Details

      Backports

        Description

        The OpenJDK 9 binary for Linux x64 contains an empty `cacerts` keystore. This prevents TLS connections from being established because there are no Trusted Root Certificate Authorities installed. You may see an exception like the following:

        `javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty`

        As a workaround, users can set the `javax.net.ssl.trustStore` System Property to use a different keystore. For example, the `ca-certificates` package on Oracle Linux 7 contains the set of Root CA certificates chosen by the Mozilla Foundation for use with the Internet PKI. This package installs a trust store at `/etc/pki/java/cacerts`, which can be used by OpenJDK 9.

        Only the OpenJDK 64 bit Linux download is impacted. This issue does not apply to any Oracle JRE/JDK download.

        Progress on open-sourcing the Oracle JDK Root CAs can be tracked through the issue JDK-8189131.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  rhalade Rajan Halade
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: