Grouper GRP-4932

Trusted client certs added to Corretto keystore, tomcat still uses /etc/pki/java/cacerts

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 4.6.0, 5.4.0
    • 4.0.0
    • container
    • None

    Description

      The documentation on SSL trust management states that if you put pem files in /opt/grouper/certs/client, they get read at startup and imported. They get imported into $JAVA_HOME/lib/security/cacerts, which is Corretto-specific. However, the Tomcat setenv.sh file hardcodes

      -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts

      which is a file not touched by the import.
      Removing the javax.net.ssl.trustStore JVM parameter allows self-signed certificates to work.
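      The following Python check is an added illustration of the mismatch the description reports; it is not code from the Grouper project or from this issue. It reads a constructed setenv.sh fragment, works out which truststore the JVM will actually consult (the -Djavax.net.ssl.trustStore property overrides the JVM default of $JAVA_HOME/lib/security/cacerts), compares that with the location the startup import writes to, and shows the effect of dropping the property. The setenv.sh text, the JAVA_HOME path and the function names are all assumptions made for the example.

```python
import os
import re

# Constructed sample of a Tomcat setenv.sh fragment carrying the hardcoded
# property described in the issue (not the Grouper container's real file).
SAMPLE_SETENV = '''
export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto
CATALINA_OPTS="$CATALINA_OPTS -Xmx2g -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
'''

# Match the trustStore property only (the '=' right after the name keeps
# trustStorePassword / trustStoreType out); the value may be bare or quoted.
TRUSTSTORE_PATTERN = r'-Djavax\.net\.ssl\.trustStore=("([^"]*)"|([^\s"]+))'
TRUSTSTORE_RE = re.compile(TRUSTSTORE_PATTERN)


def default_truststore(java_home):
    """Truststore a JVM consults when no trustStore property is set; per the
    issue this is also where the container's startup import writes."""
    return os.path.join(java_home, "lib", "security", "cacerts")


def effective_truststore(setenv_text, java_home):
    """Truststore the JVM launched from this setenv.sh will actually use."""
    m = TRUSTSTORE_RE.search(setenv_text)
    if m:
        # group 2 is a double-quoted value, group 3 a bare one
        return m.group(2) if m.group(2) is not None else m.group(3)
    return default_truststore(java_home)


def trust_mismatch(setenv_text, java_home):
    """True when certs imported into $JAVA_HOME/lib/security/cacerts would
    never be seen by the JVM, because the property points elsewhere."""
    return effective_truststore(setenv_text, java_home) != default_truststore(java_home)


def drop_truststore_override(setenv_text):
    """The fix the issue describes: remove only the trustStore property and
    leave every other JVM option in place."""
    return re.sub(r'\s*' + TRUSTSTORE_PATTERN, '', setenv_text)


if __name__ == "__main__":
    java_home = "/usr/lib/jvm/java-17-amazon-corretto"  # constructed path
    print("effective:", effective_truststore(SAMPLE_SETENV, java_home))
    print("import target:", default_truststore(java_home))
    print("mismatch:", trust_mismatch(SAMPLE_SETENV, java_home))
    fixed = drop_truststore_override(SAMPLE_SETENV)
    print("after fix, effective:", effective_truststore(fixed, java_home))
```

      On a real container the same comparison can be made by hand: look for -Djavax.net.ssl.trustStore in the Tomcat startup options and, if it is set, confirm that the imported PEM certificates were written into that file rather than into the JVM's default cacerts.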

      People

        chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
        chad.redman.3@at.internet2.edu Chad Redman