Java upgrade removes CA cert for LDAP connection



boblmartens
01-Jun-2015, 19:16
We load our institutional CA into the Java keystore for LDAP connections. After a recent Java upgrade, that CA was not loaded automatically and it looks like the keystore that we had loaded it into was replaced.

Is there some blessed way to load CA certs into the keystore so that they are kept around even on upgrades?

Running SLES 12 at the moment. Thanks!

ab
01-Jun-2015, 20:22
Most of the time it is the best practice to have the code running within
Java use a truststore outside of the JRE but specific to the application
for this exact reason. It's Sun/Oracle's job to keep us safe by replacing
that file with new trusted CAs, removing old untrusted CAs, and that
cannot happen in the situation as developed. On the other hand, there are
articles aplenty on how to code an application to use a truststore loaded
at runtime, and many applications have this option present by default.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
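
The approach ab describes, as an added example that is not code from this thread or from any of its posters: the application loads its own truststore at runtime, kept outside the JRE so that a Java upgrade that swaps `cacerts` leaves it untouched, and uses it for the LDAPS connection. The truststore path, LDAP URL, bind DN and environment variable names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class LdapsWithAppTruststore {

    // Hypothetical locations. The truststore is created once with keytool, e.g.
    //   keytool -importcert -trustcacerts -alias institutional-ca -file ca.pem \
    //           -keystore /etc/myapp/truststore.p12 -storetype PKCS12
    // and lives outside $JAVA_HOME, so a JRE upgrade cannot replace it.
    static final String TRUSTSTORE = "/etc/myapp/truststore.p12";
    static final String LDAP_URL   = "ldaps://ldap.example.org:636/";

    /** Build an SSLContext whose trust anchors are exactly the CAs in the app's own truststore. */
    static SSLContext sslContextFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");   // "JKS" for a legacy .jks file
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                   // trust only what is in this file
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate needed
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = sslContextFrom(TRUSTSTORE, pw);

        // JNDI's ldaps:// handling takes its sockets from SSLSocketFactory.getDefault(),
        // which is backed by the JVM-wide default SSLContext. This therefore changes the
        // trust anchors for every TLS client in the JVM, not only the LDAP connection.
        SSLContext.setDefault(ctx);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc-myapp,ou=services,dc=example,dc=org");
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));

        DirContext dir = new InitialDirContext(env);    // handshake validated against TRUSTSTORE
        System.out.println("Connected to " + LDAP_URL + " using CAs from " + TRUSTSTORE);
        dir.close();
    }
}
```

For code you cannot change, the same effect comes from launching the JVM with `-Djavax.net.ssl.trustStore=/etc/myapp/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=...`, which also keeps the institutional CA out of the upgradeable `cacerts` file.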

boblmartens
01-Jun-2015, 20:32
Could you point me at one? I'm super lazy. :-)


Most of the time it is the best practice to have the code running within
Java use a truststore outside of the JRE but specific to the application
for this exact reason. It's Sun/Oracle's job to keep us safe by replacing
that file with new trusted CAs, removing old untrusted CAs, and that
cannot happen in the situation as developed. On the other hand, there are
articles aplenty on how to code an application to use a truststore loaded
at runtime, and many applications have this option present by default.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

ab
01-Jun-2015, 20:59
First hit from Google querying for java use custom truststore:

http://stackoverflow.com/questions/24555890/using-a-custom-truststore-in-java-as-well-as-the-default-one

