publisher instances.

Characteristics of the Trust Store

  • The trust-store is located below /etc/truststore and consists of a Java™ keystore file, the keystore password, and repository metadata. Both the password and the keystore are encrypted for technical reasons, even though the contained certificates are accessible to everyone by default through the API.

  • Out of the box, the certificates are used for HTTPS and SAML support only, and the store must be created manually first.

  • Customers can use it in their own code through the keystore API.

  • The trust-store can be managed through the UI at Tools - Security - Trust Store or by accessing https://serveraddress:serverport/libs/granite/security/content/truststore.html, as shown below:

    [Screenshot: Trust Store Management]

  • Access to the trust-store can be further restricted by repository access control depending on the use-case.

NOTE
Adobe recommends that the default access controls be used for the Trust Store, which means that it remains publicly accessible. For the most secure configuration, you can use a policy of deny jcr:all for everyone.
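As an added example that is not part of the Adobe documentation, the following Java class applies the "deny jcr:all for everyone" policy from the note above to /etc/truststore, checks whether a given (for example, anonymous) session can still read that path, and inventories the trusted certificates through the keystore API. The class and method names here are my own; the KeyStoreService calls are assumed from the com.adobe.granite.keystore API, and on AEM as a Cloud Service the same ACL would normally be shipped as a repoinit script rather than set at runtime.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.jcr.Session;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.sling.api.resource.ResourceResolver;
import com.adobe.granite.keystore.KeyStoreService;

/** Hypothetical helper; not part of AEM or the Adobe documentation. */
public final class TrustStoreHardening {

    /** Repository location of the global trust store, as stated in the documentation. */
    static final String TRUST_STORE_PATH = "/etc/truststore";

    /** Adds "deny jcr:all" for the everyone principal on /etc/truststore. Returns true if an entry was added. */
    public static boolean denyEveryone(Session adminSession) throws Exception {
        boolean changed = AccessControlUtils.addAccessControlEntry(
                adminSession, TRUST_STORE_PATH, EveryonePrincipal.getInstance(),
                new String[] {"jcr:all"}, false /* isAllow=false -> deny */);
        if (changed) {
            adminSession.save();
        }
        return changed;
    }

    /** Check used after hardening: can this session (e.g. an anonymous one) still read the trust store? */
    public static boolean isReadableBy(Session session) throws Exception {
        return session.hasPermission(TRUST_STORE_PATH, Session.ACTION_READ);
    }

    /** Lists "alias subject notAfter" for each X.509 entry via the keystore API (service-user resolver). */
    public static List<String> listTrusted(KeyStoreService keyStoreService, ResourceResolver resolver)
            throws Exception {
        List<String> entries = new ArrayList<>();
        // Assumed API: aemTrustStoreExists / getTrustStore from com.adobe.granite.keystore.KeyStoreService.
        if (!keyStoreService.aemTrustStoreExists(resolver)) {
            return entries; // store must be created manually first (see above)
        }
        KeyStore trustStore = keyStoreService.getTrustStore(resolver);
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                entries.add(alias + " " + x509.getSubjectX500Principal() + " " + x509.getNotAfter());
            }
        }
        return entries;
    }
}
```

Running isReadableBy with an anonymous session before and after denyEveryone shows whether the stricter configuration took effect; listTrusted is a convenient way to spot expiring certificates in the store.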