RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1440963 - RFC: easier overriding of java.security file
Summary: RFC: easier overriding of java.security file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 6.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: jiri vanek
QA Contact: BaseOS QE - Apps
Vladimír Slávik
URL:
Whiteboard:
Depends On:
Blocks: 1374441 1461138 1503147 1504312
TreeView+ depends on / blocked
 
Reported: 2017-04-10 20:37 UTC by Paulo Andrade
Modified: 2021-09-09 12:14 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-06-19 05:23:45 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1924 0 None None None 2018-06-19 05:26:14 UTC

Description Paulo Andrade 2017-04-10 20:37:03 UTC 
User asked about possibly having java.security
as an alternatives, so that one could create a
rpm and override it on upgrades.

  One option could be to have something like a
/etc/security/java/ directory or just a file named
/etc/security/java.security

  User would also to know about how will it be
handled in java 9.

  Reason of the RFC is that editing that file does
not provide a clean upgrade path, as the file is
not removed, and changes there are not propagated.

  The query is about clean update procedures on
several servers.
Comment 2 Deepak Bhole 2017-08-08 18:53:39 UTC 
Jiri, is the non-propagation of change expected? Seems like a bug does it not?
Comment 3 jiri vanek 2017-08-14 13:57:11 UTC 
First - there are intentions to move all java config files to /etc/java/NVRA in jdk9 (it is hard to imagine this done in already existing jdks)
With this done, it make sense to have the configurations switch-able by configurations. Still I'm a bit against.

(In reply to Deepak Bhole from comment #2)
> Jiri, is the non-propagation of change expected? Seems like a bug does it
> not?

The propagation reorter have in mind is tricky. There was recently bug, that the propagation does happen.

Current state should be very correct - after update - as we keep java.security as config(norepalce)  then after update, you have java.security.rpmnew and your changed one is still there.

Lukas, can you please double check?
Comment 6 Deepak Bhole 2017-10-02 20:15:03 UTC 
Adding NEEDINFO for Lukas. Lukas, please see comment #5
Comment 9 jiri vanek 2017-10-26 15:19:23 UTC 
Hello! 

(In reply to Paulo Andrade from comment #0)
> 
>   User would also to know about how will it be
> handled in java 9.
> 
>   Reason of the RFC is that editing that file does
> not provide a clean upgrade path, as the file is
> not removed, and changes there are not propagated.
> 
>   The query is about clean update procedures on
> several servers.

Paulo, is this root cause stil valid? java.security should have already clear update path. If not, then it (theupdate path) will be fixed in 6.10, but no alterantives over  this file are planned.  Are you ok with this statement?
If clean update path exists, is the bug considered as resolved?
Comment 10 Paulo Andrade 2017-10-26 16:35:42 UTC 
  The issue is this:

1. customer has custom
   /usr/lib/jvm/java-{openjdk,oracle}-1.7.0.XX.x86_64/jre/lib/security/java.security
2. when updating to a new rpm/build it ends with:
   /usr/lib/jvm/java-{openjdk,oracle}-1.7.0.YY.x86_64/jre/lib/security/java.security
   and the custom java.security still in the -XX directory.

  If the current state is to move the custom
  /usr/lib/jvm/java-{openjdk,oracle}-1.7.0.XX.x86_64/jre/lib/security/java.security
  to
  /usr/lib/jvm/java-{openjdk,oracle}-1.7.0.YY.x86_64/jre/lib/security/java.security
  on upgrade, then the initial report is corrected.
Comment 11 jiri vanek 2017-10-27 07:04:30 UTC 
Yes, that is how it is supposed to work, and should get even a bit more better.

Based on this, Lukas, may you ack? Lets have this 100% covered i erratum.
Comment 26 errata-xmlrpc 2018-06-19 05:23:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1924
Note You need to log in before you can comment on or make changes to this bug.