Ldap – How to persist certificates in Java’s cacerts

javakeystoreldapssl-certificateupdate

We need to have a certificate in Java's cacerts keystore for one of our servers that is authenticated by LDAP. We are using Ubuntu server.

We have successfully done this by updating the cacerts file in /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security but occasionally a Java update is installed and the cacerts file seems to be getting replaced by a default one that doesn't contain our changes.

This doesn't happen very often but it is becoming a bit of a pain when it does happen. Is there a better way of adding things to cacerts so that they don't get lost when a Java update happens?

Best Answer

Get the server certificate signed by a CA, then you don't have do it at all.

If you really can't do that, which you really should, Java installs its own cacerts file when it updates so you will just have to cope with it.

Related Solutions

Tomcat access control exceptions (binding to RMI) with no Security Manager running (Ubuntu)

OK, solved it. The problem was the use of OpenJDK as opposed to Sun Java. The OpenJDK rmiregistry implementation doesn't like file URLs (access exceptions) and, when trying to access the codebase property for a Tomcat webapp, it somehow isn't seeing it properly (presume something to do with the per-webapp class loaders used in Tomcat messing it up).

Switching to the Sun rmiregistry implementation (even when retaining use of OpenJDK for Tomcat) meant it worked properly. If I can't find any OpenJDK bug on this, I'll raise one and link to it here for completeness.

I suspect that the file URLs issue with the OpenJDK one is due to different default (no explicit java policy) security setups, and that I could get that to work using an explicit policy file...

Hope this helps others out because it was a real head-scratcher.

Java – Fixing CertificateException in Domino 9 When Accessing HTTPS URL

So for Domino 9, as the new feature OpenSocial was added, a lot of functionality was changed around certificates to make it easier to maintain.

As such there is a new API "com.ibm.domino.napi.ssl.DominoX509TrustManager". What this API does is now check the Domino certificates for the related trusted certificate which is also cross certified against the server certificate.

It checks first in the CACERTS. If it can't find this, then it will check the Domino certificates.

So in order to get the code above to work you need to do the following.

Open the Domino Administrator client and select the ""People and Groups -> Certificates".
In the actions menu select "Import Internet Certificates".
Select the related certificate file to import using the file dialog. It may ask you for the file structure when importing, so select the correct structure if needed. It should appear in the view once completed.
Open the document and from the actions menu select "Create Cross Certificate".
A dialog pops up. You select the certificate and click OK.
Next dialog make sure you have it set correctly for your server. ie. The right server and certifier. Click Cross Certify when done.