Changeset 4a16903 for general/prog/openjdk.xml
- Timestamp:
- 11/18/2016 07:13:46 AM (7 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 539dd69d
- Parents:
- 1c929a6d
- File:
- 1 edited
general/prog/openjdk.xml
r1c929a6d r4a16903 555 555 <filename>/etc/ssl/java/cacerts</filename>. That file should be 556 556 generated using the system PKI trust store. The instructions 557 on the <xref linkend="cacerts"/> page will be used to do the update558 by calling the following script. Installthe559 <command>mkcacerts</command> script and setup a symlink in the java560 as the <systemitem class="username">root</systemitem>user:557 on the <xref linkend="cacerts"/> page should be used to update the file 558 located in <filename>/etc/ssl/java</filename>. Setup a symlink in the 559 defualt location as the <systemitem class="username">root</systemitem> 560 user: 561 561 </para> 562 562 563 <screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF" && 564 <literal>#!/bin/sh 565 # Simple script to extract x509 certificates and create a JRE cacerts file. 566 567 function get_args() 568 { 569 if test -z "${1}" ; then 570 showhelp 571 exit 1 572 fi 573 574 while test -n "${1}" ; do 575 case "${1}" in 576 -f | --cafile) 577 check_arg $1 $2 578 CAFILE="${2}" 579 shift 2 580 ;; 581 -d | --cadir) 582 check_arg $1 $2 583 CADIR="${2}" 584 shift 2 585 ;; 586 -o | --outfile) 587 check_arg $1 $2 588 OUTFILE="${2}" 589 shift 2 590 ;; 591 -k | --keytool) 592 check_arg $1 $2 593 KEYTOOL="${2}" 594 shift 2 595 ;; 596 -s | --openssl) 597 check_arg $1 $2 598 OPENSSL="${2}" 599 shift 2 600 ;; 601 -h | --help) 602 showhelp 603 exit 0 604 ;; 605 *) 606 showhelp 607 exit 1 608 ;; 609 esac 610 done 611 } 612 613 function check_arg() 614 { 615 echo "${2}" | grep -v "^-" > /dev/null 616 if [ -z "$?" -o ! -n "$2" ]; then 617 echo "Error: $1 requires a valid argument." 
618 exit 1 619 fi 620 } 621 622 # The date binary is not reliable on 32bit systems for dates after 2038 623 function mydate() 624 { 625 local y=$( echo $1 | cut -d" " -f4 ) 626 local M=$( echo $1 | cut -d" " -f1 ) 627 local d=$( echo $1 | cut -d" " -f2 ) 628 local m 629 630 if [ ${d} -lt 10 ]; then d="0${d}"; fi 631 632 case $M in 633 Jan) m="01";; 634 Feb) m="02";; 635 Mar) m="03";; 636 Apr) m="04";; 637 May) m="05";; 638 Jun) m="06";; 639 Jul) m="07";; 640 Aug) m="08";; 641 Sep) m="09";; 642 Oct) m="10";; 643 Nov) m="11";; 644 Dec) m="12";; 645 esac 646 647 certdate="${y}${m}${d}" 648 } 649 650 function showhelp() 651 { 652 echo "`basename ${0}` creates a valid cacerts file for use with IcedTea." 653 echo "" 654 echo " -f --cafile The path to a file containing PEM" 655 echo " formated CA certificates. May not be" 656 echo " used with -d/--cadir." 657 echo "" 658 echo " -d --cadir The path to a directory of PEM formatted" 659 echo " CA certificates. May not be used with" 660 echo " -f/--cafile." 661 echo "" 662 echo " -o --outfile The path to the output file." 663 echo "" 664 echo " -k --keytool The path to the java keytool utility." 665 echo "" 666 echo " -s --openssl The path to the openssl utility." 667 echo "" 668 echo " -h --help Show this help message and exit." 669 echo "" 670 echo "" 671 } 672 673 # Initialize empty variables so that the shell does not pollute the script 674 CAFILE="" 675 CADIR="" 676 OUTFILE="" 677 OPENSSL="" 678 KEYTOOL="" 679 certdate="" 680 date="" 681 today=$( date +%Y%m%d ) 682 683 # Process command line arguments 684 get_args ${@} 685 686 # Handle common errors 687 if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then 688 echo "ERROR! You must provide an x509 certificate store!" 689 echo "\'$(basename ${0}) --help\' for more info." 690 echo "" 691 exit 1 692 fi 693 694 if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then 695 echo "ERROR! You cannot provide two x509 certificate stores!" 
696 echo "\'$(basename ${0}) --help\' for more info." 697 echo "" 698 exit 1 699 fi 700 701 if test "${KEYTOOL}x" == "x" ; then 702 echo "ERROR! You must provide a valid keytool program!" 703 echo "\'$(basename ${0}) --help\' for more info." 704 echo "" 705 exit 1 706 fi 707 708 if test "${OPENSSL}x" == "x" ; then 709 echo "ERROR! You must provide a valid path to openssl!" 710 echo "\'$(basename ${0}) --help\' for more info." 711 echo "" 712 exit 1 713 fi 714 715 if test "${OUTFILE}x" == "x" ; then 716 echo "ERROR! You must provide a valid output file!" 717 echo "\'$(basename ${0}) --help\' for more info." 718 echo "" 719 exit 1 720 fi 721 722 # Get on with the work 723 724 # If using a CAFILE, split it into individual files in a temp directory 725 if test "${CAFILE}x" != "x" ; then 726 TEMPDIR=`mktemp -d` 727 CADIR="${TEMPDIR}" 728 729 # Get a list of staring lines for each cert 730 CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1` 731 732 # Get a list of ending lines for each cert 733 ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1` 734 735 # Start a loop 736 for certbegin in `echo "${CERTLIST}"` ; do 737 for certend in `echo "${ENDCERTLIST}"` ; do 738 if test "${certend}" -gt "${certbegin}"; then 739 break 740 fi 741 done 742 sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem" 743 keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash` 744 echo "Generated PEM file with hash: ${keyhash}." 745 done 746 fi 747 748 # Write the output file 749 for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"` 750 do 751 752 # Make sure the certificate date is valid... 753 date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' ) 754 mydate "${date}" 755 if test "${certdate}" -lt "${today}" ; then 756 echo "${cert} expired on ${certdate}! Skipping..." 
757 unset date certdate 758 continue 759 fi 760 unset date certdate 761 ls "${cert}" 762 tempfile=`mktemp` 763 certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1` 764 certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1` 765 sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}" 766 echo yes | env LC_ALL=C "${KEYTOOL}" -import \ 767 -alias `basename "${cert}"` \ 768 -keystore "${OUTFILE}" \ 769 -storepass 'changeit' \ 770 -file "${tempfile}" 771 rm "${tempfile}" 772 done 773 774 if test "${TEMPDIR}x" != "x" ; then 775 rm -rf "${TEMPDIR}" 776 fi 777 exit 0</literal> 778 EOF 779 780 chmod -c 0755 /opt/jdk/bin/mkcacerts && 781 ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen> 782 783 <note> 784 <para> 785 Doing a very large copy/paste directly to a terminal may result in a 786 corrupted file. Copying to an editor may overcome this issue. 787 </para> 788 </note> 789 790 <para> 791 Generate the <application>OpenJDK</application> <filename>cacerts</filename> 792 file as the <systemitem class="username">root</systemitem> user: 793 </para> 794 795 <screen role="root"><userinput>if [ -f /etc/ssl/java/cacerts ]; then 796 mv /etc/ssl/java/cacerts \ 797 /etc/ssl/java/cacerts.bak 798 fi && 799 /opt/jdk/bin/mkcacerts \ 800 -d "/etc/ssl/certs/" \ 801 -k "/opt/jdk/bin/keytool" \ 802 -s "/usr/bin/openssl" \ 803 -o "/etc/ssl/java/cacerts"</userinput></screen> 563 <screen role="root"><userinput>ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen> 804 564 805 565 <para>Use the following commands to check if the … … 809 569 bin/keytool -list -keystore /etc/ssl/java/cacerts</userinput></screen> 810 570 811 <para>At the prompt "Enter keystore password:", press the "Enter" key if 812 there is no keystore password defined. If the <filename>cacerts</filename> 813 file was installed correctly, you will see a list of the certificates with 814 related information for each one. 
If not, you need to reinstall 815 them.</para> 571 <para>At the prompt "Enter keystore password:", enter "changeit" (the 572 default). If the <filename>cacerts</filename> file was installed 573 correctly, you will see a list of the certificates with related 574 information for each one. If not, you need to reinstall them.</para> 816 575 817 576 </sect3> … … 831 590 jarsigner, java, javac, javadoc, javah, javap, java-rmi.cgi, 832 591 jcmd, jconsole, jdb, jdeps, jhat, jinfo, jjs, jmap, jps, 833 jrunscript, jsadebugd, jstack, jstat, jstatd, keytool, mkcacerts,592 jrunscript, jsadebugd, jstack, jstat, jstatd, keytool, 834 593 native2ascii, orbd, pack200, policytool, rmic, rmid, rmiregistry, 835 594 schemagen, serialver, servertool, tnameserv, unpack200, … … 1128 887 </varlistentry> 1129 888 1130 <varlistentry id="mkcacerts">1131 <term><command>mkcacerts</command></term>1132 <listitem>1133 <para> is a simple script to extract x509 certificates and create1134 a JRE cacerts file using <command>keytool</command>.</para>1135 <indexterm zone="openjdk mkcacerts">1136 <primary sortas="b-mkcacerts">mkcacerts</primary>1137 </indexterm>1138 </listitem>1139 </varlistentry>1140 1141 889 <varlistentry id="native2ascii"> 1142 890 <term><command>native2ascii</command></term>
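Review bot: In the first hunk (new lines 557-563), the section no longer creates /etc/ssl/java/cacerts itself, yet it still runs "ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts" unconditionally. A reader who has not yet followed the cacerts page ends up with a dangling link, and -f has already replaced any existing file at the JRE path. The paragraph should state that the cacerts page must be completed before the link is made, rather than "should be used to update the file". Two wording fixes in the same added lines: "defualt" should be "default", and "Setup a symlink" should be "Set up a symlink".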
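Review bot: In the keystore check hunk (new lines 571-574), the text now tells the reader to enter "changeit" and drops the old fall-back of pressing Enter when no password is defined, but the only place this changeset showed that password being set was the removed script's "-storepass 'changeit'". Since the keystore is now produced by the instructions on the cacerts page, the paragraph should point there (an xref to "cacerts") for the password in use, so the two pages cannot drift apart. It would also help to say what a failed check looks like, since "If not, you need to reinstall them" gives the reader no symptom to match.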
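Review bot: The last hunk deletes the varlistentry with id="mkcacerts" together with its indexterm (old lines 1130-1139), so any remaining linkend="mkcacerts" elsewhere in the book sources will stop resolving. Please grep the tree for "mkcacerts" before merging; this changeset only shows the references inside openjdk.xml being removed (the installed programs list and this entry).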