1

I use this command several times and it always works:

    cd ../../jdk/jre/lib/security
    keytool -import -trustcacerts -alias my.alias -file /../../myCert.crt -keystore cacerts

Now in OpenShift with a jboss-as 7:

    cd /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.95/jre/lib/security
    keytool -import -trustcacerts -alias my.alias -file /../.../myCert.crt -keystore cacerts

Error log is:

    Enter keystore password:
    Owner: CN=...
    Issuer: CN=...
    Serial number:....
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    keytool error: java.io.FileNotFoundException: cacerts (Permission denied)

Reviewing the archives, I see that the cacerts file is a symlink. This symlink has 0777 permissions but the source file has rw-r--r-- or 0644 permissions:

    /etc/pki/java/cacerts

So my questions are:

1.- How can I alter permissions in OpenShift? I tried and I get an error.

2.- Is there another way to add my certificate to the java cacerts file in OpenShift?

3.- Does OpenShift offer some configuration to do this?

Thanks in advance!

JRichardsz

2 Answers

2

I came across this question and found a solution.

At first, I copied the default keystore and added a custom certificate afterwards:

    # Copy the system truststore into a keystore the build user can write to
    RUN mkdir -p source/configuration/security && \
        keytool --importkeystore -noprompt \
        -srckeystore /etc/pki/ca-trust/extracted/java/cacerts \
        -srcstorepass changeit \
        -destkeystore source/configuration/security/<custom>.jks \
        -deststorepass changeit

    # Add the certificate files to the image
    ADD certificates /

    # Import the custom certificate into the copied keystore
    RUN keytool -import -v -file /certs/<my-certificate> \
        -keystore source/configuration/security/<custom>.jks \
        -noprompt -storepass changeit

Reporter
Jonas Janz
0

This is an operating systems permissions issue, not an openshift, PKI, or keytool issue. Perhaps you should use root/administrator access and modify the file permissions (e.g. chmod) so you can access it.

KyleM
  • Openshift does not allow super user access: http://stackoverflow.com/a/31322169/3957754. – JRichardsz Mar 28 '16 at 15:46
  • @JRichardsz Ok, then create a new cacerts keystore on a different machine and scp it to the openshift server. Configure your server product (e.g. webserver) to use the new cacerts keystore as the truststore. This varies by product so that's the best direction I can give you. If you can't SCP a different cacerts file, or modify the existing one then I see no way to do it. – KyleM Mar 28 '16 at 16:12
  • Thanks @KyleM. I will try it!! I'll tell you the result. Regards. – JRichardsz Mar 28 '16 at 16:33
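
The workaround both answers point to (import into a writable copy of the keystore, then use that copy as the truststore), as an added example that is not part of the original thread. The function names, paths and alias are hypothetical; it assumes Linux `readlink -f`, a JDK `keytool` on PATH, and an application that uses the JVM's default SSL context.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and paths are hypothetical.

# Real file behind a possibly symlinked cacerts path. The 0777 shown on a
# symlink is never checked by the kernel; only the target's mode matters.
resolve_store() {
    readlink -f "$1"
}

# Print the keystore to import into: the system store when its real file is
# writable, otherwise a private copy created under directory $2.
choose_truststore() {
    real=$(resolve_store "$1") || return 1
    if [ -w "$real" ]; then
        printf '%s\n' "$real"
        return 0
    fi
    mkdir -p "$2" || return 1
    cp "$real" "$2/cacerts.jks" || return 1
    # cp carries over the source's mode bits; make sure the owner can write
    chmod 600 "$2/cacerts.jks" || return 1
    printf '%s\n' "$2/cacerts.jks"
}

# Import one CA certificate and confirm the alias is present afterwards.
import_cert() {  # args: keystore alias cert-file storepass
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$4" || return 1
    keytool -list -alias "$2" -keystore "$1" -storepass "$4" >/dev/null
}

# JVM options that make the default SSL context trust the chosen keystore.
jvm_trust_opts() {  # args: keystore storepass
    printf '%s\n' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Typical use (placeholder paths and alias):
#   store=$(choose_truststore "$JAVA_HOME/jre/lib/security/cacerts" "$HOME/truststore")
#   import_cert "$store" my.alias /path/to/myCert.crt changeit
#   export JAVA_OPTS="$JAVA_OPTS $(jvm_trust_opts "$store" changeit)"
```

A private copy no longer follows updates to the system CA bundle, so it has to be rebuilt when the platform's `cacerts` changes.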