Preserve imported CA Certificates through Java upgrades

Solution 1

It may be helpful to keep your site-specific or host-specific key-store / trust-store outside the Java installation directory, and instead point to it when you need to consume trust. Presuming your trust-store is at /opt/site/cacerts.JKS, you would do that in one of two ways:

In your Java code, add a line like: System.setProperty("javax.net.ssl.trustStore","/opt/site/cacerts.JKS");

At run-time, add a definition to your startup script: java -Djavax.net.ssl.trustStore=/opt/site/cacerts.JKS -cp /opt/site myClass

Solution 2

The way I do it (maybe not the best?): save cacerts before the upgrade and restore it after. I scripted it in my update script like this:

1) save:

javaexe=$(readlink -f /usr/bin/java)            # follow the alternatives symlink to the real binary
jredir=$(dirname "$javaexe")
cacertsfile="${jredir}/../lib/security/cacerts"  # the JRE's trust store
[ -f "$cacertsfile" ] && cp -p "$cacertsfile" /tmp/cacerts   # /tmp is shared; a root-owned directory is safer

2) install updates (yum update or other way).

3) restore:

[ -f /tmp/cacerts ] && cp -p /tmp/cacerts "$cacertsfile"   # overwrites the freshly installed cacerts
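As an added example (not part of either answer), a middle path that the comments point towards: instead of copying the old cacerts over the new one, which discards the CA updates shipped with the upgrade, re-import the site CAs into whichever cacerts the upgraded Java resolves to. It assumes the site CAs are PEM files under /opt/site/ca (a hypothetical path) and the stock cacerts password.

```shell
#!/bin/sh
# Re-import site CAs into the cacerts of the currently installed Java.
# Run after the upgrade step: sh reimport-cas.sh --apply
STOREPASS=${STOREPASS:-changeit}   # stock cacerts password; override via environment

# Resolve the cacerts file belonging to the java binary given as $1
# (same logic as the save/restore script: follow the symlink, go up to the JRE).
resolve_cacerts() {
    javaexe=$(readlink -f "$1") || return 1
    jredir=$(dirname "$javaexe")
    printf '%s\n' "$jredir/../lib/security/cacerts"
}

# Derive a keytool alias from a PEM filename: /opt/site/ca/Corp-Root.pem -> corp-root
ca_alias() {
    base=${1##*/}
    base=${base%.*}
    printf '%s\n' "$base" | tr 'A-Z' 'a-z'
}

# Import every *.pem in directory $2 into the cacerts of java $1,
# skipping aliases that are already present so the script is safe to re-run.
import_site_cas() {
    cacerts=$(resolve_cacerts "$1") || return 1
    [ -f "$cacerts" ] || return 1
    for pem in "$2"/*.pem; do
        [ -f "$pem" ] || continue
        alias_name=$(ca_alias "$pem")
        if keytool -list -keystore "$cacerts" -storepass "$STOREPASS" \
                -alias "$alias_name" >/dev/null 2>&1; then
            echo "present: $alias_name"
        else
            keytool -importcert -noprompt -trustcacerts -keystore "$cacerts" \
                -storepass "$STOREPASS" -alias "$alias_name" -file "$pem"
        fi
    done
}

# Only touch the real trust store when explicitly asked to.
if [ "${1-}" = "--apply" ]; then
    import_site_cas /usr/bin/java /opt/site/ca
fi
```

Because the hook runs after the package is installed, the vendor's new cacerts is kept and only the site's own CAs are added back.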

Christopher Karel

Security and Systems Administrator

Updated on September 18, 2022

Comments

  • Christopher Karel
    Christopher Karel over 1 year

    I have imported internal Certificate Authorities into Java's CA keystore. (Using keytool to import into the "cacerts" store) This works fine and dandy, until I update the Java RPM. At which point all of those imported certs are not carried over to the new install. So applications bomb when attempting to make SSL connections.

    Is there any way to make these certificates persist through Java upgrades? Or an easy way to rerun the import commands on an upgrade trigger? I can obviously script these commands into my upgrade process, but I'm hoping there's a more elegant solution.

    For reference, this is a RHEL 5.10 equivalent (technically Oracle Linux). I'm using java-1.7.0-openjdk through the official repositories, and just upgraded to U65.

    • Giovanni Toraldo
      Giovanni Toraldo over 9 years
      Scripting is not elegant, but doing it every time by hand is?
    • Christopher Karel
      Christopher Karel over 9 years
      Obviously not. I'm clearly aiming for a third, more elegant, option.
  • shonky linux user
    shonky linux user over 9 years
    I haven't tried this but you might be able to put your cacerts file somewhere else and create a symlink to it from the lib/security directory.
  • Christopher Karel
    Christopher Karel over 9 years
    Interesting workaround. The downside is that you will never get certificate store updates (e.g. new CAs) as part of a Java upgrade. But it does definitely fix my issue.
  • DTK
    DTK over 9 years
    This is true. I had assumed you had a predefined trust-store that is managed by security, and which could be pushed out when new versions are built by your security team.
  • user2418702
    user2418702 about 4 years
    This effectively overwrites the keystore changes that come from time to time.