Reload Java cacerts without restarting JVM

We have a product that uses multiple servers, each using a Java-based control program. We need to add the SSL cert from each of these servers to the cacerts stores on a central control server. The problem is we need to do this without having to restart the JVM each time.

I've been looking for a solution for a few weeks but haven't found anything. Is it possible to reload the cacerts file without restarting the JVM?

I don't think it is, but want to be certain before I tell marketing the one thing they really really want can't be done....

RE: Reload Java cacerts without restarting JVM

I don't think you can do that unless you write your own security manager.

And this is for a good security reason: dynamically added certs are an important security flaw. Anyway, how often do you update your certs?


RE: Reload Java cacerts without restarting JVM

That's the big question. I thought the use case for this would be that it was something the customer didn't do very often, maybe once when a cluster was initially configured. But marketing found another use case where it would happen a lot more frequently, hence the issue being raised.

I've seen a few references to writing a security manager, overriding the TrustManager, but our system is built on REST-Restlet and I can see how I would do that in our architecture.

RE: Reload Java cacerts without restarting JVM

You would replace it so the JVM uses the new TrustManager, no matter what application is running. Anyway, I still can't see the case where the certs are so often changed. In most cases, certs are delivered offline to maintain security and its strength is mostly based on its stability.


RE: Reload Java cacerts without restarting JVM

How do you replace the JVM TrustManager?

The reason we need to add certs so often is that there is a central control server that talks to clients in a cluster via SSL/HTTPS. Each time a new client is added to the cluster (a cluster could have up to 100 clients added over a period of time) the client certificate needs to be added to the trust store, and each time that happens we would need to reload. The client cert is placed on the server via SFTP.

RE: Reload Java cacerts without restarting JVM

Why not just add all the certs? I've never replaced it, but it should be something like this
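
One way to get the behaviour asked about in this thread, as an added example that is not code from any of the posts: an `X509TrustManager` that delegates to a trust manager rebuilt from a keystore file whenever `reload()` is called, so handshakes after a reload see the newly imported client certificate without a JVM restart. The class name `ReloadableTrustManager`, the method `newContext()` and the use of a dedicated trust store file rather than the JRE `cacerts` are assumptions of the example.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
// Hypothetical class (added example): re-reads a trust store file on demand.
public final class ReloadableTrustManager implements X509TrustManager {
    private final Path storePath;   // assumption: a dedicated cluster trust store, not the JRE cacerts
    private final char[] password;
    private volatile X509TrustManager delegate;  // volatile: swapped atomically, read by handshake threads

    public ReloadableTrustManager(Path storePath, char[] password) throws Exception {
        this.storePath = storePath;
        this.password = password.clone();
        reload();
    }
    /** Call after a new client certificate has been imported into the store file. */
    public void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, password);  // fails (and keeps the old delegate) if the file is corrupt or tampered
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;  // swap only after a successful load
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + storePath);
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);  // full PKIX validation, never a trust-all shortcut
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    /** SSLContext whose new handshakes consult the current delegate. */
    public SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

The context from `newContext()` can be installed with `SSLContext.setDefault(...)` or handed to the HTTPS client's socket factory. Because every `reload()` widens what the server trusts, restrict write access to the store file and log each reload with the certificates that were added.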

