Adding CA certificate to java trust store on EJBCA Docker container

[jorgh6]

Hello,

In a lab environment I'm trying to setup a combination of OpenLDAP, EJBCA and Keycloak. All are running, but I'm having trouble switching from LDAP to LDAPS specifically in the connection between EJBCA and OpenLDAP.

I've configured all components, and generated certificates for OpenLDAP. Using the LDAP Admin windows client, I'm able to connect to OpenLDAP using LDAPS.

Next step is to configure the Publisher within EJBCA to use LDAPS (it works using LDAP plaintext already). When switching the connection to SSL on port 636 I get a connection error, which I believe to be caused by the java trust store within the docker container, not containing my own CA certificate.

From the documentation (https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/publishers-overview/ldap-publisher-ldap-search-publisher) I make out, that you manually need to add the CA certificate to the Java Trust store.

I've validated from the docker console that the certificate is not yet present in the trust store using: keytool -list -cacerts

In my quest to add the certificate I've downloaded the CA certificate in der format using:

ejbca.sh ca getcacert ManagementCA /tmp/myca.der -der

and subsequently importing this in the java trust store using:

keytool -import -noprompt -trustcacerts -alias ManagementCA -keystore /usr/lib/jvm/java-17-slim/lib/security/cacerts -storepass changeit -file /tmp/myca.der

or (as a warning indicates that -cacerts should be used instead)

ejbca-ce keytool -import -noprompt -cacerts -trustcacerts -alias ManagementCA -storepass changeit -file /tmp/myca.der

In both cases this results in the following:

Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /usr/lib/jvm/java-17-slim/lib/security/cacerts (Permission denied)

and when checking the java keystore again, it does not seem to be added.

Am I overlooking something? Or is this not possible in the docker variant of EJBCA? Or might it be a bug?

Thanks in advance for any help.

Regards,

Jorg

[primetomas]

/usr/lib/jvm/java-17-slim/lib/security/cacerts requires root permissions, in your OS, to be edited,simply use sudo to run the keytoold command.

sudo keytool -import ...

[jorgh6]

Hi Tomas,

That is one of the options I tried, but it seems sudo is not available within the docker container (keyfactor/ejbca-ce).

Regards,

Jorg

[primetomas]

Aha, you didn't mention that you were running the container. For containers you can build an overlay with your java truststore, you can mount in replacement files. But modifying files inside the container is not the proper way to do it. Generate it outside and mount in your new version.

[jorgh6]

Thanks Thomas for the reply,

I've moved the Java trust store to a docker volume, where i change the file permissions from the host system side, prior to running the command to add the CA certificate. Afterwards I restore the file permissions to the original access rights. This does the trick. It's a little easier, as I don't have the keytool installed on the host running the containers.

Regards,

Jorg