grouper-study - RE: managing java CA keystore in a container?
Subject: grouper-study
List archive
- From: "Coleman, Erik C" <>
- To: John Gasper <>, Liam Hoekenga <>, "" <>
- Subject: RE: managing java CA keystore in a container?
- Date: Thu, 12 Jul 2018 14:02:09 +0000
As FYI, we chose to RUN the keytool to import CA keys in our Dockerfile, just as John describes; it seemed to be the easiest approach. Other alternatives we considered: ADD a ourCA.jks file to the image and then reference that with CATALINA_OPTS startup option, or inject a replacement cacerts file. Both of those required extra steps outside of the Docker build, so we opted for the previous.

-Erik

From: <> On Behalf Of John Gasper

Hi Liam,

I'd argue if you are adding them at runtime, you could/should just include them as Docker Config/bind mount/k8 configmap instead of doing it in the container start-up. Otherwise add them to the image, if those CA certs are shared across env:

RUN /usr/lib/jvm/zulu-8/bin/keytool -import -alias ourCA -keystore /usr/lib/jvm/zulu-8/jre/lib/security/cacerts -file /cacert.der -storepass changeit -noprompt

From: <> on behalf of Liam Hoekenga <>

Does anyone have any pointers on adding custom CA certificates to the java cacerts keystore inside of a container?

Liam
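
Added example, not part of the original messages or of any poster's build: a Dockerfile sketch of the build-time import discussed in this thread, extended so the build fails unless the certificate file matches an expected SHA-256 and the alias is present afterwards. The base image, the CA_SHA256 value, the /opt/trust path and the truststore password placeholder are assumptions; the keytool path, alias, file name and store password are the ones quoted in the thread.

```dockerfile
# Added example, not from the thread. Assumptions are marked ASSUMPTION.

# ASSUMPTION: the base image is passed with --build-arg and provides Zulu 8
# under /usr/lib/jvm/zulu-8 (the path used in the thread) and sha256sum.
ARG BASE_IMAGE
FROM ${BASE_IMAGE}

# ASSUMPTION: placeholder. Pass the SHA-256 of cacert.der obtained from the
# CA owner out of band; with the placeholder left in, the build fails closed.
ARG CA_SHA256=REPLACE_WITH_EXPECTED_SHA256_OF_CACERT_DER

ENV JAVA_HOME=/usr/lib/jvm/zulu-8

COPY cacert.der /cacert.der

# 1. Refuse to trust a file that is not the expected CA certificate.
# 2. Import it into the JVM-wide cacerts store (command from the thread).
# 3. Confirm the alias exists; keytool -list exits non-zero if it does not.
RUN echo "${CA_SHA256}  /cacert.der" | sha256sum -c - \
 && ${JAVA_HOME}/bin/keytool -import -noprompt -alias ourCA \
      -keystore ${JAVA_HOME}/jre/lib/security/cacerts \
      -file /cacert.der -storepass changeit \
 && ${JAVA_HOME}/bin/keytool -list -alias ourCA \
      -keystore ${JAVA_HOME}/jre/lib/security/cacerts \
      -storepass changeit

# Alternative mentioned in the thread: ship a separate ourCA.jks and point
# the JVM at it through CATALINA_OPTS. javax.net.ssl.trustStore replaces the
# default cacerts rather than adding to it, so ourCA.jks must hold every CA
# the application needs.
# ASSUMPTION: /opt/trust is a hypothetical location; the password is a
# placeholder.
# COPY ourCA.jks /opt/trust/ourCA.jks
# ENV CATALINA_OPTS="-Djavax.net.ssl.trustStore=/opt/trust/ourCA.jks \
#   -Djavax.net.ssl.trustStorePassword=REPLACE_WITH_STORE_PASSWORD"
```

Build with `--build-arg BASE_IMAGE=... --build-arg CA_SHA256=...`; a mismatched or missing hash stops the build before keytool runs.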
- managing java CA keystore in a container?, Liam Hoekenga, 07/11/2018
- Re: managing java CA keystore in a container?, John Gasper, 07/11/2018
- RE: managing java CA keystore in a container?, Coleman, Erik C, 07/12/2018
- Re: managing java CA keystore in a container?, Liam Hoekenga, 07/12/2018