How to specify root certificate for Java application in Redhat linux?
How to specify/setup root certificate with the parameter "deployment.user.security.
CEHJ
Is this a server machine?
ASKER
Yes. Thanks.
Usually you would use the -Djavax.net.ssl.trustStore
alias java='java -Ddeployment.user.security.cacerts=/home/foo/cacerts'might be one way of doing it (for the user 'foo' running java)
ASKER
Thanks a lot for the tips.
girionis: can you give me a concrete example on how to use that option -Djavax.net.ssl.trustStore
girionis: can you give me a concrete example on how to use that option -Djavax.net.ssl.trustStore
That's not the option you need afaics
Java by default reads the certificates from <java installation>/jre/lib/secu
to JVM when you start Java.
-Djavax.net.ssl.trustStore=/home/myapp/certifications/cacertsto JVM when you start Java.
https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/security.html :
The Root Certificate Authority certificate stores are the union of the certificate stores in the files pointed to by the properties: deployment.user.security.cI'm guessing that for your purposes, you've already identified the proper system security propertyacerts and deployment.system.security .cacerts. By default deployment.system.security .cacerts points to the cacerts file in the jre/lib/security directory. deployment.user.security.c acerts points to a file that contains any additional cacerts imported into it using the Certificates dialog in the Security tab of the Java Control Panel.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Note: Keep in mind a 2.6.32-754.9 Kernel is very old + this will likely cause many other problems, if you have any public (new openssl code) connecting to your very old openssl code.
So long as you don't expose your 2.6.32-754.9 Kernel (along with related old openssl) as a public service, you should be fine.
So long as you don't expose your 2.6.32-754.9 Kernel (along with related old openssl) as a public service, you should be fine.
... covers how to inject your own private CA issuer chainsYes, i assumed jl66 already knows how to do this, which is a task onerous in a different way - plus one likely to get overwritten (as the OP mentions)
ASKER
Thanks a lot for the additional tips.
David -- your statement makes a lot sense "Each time you update Java all public issuer chains automatically update.", but I can't prove it now. If it is true, that is what I have been looking for. Appreciate it.
David -- your statement makes a lot sense "Each time you update Java all public issuer chains automatically update.", but I can't prove it now. If it is true, that is what I have been looking for. Appreciate it.
ASKER
Thanks a lot for the additional comments.
David-- I feel this makes a lot of sense "Each time you update Java all public issuer chains automatically update", but currently I can't prove it. If so, that is what I want. Appreciate it.
David-- I feel this makes a lot of sense "Each time you update Java all public issuer chains automatically update", but currently I can't prove it. If so, that is what I want. Appreciate it.