Creating a PKCS12 Truststore with more recent Java 11 releases is unreadable with IBM J9 (Java 8) #18

Open
bmarwell opened this issue Feb 17, 2022 · 0 comments


bmarwell commented Feb 17, 2022

Hi everyone!

Problem description

For my day work I create truststores from a database on the fly.
However, switching to IBM Semeru or more recent AdoptOpenJDK(!) versions will create a truststore which is unreadable with IBM J9.

The last version of Java 11 we found to create a "J9-valid" truststore was 11.0.6+10, OpenJ9 0.18.1.

We found out that using 11.0.13+8, OpenJ9 0.29.0 or the latest AdoptOpenJDK version of OpenJ9 (OpenJDK_11.0.10_9_openj9-0.24.0) will create "non-J9-valid" truststores.

Sample output

Here's a sample output.

Setup

$ ./wlp/java/./bin/java -version
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 8.0.7.0 - pap6480sr7-20211025_01(SR7))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64-Bit Compressed References 20211022_15212 (JIT enabled, AOT enabled)

Hint: We also get the error on Linux x64, so it is not specific to AIX ppc64.

  • Truststore 1 created with IBM Semeru 11.0.13+8, OpenJ9 0.29.0: test_java11_new_truststore_11.0.13+8_0.29.0.pk12
  • Truststore 2 created with AdoptOpenJDK Eclipse OpenJ9 11.0.6+10, OpenJ9 0.18.1: test_java11_new_truststore_11.0.6+10_0.18.1.pk12

Empty Truststore

We create an empty truststore beforehand:

keytool -genkeypair \
    -alias boguscert \
    -storepass "topsecretstorepass" -keypass "topsecretstorepass" \
    -keystore "$TRUSTSTORE_PATH" \
    -storetype PKCS12 \
    -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA" \
    -noprompt

keytool -delete \
    -alias boguscert \
    -storepass "topsecretstorepass" \
    -storetype PKCS12 \
    -keystore "$TRUSTSTORE_PATH" \
    -noprompt

Keytool output

# Truststore 1
# created with IBM Semeru 11.0.13+8, OpenJ9 0.29.0
$ ./wlp/java/./bin/keytool -list -keystore ~/test_java11_new_truststore_11.0.13+8_0.29.0.pk12 -storetype PKCS12 -v
keytool error (likely untranslated): java.io.IOException: Error extracting keyentry aliases from PFX

# did not work

# Truststore 2
# created with AdoptOpenJDK Eclipse OpenJ9, 11.0.6+10, OpenJ9 0.18.1
$ ./wlp/java/./bin/keytool -list -keystore ~/test_java11_new_truststore_11.0.6+10_0.18.1.pk12 -storetype PKCS12 -v
Enter keystore password:

# this works

Linked IBM issue

TS008467149
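
One way to see what differs between the two truststore files without loading them in either JVM, as an added example that is not part of the original report or of any project's code: list the algorithm OIDs each file carries and compare them. It assumes the files are definite-length DER; the function names and the two hex samples are constructed for illustration, and the report itself does not say which fields differ.

```python
# Constructed, PFX-shaped inputs (not usable keystores); they differ only in the MAC digest OID.
SAMPLE_A = bytes.fromhex("3035020103301106092a864886f70d010701a00404023000"
                         "301d3011300906052b0e03021a05000404deadbeef04040102030402022710")
SAMPLE_B = bytes.fromhex("3039020103301106092a864886f70d010701a00404023000"
                         "30213015300d060960864801650304020105000404deadbeef04040102030402022710")

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the definite-length DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def list_oids(buf):
    """Collect every OID, descending into constructed elements and nested-DER OCTET STRINGs."""
    found, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] EXPLICIT, ...
            found += list_oids(body)
        elif tag == 0x04 and body[:1] == b"\x30":  # PKCS#7 data wrapping a SEQUENCE
            try:
                found += list_oids(body)
            except (ValueError, IndexError):
                pass  # ordinary bytes (salt, digest) that only looked like DER
    return found

def only_in_each(a, b):
    """OIDs found in just one of two files, as (only_in_a, only_in_b)."""
    oa, ob = list_oids(a), list_oids(b)
    return [o for o in oa if o not in ob], [o for o in ob if o not in oa]
```

For real files, pass the bytes read from each `.pk12` file to `only_in_each`; encrypted bag contents are not decrypted, so only the unencrypted algorithm identifiers are listed.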
