A cert needs to be imported into jdk for the APP to access HTTPS. Normally, I do it like this:
keytool -keystore "C:\Program Files\Java\jdk1.8.0_71\jre\lib\security\cacerts" -importcert -alias WoSign -file WS_CA1_NEW.cer
If my app is running in CF with java-buildpack, how can I do the same thing with java-buildpack?
Thanks.
Certificates that are shared across all applications (e.g. a CA used company-wide) can be added using BOSH's (also available in PCF Ops Manager) trusted certificates support. Certificates that are shared across a number of, but not necessarily all, applications can use a fork of the buildpack that replaces the cacerts file in the JRE. Finally, certificates that are used by a single application can be packaged within the application itself (typically within META-INF so they can't be accidentally served to users), and referred to with system properties (e.g. -Djavax.net.ssl.trustStore=$PWS/app/META-INF/truststore.jks).
Hi @nebhale ,
I follow https://github.com/cloudfoundry/java-buildpack/blob/master/docs/jre-open_jdk_jre.md#custom-ca-certificates and get an error during staging.
Do you any idea about this? Thanks!
BTW, "cf push" can be successful by using official buildpack.
Error logs:
Staging...
-----> Java Buildpack Version: ee0dec3 | https://github.com/zhongyi-zhang/java-buildpack.git#ee0dec3
-----> Downloading Open Jdk JRE 1.8.0_121 from https://java-buildpack.cloudfoundry.org/openjdk/trusty/x86_64/openjdk-1.8.0_121.tar.gz (found in cache)
Expanding Open Jdk JRE to .java-buildpack/open_jdk_jre (1.6s)
[Buildpack] ERROR Compile failed with exception #<Errno::EEXIST: File exists @ dir_s_mkdir - /tmp/app/.java-buildpack/open_jdk_jre/./lib/security/cacerts>
File exists @ dir_s_mkdir - /tmp/app/.java-buildpack/open_jdk_jre/./lib/security/cacerts
Failed to compile droplet
Exit status 223
Staging failed: Exited with status 223
FAILED
BuildpackCompileFailed
Our testing indicates that this currently works. There's a branch with a custom cacerts file in this branch. You can push an application specifying -b https://github.com/cloudfoundry/java-buildpack.git#custom-ca-certs and you'll see your application stage properly.
It's hard to say exactly why your file can't be copied, but it could possibly be permissions on the cacerts file that you added to the fork.
Oh, the problem is that cacerts is a Java KeyStore containing all the CA certificates you'd like to trust.