Bug 1567204
Summary: | OpenJDK not read jssecacerts file | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Deepu K S <dkochuka> | |
Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> | |
Status: | CLOSED ERRATA | QA Contact: | zzambers | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 7.4 | CC: | ahughes, alanm, dbhole, dkochuka, jdoyle, jherrman, jvanek, sgehwolf, vchoudha, zzambers | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | java-1.8.0-openjdk-1.8.0.172-5.b11.el7 | Doc Type: | Bug Fix | |
Doc Text: |
OpenJDK was recently updated to support reading the system certificate authority /etc/pki/java/cacerts database directly. As a consequence, this removed the ability to read certificates from the user-provided /usr/lib/jvm/<NVRA-of-JDK>/jre/lib/security/jssecacert file. With this update, that ability is restored by reading from that file first, if available.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1593736 1593737 (view as bug list) | Environment: | ||
Last Closed: | 2018-10-30 07:27:33 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1593736, 1593737 |
Description
Deepu K S
2018-04-13 14:47:43 UTC
This seems to be an oversight in PR2888 which shouldn't have altered the jssecacerts logic. The intention of that patch is simply to avoid traversing the symlink: $ ll /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts lrwxrwxrwx. 1 root root 41 Nov 21 13:16 /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts and use /etc/pki/java/cacerts directly. The symlink still needs to exist for some third-party software (e.g. Gradle, bug 1448802, https://github.com/gradle/gradle/issues/1782) that check specifically for that path, but is unused by the JDK itself. I'll fix this. Just side note - due to parallel install feature, the config files in jdk are handled by postinstall scriplets. This may lead to some unexpected issues like leftover old file in previous directory. However, all glitches should be already fixed, and I have not seen issue with cacerts and/or jssecacerts being left over or other way corrupted for at least year. More likely longer. Still It may be point worthy of double checking. Manually tested in rhel7 VM: package: java-1.8.0-openjdk-1.8.0.161-2.b14.el7_4.x86_64 result: PASSED I accidentally reported on rhel-7.4.z package here. However now I have also tested 7.6 package: package: java-1.8.0-openjdk-1.8.0.181-3.b04.el7 result: PASSED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3017 |