Java-buildpack: How to import cert into jdk?

Created on 23 Feb 2017  ·  4 Comments  ·  Source: cloudfoundry/java-buildpack

A cert needs to be imported into jdk for the APP to access HTTPS. Normally, I do it like this:

keytool -keystore "C:\Program Files\Java\jdk1.8.0_71\jre\lib\security\cacerts" -importcert -alias WoSign -file WS_CA1_NEW.cer

If my app is running in CF with java-buildpack, how can I do the same thing with java-buildpack?
Thanks.

All 4 comments

Certificates that are shared across all applications (e.g. a CA used company-wide) can be added using BOSH's (also available in PCF Ops Manager) trusted certificates support. Certificates that are shared across a number of, but not necessarily all, applications can use a fork of the buildpack that replaces the cacerts file in the JRE. Finally, certificates that are used by a single application can be packaged within the application itself (typically within META-INF so they can't be accidentally served to users), and referred to with system properties (e.g. -Djavax.net.ssl.trustStore=$PWS/app/META-INF/truststore.jks).

Hi @nebhale,

I follow https://github.com/cloudfoundry/java-buildpack/blob/master/docs/jre-open_jdk_jre.md#custom-ca-certificates and get an error during staging.
Do you have any idea about this? Thanks!
BTW, "cf push" can be successful by using official buildpack.

Error logs:

Staging...
-----> Java Buildpack Version: ee0dec3 | https://github.com/zhongyi-zhang/java-buildpack.git#ee0dec3
-----> Downloading Open Jdk JRE 1.8.0_121 from https://java-buildpack.cloudfoundry.org/openjdk/trusty/x86_64/openjdk-1.8.0_121.tar.gz (found in cache)
       Expanding Open Jdk JRE to .java-buildpack/open_jdk_jre (1.6s)
[Buildpack]                      ERROR Compile failed with exception #<Errno::EEXIST: File exists @ dir_s_mkdir - /tmp/app/.java-buildpack/open_jdk_jre/./lib/security/cacerts>
File exists @ dir_s_mkdir - /tmp/app/.java-buildpack/open_jdk_jre/./lib/security/cacerts
Failed to compile droplet
Exit status 223
Staging failed: Exited with status 223

FAILED
BuildpackCompileFailed

Our testing indicates that this currently works. There's a branch with a custom cacerts file in this branch. You can push an application specifying -b https://github.com/cloudfoundry/java-buildpack.git#custom-ca-certs and you'll see your application stage properly.

It's hard to say exactly why your file can't be copied, but it could possibly be permissions on the cacerts file that you added to the fork.

Oh, the problem is that cacerts is a Java KeyStore containing all the CA certificates you'd like to trust.
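The single-application option from the first comment, as an added example rather than code from the issue or the buildpack: a small Java build-time program that copies the JRE's cacerts KeyStore (so the public CAs stay trusted) and adds one extra CA to it, producing META-INF/truststore.jks for the app to reference with -Djavax.net.ssl.trustStore. The CA file name WS_CA1_NEW.cer is taken from the question; the alias "wosign", the resources output path and the "changeit" password (the JDK default for cacerts) are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Builds an application-private trust store: JRE cacerts + one extra CA. */
public class TrustStoreBuilder {

    /** Returns the number of trusted entries in the written store. */
    public static int build(Path jreCacerts, Path caFile, String alias, Path out, char[] password) throws Exception {
        // cacerts is itself a JKS KeyStore holding only trusted-certificate entries
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jreCacerts)) {
            store.load(in, password); // the JDK ships cacerts with password "changeit"
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(caFile)) {
            // generateCertificates accepts a single DER cert or a PEM bundle (a chain)
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                // a trust store should only contain CA certificates: refuse leaf certs
                if (x.getBasicConstraints() < 0) {
                    throw new IllegalArgumentException("not a CA certificate: " + x.getSubjectX500Principal());
                }
                x.checkValidity(); // refuse an expired or not-yet-valid root
                store.setCertificateEntry(added == 0 ? alias : alias + "-" + added, x);
                added++;
            }
        }
        Files.createDirectories(out.getParent());
        try (OutputStream os = Files.newOutputStream(out)) {
            store.store(os, password);
        }
        return store.size();
    }

    public static void main(String[] args) throws Exception {
        // java.home/lib/security/cacerts is the JRE's default trust store (JDK 8 and later)
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path out = Paths.get("src", "main", "resources", "META-INF", "truststore.jks"); // assumed location
        int size = build(cacerts, Paths.get("WS_CA1_NEW.cer"), "wosign", out, "changeit".toCharArray());
        System.out.println("wrote " + out + " with " + size + " trusted entries");
        // at runtime (e.g. JAVA_OPTS in manifest.yml; on CF the app unpacks under $PWD/app):
        // -Djavax.net.ssl.trustStore=$PWD/app/META-INF/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
    }
}
```

Starting from the JRE's cacerts matters: a store holding only the company CA would make every public HTTPS endpoint the app talks to fail validation.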
