Include additional certificates in JRE keystore [message #1839676] Thu, 25 March 2021 14:21
Jan Poganski
The JREs provided by JustJ come with the usual keystore located at \jre\lib\security\cacerts.
I need to include some additional company-specific certificates so that my product can access certain p2 update sites via HTTPS.
I know how to add certificates to a keystore using the keytool application so that I can prepare an enhanced cacerts file. Now I wonder how to inject it into a JRE which I am consuming from a JustJ update site.
A feature patch might help but do I really want to prepare such a patch each time I move to a newer JRE?

Is there a better way to make sure the additional certificates will be present in my final product's cacerts file?
And what if these certificates expire and I want to replace them (maybe by providing an update using p2)?

Any idea or suggestion is appreciated!
Re: Include additional certificates in JRE keystore [message #1839679 is a reply to message #1839676] Thu, 25 March 2021 15:43
Ed Merks
I'm not sure what to suggest. I'm not an expert on the topic, though I'm well aware of the associated problems from past experience (especially at customer sites).

I see that the keytool is present in the JRE's bin folder, so one could potentially have an early start bundle that automatically updates the cacerts. Or one could just replace the file. It's kind of virus-like behavior though. I'm not sure if you're building an update site or just distributing packaged products...

Or perhaps you can have a plugin with a touchpoint to set the path to your own cacerts which would be in that plugin:

https://stackoverflow.com/questions/2642046/is-there-a-way-to-load-a-different-cacerts-than-the-one-specified-in-the-java-ho


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Include additional certificates in JRE keystore [message #1839942 is a reply to message #1839679] Thu, 01 April 2021 15:12
Jan Poganski
Thanks for your valuable hints, Ed.

For those who are interested in which solution I've selected:
Using the concept of root files (https://help.eclipse.org/2021-03/index.jsp?topic=/org.eclipse.pde.doc.user/tasks/pde_rootfiles.htm), I put our custom cacerts file into one of our features like this: /rootfiles/plugins/org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_15.0.2.v20210201-0955/jre/lib/security/cacerts
Unfortunately I had to hard-code some version information in a folder name. And in build.properties I added a line: root=rootfiles
Effectively, the original cacerts file of that JRE is now replaced by our custom one in the final product.

(My attempt to put a VM argument -Djavax.net.ssl.trustStore=[...] in our product definition finally failed when I found out that the path I had provided with this property is always interpreted relative to the working directory from where the IDE is started. In our case this is most of the time not the root folder of our Eclipse product.)
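
The custom cacerts file shipped through root files replaces the JRE's own store, so it has to be rebuilt whenever the bundled JRE or a company certificate changes. The following build-step sketch is an added example, not part of the thread: it copies the store shipped with the JRE and imports the company certificates with keytool. The function names, the `*.crt` directory layout and the `STOREPASS` variable are assumptions; `changeit` is the default cacerts password.

```shell
#!/bin/sh
# Added example: rebuild the custom cacerts from the store shipped with the JRE.
# Assumptions: keytool on PATH, store password "changeit" (the cacerts default),
# company CA certificates as *.crt files (PEM or DER) in one directory.
STOREPASS="${STOREPASS:-changeit}"

# count_entries <keystore>: number of certificates in the store.
# -rfc prints one PEM block per certificate, which is locale-independent to count.
count_entries() {
    keytool -list -rfc -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# has_alias <keystore> <alias>: succeeds if the alias exists in the store.
has_alias() {
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# merge_cacerts <jre_cacerts> <cert_dir> <out_file>
# Copies the JRE's store and imports every *.crt from cert_dir into the copy.
# The alias is the lower-cased file name without its extension.
merge_cacerts() {
    base=$1; certs=$2; out=$3
    [ -f "$base" ] || { echo "missing base store: $base" >&2; return 1; }
    cp "$base" "$out" || return 1
    chmod u+w "$out" || return 1   # packaged cacerts files are often read-only
    imported=0
    for crt in "$certs"/*.crt; do
        [ -f "$crt" ] || continue
        entry=$(basename "$crt" .crt | tr '[:upper:]' '[:lower:]')
        # Drop an older entry under the same alias (e.g. a renewed certificate).
        keytool -delete -alias "$entry" -keystore "$out" \
            -storepass "$STOREPASS" >/dev/null 2>&1 || true
        keytool -importcert -noprompt -trustcacerts -alias "$entry" \
            -file "$crt" -keystore "$out" -storepass "$STOREPASS" \
            >/dev/null 2>&1 || { echo "import failed: $crt" >&2; return 1; }
        imported=$((imported + 1))
    done
    # An empty certificate directory is a build error, not a silent no-op.
    [ "$imported" -gt 0 ] || { echo "no *.crt files in $certs" >&2; return 1; }
}
```

The output file is what would be placed at the `jre/lib/security/cacerts` path under `rootfiles`; pointing `<jre_cacerts>` at the store of the JRE version actually bundled keeps that JRE's root CA set.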