jl66
asked on
How to specify root certificate for Java application in Redhat linux?
How to specify/setup root certificate with the parameter "deployment.user.security.cacerts" for Java (current version: java-1.8.0-oracle-1.8.0.xxx) on Linux (Red Hat 2.6.32-754.9.1.xxx.x86_64)? Since the java version is often upgraded, would like to place the root certificate in an unchangeable place. Can any gurus shed some light on it? Thanks a lot.
Is this a server machine?
ASKER
Yes. Thanks.
Usually you would use the -Djavax.net.ssl.trustStore switch. If you want to use your own switch you would have to do: -Ddeployment.user.security.cacerts and then load the certification manually (i.e. with code).
alias java='java -Ddeployment.user.security.cacerts=/home/foo/cacerts'
might be one way of doing it (for the user 'foo' running java)
ASKER
Thanks a lot for the tips.
girionis: can you give me a concrete example on how to use that option -Djavax.net.ssl.trustStore ?
girionis: can you give me a concrete example on how to use that option -Djavax.net.ssl.trustStore
That's not the option you need afaics
Java by default reads the certificates from <java installation>/jre/lib/security/cacerts file. You can copy and paste this file to another folder and just provide the path to this file using the trustStore switch. For example if you copy/paste the cacerts file into /home/myapp/certifications then you can pass the following argument:
-Djavax.net.ssl.trustStore=/home/myapp/certifications/cacerts
to JVM when you start Java.
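The procedure in the answer above (copy the JRE's cacerts to a location of your own, add your private root CA to the copy, and start the JVM with -Djavax.net.ssl.trustStore pointing at it) as an added example, not code from the thread. It assumes a hypothetical stable location /etc/pki/java/app-cacerts, a private CA file corp-root-ca.pem under the RHEL ca-trust anchors directory, and a JAVA_HOME that points at the installed JDK; the keytool commands are the standard ones shipped with the JDK.

```shell
#!/bin/sh
# Added example (not from the thread): keep the application truststore outside the
# JDK tree so a Java upgrade cannot overwrite it, then point the JVM at it.
# Assumed, hypothetical locations: /etc/pki/java/app-cacerts and the CA file below.

# Build the -D switches described in the answer for a given truststore path.
java_trust_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Locate the cacerts file shipped with the JDK under $1 (JDK 8 keeps it under
# jre/lib/security, newer JDKs under lib/security). Prints the path; returns 1 if absent.
find_shipped_cacerts() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Seed the stable truststore $1 from the JDK under $2 only if it does not exist yet.
# An existing store is left alone, so CAs imported earlier survive Java upgrades.
seed_truststore() {
    store="$1"
    javahome="$2"
    if [ -f "$store" ]; then
        return 0
    fi
    src=$(find_shipped_cacerts "$javahome") || return 1
    mkdir -p "$(dirname "$store")"
    cp "$src" "$store"
    chmod 0644 "$store"   # world-readable is fine: the store holds only public CA certificates
}

# Import a private root CA (PEM or DER) into the store under a fixed alias; idempotent.
import_root_ca() {
    store="$1"; ca_alias="$2"; certfile="$3"; storepass="$4"
    if keytool -list -keystore "$store" -storepass "$storepass" -alias "$ca_alias" >/dev/null 2>&1; then
        return 0   # already present
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "$storepass" \
        -alias "$ca_alias" -file "$certfile"
}

main() {
    store="${TRUSTSTORE:-/etc/pki/java/app-cacerts}"      # hypothetical stable location
    storepass="${TRUSTSTORE_PASS:-changeit}"              # default password of the shipped cacerts
    seed_truststore "$store" "${JAVA_HOME:?JAVA_HOME must be set}" || exit 1
    # corp-root-ca.pem is a placeholder for your own private root CA certificate
    import_root_ca "$store" corp-root-ca /etc/pki/ca-trust/source/anchors/corp-root-ca.pem "$storepass" || exit 1
    # shellcheck disable=SC2046
    exec java $(java_trust_opts "$store" "$storepass") -jar "$@"
}

# Only run the full procedure when explicitly requested, e.g. RUN_TRUST_SETUP=1 ./run.sh app.jar
if [ "${RUN_TRUST_SETUP:-0}" = "1" ]; then
    main "$@"
fi
```

Two points worth knowing when using this: the shipped cacerts file has the well-known default password "changeit", and for a store that holds only public CA certificates the password protects integrity rather than secrecy, so passing it on the command line (where other local users can see it in the process list) is a smaller concern than it would be for a key store; and because the copy is seeded once and then left alone, public root CAs added in later Java releases do not flow into it automatically, so the copy should be re-seeded (or the private CA re-imported into a fresh copy) when the JDK is upgraded.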
https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/security.html :
The Root Certificate Authority certificate stores are the union of the certificate stores in the files pointed to by the properties: deployment.user.security.cacerts and deployment.system.security.cacerts. By default deployment.system.security.cacerts points to the cacerts file in the jre/lib/security directory. deployment.user.security.cacerts points to a file that contains any additional cacerts imported into it using the Certificates dialog in the Security tab of the Java Control Panel.
I'm guessing that for your purposes, you've already identified the proper system security property
ASKER CERTIFIED SOLUTION
Note: Keep in mind a 2.6.32-754.9 Kernel is very old + this will likely cause many other problems, if you have any public (new openssl code) connecting to your very old openssl code.
So long as you don't expose your 2.6.32-754.9 Kernel (along with related old openssl) as a public service, you should be fine.
... covers how to inject your own private CA issuer chains
Yes, I assumed jl66 already knows how to do this, which is a task onerous in a different way - plus one likely to get overwritten (as the OP mentions)
ASKER
Thanks a lot for the additional tips.
David -- your statement makes a lot sense "Each time you update Java all public issuer chains automatically update.", but I can't prove it now. If it is true, that is what I have been looking for. Appreciate it.
ASKER
Thanks a lot for the additional comments.
David-- I feel this makes a lot of sense "Each time you update Java all public issuer chains automatically update", but currently I can't prove it. If so, that is what I want. Appreciate it.