问题
Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very annoying since we have internal CAs for development environments, testing…
Is there a way to preserve keystore changes across Apple JSRs, and now, with Snow Leo JSR3, also across updates for the separate Java developer packages (whose JDKs use the same keystore)?
回答1:
[ This is outdated info - see the answer below for 10.6+ ]
/System/Library/Frameworks/JavaVM.framework/Home/
is a symlink to Versions/CurrentJDK/Home
within JavaVM.framework. Obviously this will change with a new Version. Use the full path (e.g. /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home
) and it won't change across updates.
回答2:
The following parameters can be used to specify the location of the cacerts file to java:
-Djavax.net.ssl.trustStore=<cacerts.location>
-Djavax.net.ssl.trustStorePassword=changeit
Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.
Two downsides to this approach are:
- Your file won't get any updates to the cacerts file in the sdk. This is primarily an issue if a certificate authority is compromised.
- Everywhere you need the custom cacerts (build tools, app server, etc), these parameters need to be specified.
回答3:
It seems things have changed in Mac OS X 10.6.8 Snow Leopard. Now /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
is a symlink to /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
, which won't change on updates, if we're lucky.
来源:https://stackoverflow.com/questions/4428901/how-to-preserve-the-cacerts-keystore-on-mac-across-updates