Solved

Java 7 Certificates



I have a web application that uses Java 7 and wanted to get it 'pre-approved' - which used to be easy with Apple's Java 6 as the certificates were originally distributed with MCX back in the day (which would now be done into the system keystore via Casper certificate distribution).

But I don't think there's a way to do this for Java 7, is there? I was feeling very pleased when I found the 'system' certificate store at

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/trusted.certs

and have got myself as far as importing a cert with keytool

keytool -importcert -noprompt -file mynewcert -keystore trusted.certs

But that requires an inline interactive password setting. Is there a better way of going about doing this? It's a lot of work when I could just e-mail everyone saying "when it comes up the first time tick the OK, and don't ask again" and that will put it in their user home (~/Application Support/Oracle/Java/Deployment/security/trusted.certs)

Best answer by NowAllTheTime

10 replies

  • Valued Contributor
  • 120 replies
  • Answer
  • March 25, 2014

This is the command that we have been trying; it accepts the command, but Java doesn't actually show our imported certs in the keystore GUI:

/Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/bin/keytool -importcert -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -alias YOURALIAS -noprompt -file /path/to/your/cert.cer

I haven't tried importing into 'trusted.certs' but maybe that also uses the default '-storepass changeit' I don't know if that helps at all in your case, but it's worth a shot. The documentation on enterprise management of the OS X Java 7 client is pretty weak. We've had to riff off of the Windows documentation for most of our implementation.
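The answer above keys the import on an alias, and a later post in this thread notes that the same certificate can end up listed twice under different aliases. As an added example (not code from this thread or from Oracle), the script below makes the import idempotent by comparing the certificate's fingerprint against what `keytool -list` already reports, and only then calls `keytool -importcert`. The plug-in paths and the `changeit` store password are assumptions taken from the discussion; `SAMPLE_LIST_OUTPUT` is a constructed sample of Java 7 `keytool -list` output used to exercise the parser offline.

```python
#!/usr/bin/env python3
"""Fingerprint-keyed import of a CA certificate into a Java keystore.

Added example for this thread (not code from the posts). The plug-in paths and
the 'changeit' store password are assumptions taken from the discussion above.
"""
import base64
import hashlib
import os
import re
import subprocess
import sys

PLUGIN_HOME = '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home'
KEYTOOL = os.path.join(PLUGIN_HOME, 'bin', 'keytool')              # assumed location
CACERTS = os.path.join(PLUGIN_HOME, 'lib', 'security', 'cacerts')  # assumed location
STOREPASS = 'changeit'  # default JRE cacerts password, as noted in the thread

PEM_RE = re.compile(rb'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)
ALIAS_RE = re.compile(r'^(.+?), .*\b(trustedCertEntry|PrivateKeyEntry|SecretKeyEntry)\b')
FP_RE = re.compile(r'^Certificate fingerprint \((SHA1|SHA-?256)\):\s*([0-9A-Fa-f:]+)')

# Constructed sample of `keytool -list` output (Java 7 prints SHA1 fingerprints).
SAMPLE_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

signerca, Mar 25, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
securesiteca, Mar 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
"""


def pem_to_der(data):
    """Return DER bytes for a PEM- or DER-encoded certificate (first block only)."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b''.join(match.group(1).split()))
    return data


def fingerprint(der, algo='sha1'):
    """Digest formatted the way keytool prints it: upper-case, colon separated."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keytool_list(output):
    """Map fingerprint -> (algorithm, alias). keytool prints the alias line
    directly before each fingerprint line, so track the last alias seen."""
    entries, alias = {}, None
    for line in output.splitlines():
        alias_match = ALIAS_RE.match(line)
        if alias_match:
            alias = alias_match.group(1)
            continue
        fp_match = FP_RE.match(line)
        if fp_match:
            entries[fp_match.group(2).upper()] = (fp_match.group(1).replace('-', ''), alias)
    return entries


def find_existing(entries, der):
    """Alias already holding this certificate, or None. Checking by fingerprint
    rather than alias avoids a second copy under a different alias."""
    for algo in ('sha1', 'sha256'):
        hit = entries.get(fingerprint(der, algo))
        if hit:
            return hit[1]
    return None


def import_cert(cert_path, alias, keytool=KEYTOOL, keystore=CACERTS, storepass=STOREPASS):
    """Import cert_path unless the keystore already contains it. Returns the
    alias that holds the certificate afterwards."""
    with open(cert_path, 'rb') as fh:
        der = pem_to_der(fh.read())
    listing = subprocess.check_output(
        [keytool, '-list', '-keystore', keystore, '-storepass', storepass],
        universal_newlines=True)
    existing = find_existing(parse_keytool_list(listing), der)
    if existing:
        return existing
    subprocess.check_call([keytool, '-importcert', '-noprompt', '-trustcacerts',
                           '-keystore', keystore, '-storepass', storepass,
                           '-alias', alias, '-file', cert_path])
    return alias


if __name__ == '__main__':
    # usage: sudo python3 import_ca.py /path/to/cert.cer YOURALIAS
    print(import_cert(sys.argv[1], sys.argv[2]))
```

The keystore must be writable by the caller, so the script is run with sudo against the system cacerts; running it twice, or after someone has already imported the same certificate under another alias, leaves the keystore unchanged.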


  • Original poster

STOREPASS - thank you, that did it. Staring me in the face in the -help output there. I think that did it.

(Oddly, it looks like the Java 7 install we have is confined to /Library/Internet Plug-Ins/JavaAppletPlugin.plugin and there's nothing in /Library/Java/JavaVirtualMachines)


  • Original poster

That answered my immediate issue - but annoyingly, though I now have a deployment-ready way to get the certificate into the Java 7 'system keystore', it still prompts the user, and after approving it manually you end up with the same certificate in both the user and system panes :-(


  • New Contributor
  • 7 replies
  • March 25, 2014

I wrote this quick and dirty Python script for handling this problem. It assumes that the certificate you want to add to the user's trusted.certs keystore exists in /private/tmp.

#!/usr/bin/env python

'''
This script allows you to import a certificate into
the Oracle Java trusted.certs keystore.

Created by James Barclay on 2014-03-10.

'''

from __future__ import print_function

import os
import plistlib
import subprocess
import sys

# Constants
ALIAS = 'your_alias'
INTERNET_PLUGINS = '/Library/Internet Plug-Ins'
JAVA_CERT = '/private/tmp/your_cert.cer'

JAVA_WEB_PLUGIN = os.path.join(INTERNET_PLUGINS, 'JavaAppletPlugin.plugin')


def get_console_user():
    '''Returns the currently logged-in user as
    a string, even if running as EUID root.'''
    if os.geteuid() == 0:
        # stat -f%Su prints the owner of /dev/console, i.e. the GUI user
        console_user = subprocess.check_output(['/usr/bin/stat',
                                                '-f%Su',
                                                '/dev/console']).decode('utf-8').strip()
    else:
        import getpass
        console_user = getpass.getuser()

    return console_user


def determine_java_vendor(info_plist):
    '''Determine Java vendor. Takes the path to
    a Java Info.plist file and returns a string
    of the Java vendor's name.'''
    java_vendor = None
    try:
        with open(info_plist, 'rb') as plist_file:
            # plistlib.load exists on Python 3.4+; readPlist on Python 2
            if hasattr(plistlib, 'load'):
                pl = plistlib.load(plist_file)
            else:
                pl = plistlib.readPlist(plist_file)
        # e.g. com.oracle.java.JavaAppletPlugin -> 'oracle'
        java_vendor = pl['CFBundleIdentifier'].split('.')[1]

    except KeyError:
        print('CFBundleIdentifier does not exist in %s.' % info_plist)

    except IOError:
        print('%s does not exist!' % info_plist)

    return java_vendor


def get_keytool_path(java_vendor):
    '''Returns the path to the keytool command-
    line utility.'''
    keytool_path = None
    if java_vendor == 'oracle':
        keytool_path = os.path.join(JAVA_WEB_PLUGIN, 'Contents/Home/bin/keytool')
    elif java_vendor == 'apple':
        keytool_path = '/usr/bin/keytool'

    return keytool_path


def cert_in_keystore(keytool, keystore, store_pass, alias):
    '''Returns True if the specified certificate
    alias exists in the specified keystore.'''
    try:
        if os.path.exists(keystore):
            # keytool exits non-zero when the alias is absent
            rc = subprocess.check_call([keytool,
                                        '-list',
                                        '-keystore',
                                        keystore,
                                        '-storepass',
                                        store_pass,
                                        '-alias',
                                        alias])
            if rc == 0:
                return True

    except subprocess.CalledProcessError as e:
        print('An error occurred when attempting to locate alias "%s" in %s. Probably ok. Error: %s' % (alias, keystore, e))

    return False


def add_cert_to_java_trusted_certs(keytool, store_pass, cert, keystore):
    '''Adds the specified certificate to the specified
    Java cacerts keystore.'''
    try:
        subprocess.check_output([keytool,
                                 '-import',
                                 '-v',
                                 '-noprompt',
                                 '-storepass',
                                 store_pass,
                                 '-alias',
                                 ALIAS,
                                 '-keystore',
                                 keystore,
                                 '-trustcacerts',
                                 '-file',
                                 cert])
    except subprocess.CalledProcessError as e:
        print('An error occurred when attempting to add %s to %s. Error: %s.' % (cert, keystore, e))


def main():
    real_java_path = os.path.realpath(JAVA_WEB_PLUGIN)
    java_info_plist = os.path.join(real_java_path, 'Contents/Info.plist')
    java_vendor = determine_java_vendor(java_info_plist)
    trusted_certs = '/Users/%s/Library/Application Support/Oracle/Java/Deployment/security/trusted.certs' % get_console_user()

    keytool = os.path.join(JAVA_WEB_PLUGIN, 'Contents/Home/bin/keytool')
    if not os.path.isfile(keytool):
        keytool = '/usr/bin/keytool'

    # A new keystore gets the default password; an existing user store has none
    store_pass = ''
    if not os.path.isfile(trusted_certs):
        store_pass = 'changeit'

    if os.path.exists(JAVA_CERT):
        if java_vendor == 'oracle':
            if cert_in_keystore(keytool, trusted_certs, store_pass, ALIAS):
                print('%s already exists in %s. Exiting now.' % (ALIAS, trusted_certs))
                sys.exit(1)
            else:
                print('Using %s to add %s to %s.' % (keytool, JAVA_CERT, trusted_certs))
                add_cert_to_java_trusted_certs(keytool, store_pass, JAVA_CERT, trusted_certs)
        elif java_vendor == 'apple':
            print('Unable to add certificate to trusted.certs. Modify com.apple.java.security.plist instead.')
            sys.exit(1)
        else:
            print('Unable to continue. Unknown Java vendor: %s.' % java_vendor)
            sys.exit(1)
    else:
        print('%s does not exist! Exiting now.' % JAVA_CERT)
        sys.exit(1)


if __name__ == '__main__':
    main()

  • Valued Contributor
  • 120 replies
  • March 25, 2014

Huh, I haven't tried setting it via the internet plug-ins path. I'll try that and see if it solves my problem. That's frustrating that it got you a little closer but still ends up with users getting prompted. JAVA!!!!


  • Contributor
  • 64 replies
  • March 26, 2014

@alan.trewartha: the JRE is contained in the Internet plug-in. Jason references the JDK.

We import into /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts btw.


  • Original poster

Thanks for clearing that up for me, and I'll try the cacerts file instead.


  • Original poster

I got it into the cacerts file - it appears listed as both "Signer CA" and "Secure Site CA". But amazingly I still get prompted to go through manually adding it in the 'user realm' and end up with it there under "Trusted certificates" too.

For anyone playing along at home, the "cacert" file has a default password of "changeit" (or "changeme" on some earlier versions) (which jason already mentioned! d'oh)


  • Valued Contributor
  • 120 replies
  • March 26, 2014

Ok, so I adjusted my command to the following and it is working everywhere I need it:

sudo "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/keytool" -importcert -keystore "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts" -storepass changeit -alias YOURALIAS -noprompt -file /path/to/your/cert.cer

We are also utilizing the DeploymentRuleSet.jar which allows us to whitelist websites, which might be something you need to stop getting that prompt.

Here are the instructions we followed for how to create the whitelist:

http://kylebubp.com/2013/11/use-java-whitelisting-to-further-secure-your-organization/

The only thing that we did differently from this document was placing the DeploymentRuleSet.jar in /Library/Application Support/Oracle/Java/Deployment/ instead of /etc/.java/deployment/
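The rule set the post above refers to is a ruleset.xml packaged into DeploymentRuleSet.jar, which must be signed by a certificate that chains to a CA the client JRE trusts (so the cacerts import from earlier in the thread and the rule set go together). As an added example (not the post author's tooling or Oracle's), the script below builds a whitelist rule set, validates that the catch-all block rule comes last, packages and signs it with `jar` and `jarsigner` from a JDK, and copies it to the install path named in the post. The JDK path, the signing keystore and alias, and the example hosts are assumptions; how the `location` attribute is matched (including wildcard hosts) depends on the JRE version, so check the rule set documentation for the version you deploy.

```python
#!/usr/bin/env python3
"""Build, sign and install a Java Deployment Rule Set.

Added example for this thread, not Oracle's tooling. The JDK path, the signing
keystore/alias and the example hosts are assumptions; the install path is the
one given in the post above.
"""
import os
import shutil
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET

# jar and jarsigner ship with a JDK, not with the browser plug-in JRE (assumed path).
JDK_BIN = '/Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/bin'
DRS_INSTALL_PATH = ('/Library/Application Support/Oracle/Java/Deployment/'
                    'DeploymentRuleSet.jar')


def build_ruleset(allowed_locations, block_message):
    """ruleset.xml text: one 'run' rule per allowed location, then a catch-all
    'block'. Rules are matched top to bottom and the first match wins, so the
    empty <id/> must come last or it would swallow everything."""
    root = ET.Element('ruleset', version='1.0+')
    for location in allowed_locations:
        rule = ET.SubElement(root, 'rule')
        ET.SubElement(rule, 'id', location=location)
        ET.SubElement(rule, 'action', permission='run')
    rule = ET.SubElement(root, 'rule')
    ET.SubElement(rule, 'id')
    action = ET.SubElement(rule, 'action', permission='block')
    ET.SubElement(action, 'message').text = block_message
    return ET.tostring(root, encoding='unicode')


def parse_rules(xml_text):
    """List of (location or None, permission) in rule order; used to check
    a rule set (hand-written or generated) before it is packaged."""
    root = ET.fromstring(xml_text)
    return [(rule.find('id').get('location'), rule.find('action').get('permission'))
            for rule in root.findall('rule')]


def validate_rules(rules):
    """True when exactly one catch-all rule exists and it is the last one."""
    catch_alls = [i for i, (location, _) in enumerate(rules) if location is None]
    return catch_alls == [len(rules) - 1]


def package_commands(workdir, keystore, alias, storepass):
    """Jar path plus argv lists for packaging and signing. The signing
    certificate must chain to a CA in the client JRE's cacerts, otherwise the
    rule set is ignored and users are prompted as before."""
    jar_path = os.path.join(workdir, 'DeploymentRuleSet.jar')
    return jar_path, [
        [os.path.join(JDK_BIN, 'jar'), 'cf', jar_path, '-C', workdir, 'ruleset.xml'],
        [os.path.join(JDK_BIN, 'jarsigner'), '-keystore', keystore,
         '-storepass', storepass, jar_path, alias],
    ]


def build_and_install(allowed_locations, keystore, alias, storepass,
                      message='Blocked by corporate Java policy.'):
    """Generate, validate, package, sign and install the rule set."""
    xml_text = build_ruleset(allowed_locations, message)
    if not validate_rules(parse_rules(xml_text)):
        raise ValueError('catch-all rule must be the last rule')
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, 'ruleset.xml'), 'w') as fh:
        fh.write(xml_text)
    jar_path, commands = package_commands(workdir, keystore, alias, storepass)
    for argv in commands:
        subprocess.check_call(argv)
    os.makedirs(os.path.dirname(DRS_INSTALL_PATH), exist_ok=True)
    shutil.copy(jar_path, DRS_INSTALL_PATH)
    return DRS_INSTALL_PATH


if __name__ == '__main__':
    # usage: sudo python3 build_drs.py signing.jks signingalias storepass https://intranet.example.com ...
    print(build_and_install(sys.argv[4:], sys.argv[1], sys.argv[2], sys.argv[3]))
```

Keep the signing key out of the rule set itself: the keystore given to jarsigner only needs to exist on the admin workstation, while the clients only need the issuing CA in their cacerts.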


  • Original poster

I thought I'd give that new-style whitelist JAR a shot, but I got a bit stuck at the jar signing. Looks like it would give us good control of this sort of thing - as would importing it properly into the system certs if I understood what I was doing and could spot what I was doing wrong in the first place!

