Changeset 8b9034a for general/prog


Timestamp:
09/11/2013 05:21:08 PM (11 years ago)
Author:
Bruce Dubbs <bdubbs@…>
Branches:
10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children:
0c77342d
Parents:
eec1fd7
Message:

Add instructions to create cacerts for Open JDK.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11820 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:
1 edited

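--- a/general/prog/openjdk.xml
+++ b/general/prog/openjdk.xml
@@ -463,4 +463,253 @@
     </sect3>
 
+    <sect3 id='ojdk-certs'>
+      <title>Install or update the JRE Certificate Authority Certificates (cacerts) file</title>
+
+      <para>Use the following procedure to check if the cacerts file was
+      successfully installed during the OpenJDK installation or if the <xref
+      linkend="cacerts"/> have been updated, the following instructions will
+      generate a new JRE <filename>cacerts</filename> file. First, check if the
+      <filename>cacerts</filename> have been successfully installed: </para>
+
+<screen role="root"><userinput>cd /opt/jdk
+bin/keytool -list -keystore jre/lib/security/cacerts</userinput></screen>
+
+      <para>At the prompt "Enter keystore password:", press the "Enter" key if
+      there is no keystore password defined. If the
+      <filename>cacerts</filename> was installed correctly, you will see a
+      list of the certificates with related information for each one. If not,
+      you need to manually install them. First, generate the
+      <command>mkcacerts</command> script as the
+      <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>cat &gt; /opt/jdk/bin/mkcacerts &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+function get_args()
+    {
+        if test -z "${1}" ; then
+            showhelp
+            exit 1
+        fi
+
+        while test -n "${1}" ; do
+            case "${1}" in
+                -f | --cafile)
+                    check_arg $1 $2
+                    CAFILE="${2}"
+                    shift 2
+                    ;;
+                -d | --cadir)
+                    check_arg $1 $2
+                    CADIR="${2}"
+                    shift 2
+                    ;;
+                -o | --outfile)
+                    check_arg $1 $2
+                    OUTFILE="${2}"
+                    shift 2
+                    ;;
+                -k | --keytool)
+                    check_arg $1 $2
+                    KEYTOOL="${2}"
+                    shift 2
+                    ;;
+                -s | --openssl)
+                    check_arg $1 $2
+                    OPENSSL="${2}"
+                    shift 2
+                    ;;
+                -h | --help)
+                    showhelp
+                    exit 0
+                    ;;
+                *)
+                    showhelp
+                    exit 1
+                    ;;
+            esac
+        done
+    }
+
+function check_arg()
+    {
+        echo "${2}" | grep -v "^-" > /dev/null
+        if [ -z "$?" -o ! -n "$2" ]; then
+            echo "Error:  $1 requires a valid argument."
+            exit 1
+        fi
+    }
+
+# The date binary is not reliable on 32bit systems for dates after 2038
+function mydate()
+    {
+        local y=$( echo $1 | cut -d" " -f4 )
+        local M=$( echo $1 | cut -d" " -f1 )
+        local d=$( echo $1 | cut -d" " -f2 )
+        local m
+
+        if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+        case $M in
+            Jan) m="01";;
+            Feb) m="02";;
+            Mar) m="03";;
+            Apr) m="04";;
+            May) m="05";;
+            Jun) m="06";;
+            Jul) m="07";;
+            Aug) m="08";;
+            Sep) m="09";;
+            Oct) m="10";;
+            Nov) m="11";;
+            Dec) m="12";;
+        esac
+
+        certdate="${y}${m}${d}"
+    }
+
+function showhelp()
+    {
+        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
+        echo ""
+        echo "        -f  --cafile        The path to a file containing PEM formated CA"
+        echo "                            certificates.  May not be used with -d/--cadir."
+        echo "        -d  --cadir         The path to a diectory of PEM formatted CA"
+        echo "                            certificates.  May not be used with -f/--cafile."
+        echo "        -o  --outfile       The path to the output file."
+        echo ""
+        echo "        -k  --keytool       The path to the java keytool utility."
+        echo ""
+        echo "        -s  --openssl       The path to the openssl utility."
+        echo ""
+        echo "        -h  --help          Show this help message and exit."
+        echo ""
+        echo ""
+    }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+OPENSSL=""
+KEYTOOL=""
+certdate=""
+date=""
+today=$( date +%Y%m%d )
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+    echo "ERROR!  You must provide an x509 certificate store!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+    echo "ERROR!  You cannot provide two x509 certificate stores!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid keytool program!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OPENSSL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid path to openssl!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+    echo "ERROR!  You must provide a valid output file!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+    TEMPDIR=`mktemp -d`
+    CADIR="${TEMPDIR}"
+
+    # Get a list of staring lines for each cert
+    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Get a list of ending lines for each cert
+    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Start a loop
+    for certbegin in `echo "${CERTLIST}"` ; do
+        for certend in `echo "${ENDCERTLIST}"` ; do
+            if test "${certend}" -gt "${certbegin}"; then
+                break
+            fi
+        done
+        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem"
+        keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
+        echo "Generated PEM file with hash:  ${keyhash}."
+    done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+
+    # Make sure the certificate date is valid...
+    date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' )
+    mydate "${date}"
+    if test "${certdate}" -lt "${today}" ; then
+        echo "${cert} expired on ${certdate}! Skipping..."
+        unset date certdate
+        continue
+    fi
+    unset date certdate
+    ls "${cert}"
+    tempfile=`mktemp`
+    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+    echo yes | env LC_ALL=C "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
+                   "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+    rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+    rm -rf "${TEMPDIR}"
+fi
+exit 0</literal>
+EOF
+
+chmod -c 0755 /opt/jdk/bin/mkcacerts</userinput></screen>
+ 
+  <note>
+    <para>
+      Doing a very large copy/paste directly to a terminal may result in a
+      corrupted file.  Copying to an editor may overcome this issue.
+    </para>
+  </note>
+
+    <para>After making a backup of the
+    <filename>/opt/jdk/jre/lib/security/cacerts</filename> file, if there is
+    any.  To create a new one, as the
+    <systemitem class="username">root</systemitem> user:</para>
+
+<screen><userinput>/opt/jdk/bin/mkcacerts -d "/etc/ssl/certs/"  -k "/opt/jdk/bin/keytool" \
+                       -s "/usr/bin/openssl" -o "/opt/jdk/jre/lib/security/cacerts"</userinput></screen>
+
+    </sect3>
+
   </sect2>
 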
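Review bot: In the embedded mkcacerts script, check_arg never rejects an option value that begins with a dash, because `[ -z "$?" -o ! -n "$2" ]` tests the literal string "$?" (never empty) rather than the exit status of the preceding grep, so the grep result is discarded and only the empty case is caught; a missing value followed by the next flag is therefore accepted as a path. The grep and the test can be replaced by `case "${2}" in ""|-*) echo "Error:  $1 requires a valid argument."; exit 1 ;; esac`. The call `get_args ${@}` should also be quoted as `get_args "${@}"` so a keytool, openssl or store path containing a space reaches the option parser as one word. The script is headed `#!/bin/sh` but relies on `function`, `local` and `test ... == ...`, which are Bash extensions; either change the shebang to `#!/bin/bash` or use `=` in the test calls so the script does not fail on a POSIX sh.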