You need to upload valid certificates into Salesforce, so the InCountry Data Residency for Salesforce package can perform data communication of regulated between Salesforce and the InCountry Platform.
Getting certificates from InCountry
You need to Set up an account on the InCountry Portal.
Generating Salesforce compatible certificates
Under specific circumstances, the InCountry Portal may generate the certificate in the CER format instead of the CRT format. In the following instructions, you can find commands for both certificate formats.
Use Java version 8 only to generate a valid JKS certificate for the InCountry Data Residency for Salesforce package. When using other versions of Java, the generated certificate may be invalid.
Installing OpenJDK 1.8 on MacOS
Add the casks tap to use the AdoptOpenJDK versions by running the following command:
brew tap AdoptOpenJDK/openjdk
Install OpenJDK version 8 by running the following command:
brew install --cask adoptopenjdk8
OpenJDK is installed into the
/Library/Java/JavaVirtualMachines/ folder. This is a default location on MacOS X.
Generating a JKS certificate
Install OpenSSL and Java Keystore locally.
Open OpenSSL as an administrator and enter:
for the CRT certificate format:
openssl pkcs12 -export -name <certAlias> -in <YourCertName>.crt -inkey <YourKeyName>.key -out keystore.p12
for the CER certificate format:
openssl pkcs12 -export -name <certAlias> -in <YourCertName>.cer -inkey <YourKeyName>.key -out keystore.p12
Enter a password for the keystore between 6 and 8 characters.
Use the following command for the
keytool -importkeystore -destkeystore salesforce.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias <certAlias>
To use a different version of Java, use the command below as a reference:
/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/bin/keytool -importkeystore -destkeystore salesforce.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias <certAlias>
Enter the same password as in step 3.
Upload the JKS file to Salesforce (Setup > Security > Certificate and Key Management > Import from Keystore), and enter the password specified in steps 3 and 6.
Set the certificate in Salesforce as SSO Request Signing, API Client, and/or Domain Certificate.
The InCountry Data Residency for Salesforce package requires certificates to perform the client-side requests to InCountry REST SDK. All the certificates must be provided in the JKS format.
You need to upload the following certificates:
incountry- the generic certificate for performing data requests to the InCountry Platform. This is a required certificate.
serverless- the certificate to perform serverless functions. This is an optional certificate.
batch- the certificate to perform batch data operations (for data migration). This is an optional certificate.
You will have to specify the certificate names in the corresponding InCountry REST API endpoints. Depending on your setup, some certificate may not be needed.
Get a certificate from InCountry.
From Setup, click Security, then select Certificate and Key Management.
On the Certificate and Key Management page, click Import from Keystore.
Select the certificate file and enter the keystore password.
Once you have uploaded the certificates, the InCountry Data Residency for Salesforce package is ready for operation.
If you receive the Data not available error when importing certificates, please do any of the following to bypass this issue:
Create a self-signed certificate in the Certificate and Key Management section.
Enable the Identity Provider and assign the self-signed certificate to it.
After performing these steps, you will be able to import the JKS certificates.