
grouper-study - Re: managing java CA keystore in a container?

  • From: Liam Hoekenga <>
  • To: John Gasper <>
  • Subject: Re: managing java CA keystore in a container?
  • Date: Thu, 12 Jul 2018 09:06:24 -0500

What about dropping it in /etc/pki/ca-trust/source/anchors and using update-ca-trust to regenerate the various CA bundles?
Then use the resulting copy of /etc/pki/ca-trust/extracted/java/cacerts in Java? (Either overwrite /opt/java/jre/lib/security/cacerts, or add javax.net.ssl.trustStore when starting up Tomcat.)

Liam

On Wed, Jul 11, 2018 at 3:14 PM, John Gasper <> wrote:

Hi Liam,

I’d argue if you are adding them at runtime, you could/should just include them as Docker Config/bind mount/k8 configmap instead of doing it in the container start-up. Otherwise add them to the image, if those CA certs are shared across env:

RUN /usr/lib/jvm/zulu-8/bin/keytool -import -alias ourCA -keystore /usr/lib/jvm/zulu-8/jre/lib/security/cacerts -file /cacert.der -storepass changeit -noprompt

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

From: <> on behalf of Liam Hoekenga <>
Date: Wednesday, July 11, 2018 at 12:42 PM
To: <>
Subject: managing java CA keystore in a container?

Does anyone have any pointers on adding custom CA certificates to the java cacerts keystore inside of a container?

Liam
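Both suggestions in this thread combined into one Dockerfile, as an added example that is not code from the thread or from the Grouper project: the CA is fed through update-ca-trust as Liam describes, the generated keystore replaces the JVM cacerts that John's keytool line targets, and a build step verifies the import by certificate fingerprint rather than trusting the exit code. The base image name, the ourCA.crt file, the CACERTS variable and the CATALINA_OPTS line are assumptions; the Zulu path comes from John's message.

```dockerfile
# Added example, not from the thread. Assumes a RHEL/CentOS-family base image
# that ships the ca-certificates package (update-ca-trust) and Zulu 8 under
# /usr/lib/jvm/zulu-8 (the JVM path from John's keytool line). The image name
# and ourCA.crt (PEM, in the build context) are placeholders.
FROM example.internal/base-centos7-zulu8:latest

ENV JAVA_HOME=/usr/lib/jvm/zulu-8
ENV CACERTS=/usr/lib/jvm/zulu-8/jre/lib/security/cacerts

# 1. Put the internal CA in the anchors directory and rebuild every bundle;
#    update-ca-trust regenerates /etc/pki/ca-trust/extracted/{pem,openssl,java}.
COPY ourCA.crt /etc/pki/ca-trust/source/anchors/ourCA.crt
RUN update-ca-trust extract

# 2. Option A: replace the JVM's own cacerts with the generated Java keystore,
#    keeping the original next to it so it can be diffed or restored.
RUN cp "$CACERTS" "$CACERTS.orig" \
 && cp /etc/pki/ca-trust/extracted/java/cacerts "$CACERTS" \
 && chmod 0644 "$CACERTS"

# 3. Build-time check. The alias in the extracted store is derived from the
#    certificate subject, not from the file name, so grepping for "ourCA"
#    proves nothing; compare the SHA-256 fingerprint instead. The extracted
#    keystore uses the default password "changeit". Fails the build if absent.
RUN fp="$("$JAVA_HOME/bin/keytool" -printcert \
          -file /etc/pki/ca-trust/source/anchors/ourCA.crt \
        | awk '/SHA256:/ {print $2}')" \
 && [ -n "$fp" ] \
 && "$JAVA_HOME/bin/keytool" -list -v -keystore "$CACERTS" -storepass changeit \
    | grep -qF "$fp" \
 || { echo "ourCA not present in $CACERTS" >&2; exit 1; }

# Option B (instead of step 2): leave the JVM cacerts untouched and point
# Tomcat at the extracted store via javax.net.ssl.trustStore, as Liam suggests.
# ENV CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
```

Because the check runs at build time, a CA that fails to import (wrong format, truncated file, update-ca-trust missing from the base image) stops the image from being produced instead of surfacing later as an SSL handshake failure in Tomcat.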




