1

I am using macOS 10.12.6 (16G1510). My Java is:

$ java -version
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

$ /usr/libexec/java_home -V
Matching Java Virtual Machines (3):
    1.8.0_172, x86_64:  "Java SE 8" /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home
    1.6.0_65-b14-468, x86_64:   "Java SE 6" /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
    1.6.0_65-b14-468, i386: "Java SE 6" /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home

/Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home

There is /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts, but there is no security subfolder under /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/lib/.

I found a fix cd $(/usr/libexec/java_home -v 1.7)/jre/lib/security ln -fsh /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts from here. but in this case, /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/cacerts exists and will be overwritten.

When I run a spark job in scala, I got the following error:

ForkJoinPool-1-worker-13, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I searched and found that something may be missing in /etc/ssl/certs/java/cacerts, but this is for ubuntu. I have no idea how to verify and fix this issue in mac. btw, there is no /etc/ssl/certs/java directory in my mac.

Any ideas welcomed. Thanks

UPDATE

Now, /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts. Problem NOT solved.

And I found /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts does not exist.

BAE
  • 8,550
  • 22
  • 88
  • 171

3 Answers3

1

This is minor variation on my answer to "Updating java 6 cacerts with those from java 8

Situation: Needed to use jdk6 locally for comparative testing. Observation: All maven-initiated downloads failed with peer not authenticated. Problem: The jdk6 installation's key security files resolved to nonexistent locations.

Versions of things:

working $ $mvn --version
Apache Maven 3.1.1 (0728685237757ffbf44136acec0402957f723d9a; 2013-09-17 09:22:22-0600)
Maven home: /usr/local/Cellar/maven@3.1/3.1.1/libexec
Java version: 1.6.0_65, vendor: Apple Inc.
Java home: /Library/Java/JavaVirtualMachines/jdk1.6.0_65.jdk/Contents/Home
Default locale: en_US, platform encoding: MacRoman
OS name: "mac os x", version: "10.13.6", arch: "x86_64", family: "mac"

A working solution: replace broken symlinks with links to corresponding files in (working) jdk

# store path to java 6 home
tmp $ j6Security=$(/usr/libexec/java_home -v '1.6*')/lib/security;

# show pre-update state
tmp $ ls -la  "$j6Security"
total 16
drwxr-xr-x  10 root  wheel    320 Jan 20 19:39 .
drwxr-xr-x  41 root  wheel   1312 Jan 20 19:39 ..
-rw-r--r--   1 root  wheel   2469 Jul 14  2015 US_export_policy.jar
lrwxr-xr-x   1 root  wheel     79 Jan 20 19:39 blacklist -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/blacklist
lrwxr-xr-x   1 root  wheel     81 Jan 20 19:39 cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
-rw-r--r--   1 root  wheel   3443 Jul 14  2015 java.policy
-rw-r--r--   1 root  wheel  13458 Jul 14  2015 java.security
-rw-r--r--   1 root  wheel   2486 Jul 14  2015 local_policy.jar
-rw-r--r--   1 root  wheel    347 Jul 14  2015 sunpkcs11-macosx.cfg
lrwxr-xr-x   1 root  wheel     87 Jan 20 19:39 trusted.libraries -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/trusted.libraries

# store path to current (i.e., switcher) home
tmp $ jXSecurity=/Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security;

# replace (broken) j6 files with symlink to current files
tmp $ for file in blacklist cacerts trusted.libraries; do src="${jXSecurity}/${file}" tgt="${j6Security}/${file}"; test -f $tgt && sudo rm $tgt; sudo ln -s "$src" "$tgt"; done

# show post-update state
tmp $ ls -la "$j6Security"
total 16
drwxr-xr-x  10 root  wheel    320 Jan 20 20:33 .
drwxr-xr-x  41 root  wheel   1312 Jan 20 19:39 ..
-rw-r--r--   1 root  wheel   2469 Jul 14  2015 US_export_policy.jar
lrwxr-xr-x   1 root  wheel     87 Jan 20 20:33 blacklist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/blacklist
lrwxr-xr-x   1 root  wheel     85 Jan 20 20:33 cacerts -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts
-rw-r--r--   1 root  wheel   3443 Jul 14  2015 java.policy
-rw-r--r--   1 root  wheel  13458 Jul 14  2015 java.security
-rw-r--r--   1 root  wheel   2486 Jul 14  2015 local_policy.jar
-rw-r--r--   1 root  wheel    347 Jul 14  2015 sunpkcs11-macosx.cfg
lrwxr-xr-x   1 root  wheel     95 Jan 20 20:33 trusted.libraries -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/trusted.libraries

At first, I pinned to java 8, something like j8Security=$(/usr/libexec/java_home -v '1.8*') instead of jXSecurity=/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/trusted.libraries. Also, instead of linking, you could just copy the files. (Copying "felt" worse to me, but the linking to a specific working version does seem safer. I was just trying to learn how macos was setup and stopped where I stopped.)

I struggled to find an exact solution on the web, but something that caught my attention and seems worth highlighting: *If the the type of the cacerts store is changed* in future versions of java, linking to the "Current" version (the virtual version the java plugin automatically updates) could cause problems. If that concerns you, pinning (or copying) is probably better. (My primary jdk is jdk8, and I do not see a newer version on the horizon for my work. :L)

For those who like bash one-liners when getting stuff done:

ls -la "$j6Security"; j6Security=$(/usr/libexec/java_home -v '1.6*')/lib/security; jXSecurity=/Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security; for file in blacklist cacerts trusted.libraries; do src="${jXSecurity}/${file}" tgt="${j6Security}/${file}"; test -f $tgt && sudo rm $tgt; sudo ln -s "$src" "$tgt"; done; ls -la "$j6Security"

or just the commands

ls -la "$j6Security"
j6Security=$(/usr/libexec/java_home -v '1.6*')/lib/security
jXSecurity=/Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security
for file in blacklist cacerts trusted.libraries; do
  src="${jXSecurity}/${file}" tgt="${j6Security}/${file}"
  test -f $tgt && sudo rm $tgt
  sudo ln -s "$src" "$tgt"
done
ls -la "$j6Security"

Notes: - The quotes are needed around $jXSecurity because the space in "Internet Plug-Ins" needs to be preserved. (The assignment does not require quotes because the space is escaped with a backslash (\).) - I did try reinstalling. - The macos java 6 legacy installer is available at https://support.apple.com/downloads/java-6. - I had 1.6.0_37-b06-434.jdk/ on my machine from many OS upgrades prior, and it is broken in a similar fashion. (This was the version I was using when I initially encountered the issue. I only found the newer download while exploring the inter tubes.)

lpearson
  • 641
  • 5
  • 3
0

I had a similar issue with Corretto-11.0.6. After spending couple of hours found that it has been fixed in this release. It also works fine with Corretto-11.0.7 which is the latest release of Corretto 11 as of today.

GSSwain
  • 5,787
  • 2
  • 19
  • 24
-2

I had a similar problem. I added the following in ~/.bash_profile 

export JAVA_HOME=$(/usr/libexec/java_home)
export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustAnchors=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts"

Then source ~/.bash_profile

to load the changes.

bsorek
  • 1