Overview:
Our recommended deployment option for IQ HA is our Helm chart. When deploying in environments where SSL certificates are signed by a local CA, outbound connections may fail with a PKIX error, as explained in the "How to configure the IQ Server to trust an LDAP Server SSL certificate" KB. The recommended solution is to use a custom truststore that contains the local CA certificates.
Use the steps below to create a custom truststore and configure the Helm deployment to use it.
Updating IQHA deployment with custom truststore
1. Get the current deployment details.
$ kubectl get pods -n iqha
NAME READY STATUS RESTARTS AGE
iqha1-iq-server-deployment-5f9c86b687-r24l2 1/1 Running 2 (8m14s ago) 8m19s
2. Copy the default Java cacerts file from the running IQ Pod to the local filesystem.
$ mkdir iqha-truststore
$ cd iqha-truststore
$ kubectl cp -n iqha iqha1-iq-server-deployment-5f9c86b687-r24l2:/opt/sonatype/nexus-iq-server/lib/security/cacerts nexus-iq-server-outbound.jks
Defaulted container "iqha1-iq-server-container" out of: iqha1-iq-server-container, iqha1-set-iq-persistence-ownership (init)
tar: Removing leading `/' from member names
$ ls -l nexus-iq-server-outbound.jks
-rw-rw-r-- 1 srini srini 172306 Oct 17 16:16 nexus-iq-server-outbound.jks
3. Obtain the local CA certificates from the LDAPS server.
$ echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldaps.pem
Note that -showcerts prints the whole chain the server sends and the sed filter keeps every certificate in it, while keytool imports only the first certificate of a multi-certificate PEM file. Check the file (openssl x509 -in ldaps.pem -noout -subject -issuer) and make sure what you import is the CA certificate (subject equals issuer for a root; usually the last certificate in the chain) rather than only the server's own certificate, which rotates.
If your firewall re-writes SSL certificates for all remote servers, obtain the firewall's CA certificate as well.
$ echo -n | openssl s_client -showcerts -connect clm.sonatype.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clm-fw.pem
4. Import the local CA certificates into the copied truststore file.
$ keytool -importcert -file ldaps.pem -alias nexus-iq-server-ldaps-cert -trustcacerts -keystore nexus-iq-server-outbound.jks -storepass changeit
# If applicable. Each certificate needs its own alias; keytool refuses to import a second certificate under an alias that already exists in the keystore.
$ keytool -importcert -file clm-fw.pem -alias nexus-iq-server-fw-cert -trustcacerts -keystore nexus-iq-server-outbound.jks -storepass changeit
Use the same method to import any other local CA or intermediate CA certificate.
5. Copy the updated truststore to the IQ HA persistent storage (the /sonatype-work directory).
$ kubectl cp -n iqha nexus-iq-server-outbound.jks iqha1-iq-server-deployment-5f9c86b687-r24l2:/sonatype-work/nexus-iq-server-outbound.jks
Defaulted container "iqha1-iq-server-container" out of: iqha1-iq-server-container, iqha1-set-iq-persistence-ownership (init)
6. Update the deployment to use the custom truststore by adding the entry below to the values.yaml file
(modify the same values.yaml file used for deploying IQ HA).
$ head -3 values.yaml
iq_server:
licenseSecret: nx-license-file.lic
javaOpts: "-Djavax.net.ssl.trustStore=/sonatype-work/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit"
Stop all the IQ HA Pods.
$ kubectl scale --replicas=0 -n iqha deployment/iqha1-iq-server-deployment
deployment.apps/iqha1-iq-server-deployment scaled
Update the Helm deployment with the modified values.yaml file.
$ helm upgrade iqha1 -f values.yaml -n iqha sonatype/nexus-iq-server-ha
Release "iqha1" has been upgraded. Happy Helming!
NAME: iqha1
LAST DEPLOYED: Fri Oct 17 16:26:14 2025
NAMESPACE: iqha
STATUS: deployed
REVISION: 2
TEST SUITE: None
$ helm history iqha1 -n iqha
REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION
1 Fri Oct 17 15:53:35 2025 superseded nexus-iq-server-ha-195.0.0 1.195.0 Install complete
2 Fri Oct 17 16:26:14 2025 deployed nexus-iq-server-ha-195.0.0 1.195.0 Upgrade complete
7. Once the Pods have started, check that the Java options of the IQ HA deployment include the truststore options.
$ kubectl get pods -n iqha
NAME READY STATUS RESTARTS AGE
iqha1-iq-server-deployment-7868569947-7r967 1/1 Running 0 74s
# Confirm that Java command is running with -Djavax.net.ssl.trustStore option.
$ kubectl exec -it iqha1-iq-server-deployment-7868569947-7r967 -n iqha -- ps auxww
Defaulted container "iqha1-iq-server-container" out of: iqha1-iq-server-container, iqha1-set-iq-persistence-ownership (init)
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
nexus 1 0.0 0.0 3808 2676 ? Ss 05:33 0:00 sh ./start.sh
nexus 13 35.2 2.9 9014940 484300 ? Sl 05:33 0:16 /opt/sonatype/nexus-iq-server/bin/java -Djavax.net.ssl.trustStore=/sonatype-work/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xerces.internal.jaxp.datatype=ALL-UNNAMED -classpath /opt/sonatype/nexus-iq-server/jars/* com.sonatype.insight.brain.service.InsightBrainService server /etc/nexus-iq-server/config.yml
nexus 127 0.0 0.0 6836 2736 pts/0 Rs+ 05:34 0:00 ps auxww
8. Log in to the IQ HA UI and continue configuring the LDAPS server. Also check that the IQ Server can connect to servers secured with locally signed SSL certificates.
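Steps 3 and 4 above capture the server's whole certificate chain and import it by hand. The script below is an added example, not part of the Sonatype KB or product, that automates the part that is easy to get wrong: it splits a chain file into single certificates (keytool reads only the first one in a multi-certificate PEM file), keeps only the CA certificates, verifies with openssl that the server's leaf certificate really chains to them, and imports each one under its own alias when keytool is on the PATH. The CA and server certificate it operates on are constructed test data generated with openssl so the script runs offline; the subjects, hostnames and aliases (Example Local CA, ldaphost, local-ca-N) are assumptions, and in real use you would feed it the ldaps.pem captured in step 3.

```shell
#!/bin/sh
# Added example, not from the Sonatype KB: split a captured certificate chain into
# single certificates, keep only the CA certificates, check the leaf chains to them,
# and import each one under its own alias. The CA and server certificate below are
# constructed test data generated with openssl so the script runs offline.
set -eu

WORK=$(mktemp -d)

# make_test_chain: hypothetical CA "Example Local CA" signing a cert for "ldaphost",
# concatenated leaf-first into chain.pem, the order `openssl s_client -showcerts` prints.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Local CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldaphost" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/ldap.pem" 2>/dev/null
  cat "$WORK/ldap.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# split_chain BUNDLE OUTDIR: write each certificate in BUNDLE to OUTDIR/cert-N.pem and
# print how many were found. keytool -importcert reads only the first certificate of a
# multi-certificate PEM file, so a chain must be split before import.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$1"
}

# is_self_signed CERT: true when subject equals issuer, i.e. the cert is a root CA.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# ca_certs_in_chain BUNDLE: print the paths of the CA certificates in the chain
# (self-signed roots and anything carrying basicConstraints CA:TRUE). These belong
# in the truststore; the server's own leaf certificate rotates and should not.
ca_certs_in_chain() {
  dir=$(mktemp -d)
  split_chain "$1" "$dir" >/dev/null
  for c in "$dir"/cert-*.pem; do
    if is_self_signed "$c" || openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
      echo "$c"
    fi
  done
}

# leaf_chains_to LEAF CA: true when openssl can build a path from LEAF to CA, which
# proves the certificate you are about to trust is the one that actually signs the server.
leaf_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# import_ca_certs STORE PASS BUNDLE PREFIX: import every CA cert from BUNDLE into STORE,
# each under PREFIX-N, because keytool refuses a duplicate alias.
import_ca_certs() {
  i=0
  for c in $(ca_certs_in_chain "$3"); do
    i=$((i + 1))
    keytool -importcert -noprompt -file "$c" -alias "$4-$i" -keystore "$1" -storepass "$2"
  done
}

make_test_chain
echo "certificates in chain: $(split_chain "$WORK/chain.pem" "$WORK")"
for ca in $(ca_certs_in_chain "$WORK/chain.pem"); do
  openssl x509 -in "$ca" -noout -subject
  leaf_chains_to "$WORK/ldap.pem" "$ca" && echo "ldaphost certificate chains to $ca"
done
# keytool is only needed for the real import; skip it when no JDK is installed.
if command -v keytool >/dev/null 2>&1; then
  import_ca_certs "$WORK/nexus-iq-server-outbound.jks" changeit "$WORK/chain.pem" local-ca
  keytool -list -keystore "$WORK/nexus-iq-server-outbound.jks" -storepass changeit
fi
```

To use it against a real capture, replace the make_test_chain call with the ldaps.pem from step 3 and point import_ca_certs at the cacerts copy from step 2; the leaf_chains_to check is the one worth keeping, since a truststore that holds the wrong CA fails with the same PKIX error the page describes.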