From: Radoslav Petrov <more@edno.moe>
To: help-guix@gnu.org
Subject: Re: After installing Java, what should I set JAVA_HOME to?
Date: Sat, 12 Nov 2016 20:48:35 +0200
Message-ID: <4e5ee794-1d1a-c433-d72f-7eb4e113a60b@edno.moe>

Hi, all. Apologies for the bad formatting, but I wasn't a member of the
mailing list when this message was sent.

| Downloading https://services.gradle.org/distributions/gradle-3.0-bin.zip
|
| Exception in thread "main" javax.net.ssl.SSLException:
| java.lang.RuntimeException: Unexpected error:
| java.security.InvalidAlgorithmParameterException: the trustAnchors
| parameter must be non-empty
| (further stacktrace elided)
|
| When I run `sudo ./gradlew clean`, it works fine. My suspicion is that
| it's related to $JAVA_HOME being symlinked to something not owned by my
| current user (/home/zck/.guix-profile is a symlink to
| /var/guix/profiles/per-user/zck/guix-profile/, which is a symlink to
| /var/guix/profiles/per-user/zck/guix-profile-20-link/, which is a
| symlink to /gnu/store/c483gnpwwcmcwdbdba25q3c7x1g79mzm-profile/, which
| is owned by root/guixbuild, although this directory has permissions to
| read and execute for all users).
|
| Further supporting my suspicion that JAVA_HOME shouldn't be the guix
| profile is that I would think either guix or java should manage the
| directory, but not both.
|
| So my question is: what's going on here? What do I need to change to be
| able to run gradle as my current user? Thanks.

Two weeks ago I was playing with GuixSD and decided to try to run Apache
Tomcat on it. I've downloaded the Linux binary archive and installed
icedtea3 JDK (Java 8). I've hit the same problem described above: Java
is available and able to compile/run various code, but Tomcat was
throwing exceptions and was not able to start.
After some trials, errors and reading I've found the problem:
IcedTea is configured to use NSS service for handling the
cryptography operations. The default install/config of the IcedTea in
Guix configures "jdk_base_dir/jre/lib/security/nss.cfg" file correctly.
Mine looks like this:

    name = NSS
    nssLibraryDirectory = /gnu/store/p2d98rbmb5sl7xgca8rf96k6zq51cww6-nss-3.27.1/lib/nss
    nssDbMode = noDb
    attributes = compatibility
    handleStartupErrors = ignoreMultipleInitialisation

However, for these settings to take effect the JDK needs one more
setting in another file: "jdk_base_dir/jre/lib/security/java.security",
i.e. the same directory as "nss.cfg". Read the comments at the beginning
of the file to get a glimpse of what is configured there. If you look
VERY closely around "List of providers and their security settings" you
will see this:

    security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

This file exists (I'm not sure about this - I think I've found some file
without the setting) in Guix but doesn't have the correct location of
the NSS library set.

My workaround was to manually override the JDK security settings by
creating "nss.cfg" and "java.security" files in the Tomcat
"tomcat_base/bin" dir and pointing them to the correct locations. Here
is the JDK cmd option (setting it through /bin/setenv.sh):

    -Djava.security.properties=java.security

The contents of the custom "java.security" are copied from the original
file. Only the line for the "nss.cfg" is changed:

    security.provider.9=sun.security.pkcs11.SunPKCS11 nss.cfg

The contents of the custom "nss.cfg":

    name=NSS
    nssLibraryDirectory=/var/guix/profiles/per-user/zloster/guix-profile/lib/nss
    nssDbMode=noDb
    attributes=compatibility

Most probably this is not the most appropriate way to configure the
JDK/NSS relation in Guix but for a workaround it is fine.
Here is a screenshot of Tomcat running (glorious moment for me:) ):
https://www.edno.moe/image-share/2016-11-11-210342_1920x1080_scrot.png
About a proper fix: IMO the iced3 JDK Guix definition needs to process
the "java.security" file for the SunPKCS11 provider to override the
JAVA_HOME definition with the file in the current version/dir/instance
of the Guix package (I'm not sure about the correct term). But this has
to be done on each update/upgrade of the NSS package. So I'm not so sure
about the proper way to fix this packaging problem.
--
Поздрави, | Best regards,
Радослав Петров | Radoslav Petrov
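
Added example, not part of the original message and not Guix or IcedTea code: a shell check that follows the SunPKCS11 line in a "java.security" file to its "nss.cfg" and confirms that nssLibraryDirectory exists, which is the link the message describes as broken. The function names, the verdict strings and the sample tree are constructed for illustration, and resolving a relative "nss.cfg" against the JVM's start directory is an assumption.

```shell
#!/bin/sh
# Added example: check that the SunPKCS11 line in a java.security file leads
# to an nss.cfg whose nssLibraryDirectory exists. All paths are constructed.

# pkcs11_cfg_path JAVA_SECURITY JAVA_HOME BASE_DIR
# Prints the nss.cfg path from the SunPKCS11 provider line, expanding
# ${java.home}; a relative path is resolved against BASE_DIR (assumption:
# the directory the JVM is started from).
pkcs11_cfg_path() {
    tok='${java.home}'
    cfg=$(sed -n -e 's/[[:space:]]*$//' \
        -e 's/^security\.provider\.[0-9][0-9]*=sun\.security\.pkcs11\.SunPKCS11[[:space:]][[:space:]]*//p' \
        "$1" | head -n 1)
    [ -n "$cfg" ] || return 1
    case $cfg in "$tok"*) cfg=$2${cfg#"$tok"} ;; esac
    case $cfg in /*) printf '%s\n' "$cfg" ;; *) printf '%s\n' "$3/$cfg" ;; esac
}

# nss_library_dir NSS_CFG: prints the nssLibraryDirectory value, if any.
nss_library_dir() {
    sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*nssLibraryDirectory[[:space:]]*=[[:space:]]*//p' \
        "$1" | head -n 1
}

# check_pkcs11 JAVA_SECURITY JAVA_HOME BASE_DIR: prints a one-word verdict.
check_pkcs11() {
    cfg=$(pkcs11_cfg_path "$1" "$2" "$3") || { echo no-provider; return 1; }
    [ -r "$cfg" ] || { echo missing-cfg; return 1; }
    dir=$(nss_library_dir "$cfg")
    [ -n "$dir" ] && [ -d "$dir" ] || { echo missing-nss-dir; return 1; }
    echo ok
}

# Constructed demo: a stand-in java.home tree and an override directory.
demo=$(mktemp -d)
mkdir -p "$demo/jre/lib/security" "$demo/override" "$demo/nss"
printf '%s\n' 'security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg' \
    > "$demo/jre/lib/security/java.security"
printf 'name = NSS\nnssLibraryDirectory = %s\nnssDbMode = noDb\n' "$demo/gone" \
    > "$demo/jre/lib/security/nss.cfg"
printf '%s\n' 'security.provider.9=sun.security.pkcs11.SunPKCS11 nss.cfg' \
    > "$demo/override/java.security"
printf 'name=NSS\nnssLibraryDirectory=%s\nnssDbMode=noDb\n' "$demo/nss" \
    > "$demo/override/nss.cfg"
echo "broken sample: $(check_pkcs11 "$demo/jre/lib/security/java.security" "$demo/jre" "$demo")"
echo "override:      $(check_pkcs11 "$demo/override/java.security" "$demo/jre" "$demo/override")"
```
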