Re: After installing Java, what should I set JAVA_HOME to?

[Radoslav Petrov <more@edno.moe>]

[-- Attachment #1: Type: text/plain, Size: 4084 bytes --]

Hi, all. Apologises for the bad formatting but I wasn't member of the 
mailing list when this message was sent.
|    Downloading 
https://services.gradle.org/distributions/gradle-3.0-bin.zip
|
|    Exception in thread "main" javax.net.ssl.SSLException: 
java.lang.RuntimeException: Unexpected error: 
|java.security.InvalidAlgorithmParameterException: the trustAnchors 
parameter must be non-empty
|(further stacktrace elided)

| When I run `sudo ./gradlew clean`, it works fine. My suspicion is that 
it's related to $JAVA_HOME being symlinked to  something not owned by my 
current user (/home/zck/.guix-profile is a symlink to 
/var/guix/profiles/per-user/zck/guix-profile/, | which is a symlink to 
/var/guix/profiles/per-user/zck/guix-profile-20-link/, which is a 
symlink to /gnu/store/c483gnpwwcmcwdbdba25q3c7x1g79mzm-profile/, which 
is owned by root/guixbuild, although this directory has permissions to 
read and execute for all users).
|
| Further supporting my suspicion that JAVA_HOME shouldn't be the guix 
profile is that I would think either guix or java should manage the 
directory, but not both.
|
|So my question is: what's going on here? What do I need to change to be 
able to run gradle as my current user? Thanks.

Two weeks ago I was playing with GuixSD and decided to try to run Apache 
Tomcat on it. I've downloaded the Linux binary archive and installed 
icedtea3 JDK (Java 8). I've hit the same problem described above: Java 
is available and able to compile/run various code, but Tomcat was 
throwing exceptions and was not able to start.
After some trials, errors and reading I've found the problem:
   IcedTea is configured to use NSS service for handling the 
cryptography operations. The default install/config of the IcedTea in 
Guix configures "jdk_base_dir/jre/lib/security/nss.cfg" file correctly. 
Mine looks like this:

name = NSS

nssLibraryDirectory = /gnu/store/p2d98rbmb5sl7xgca8rf96k6zq51cww6-nss-3.27.1/lib/nss

nssDbMode = noDb

attributes = compatibility

handleStartupErrors = ignoreMultipleInitialisation

However this settings to take effect the JDK needs one more setting in 
another file: "jdk_base_dir/jre/lib/security/java.security" i.e. the 
same directory as "nss.cfg". Read the comments in the begging of the 
file to get a glimpse of what is configured there. If you look VERY 
closely around "List of providers and their security settings" you will 
see this:

security.provider.9=sun.security.pkcs11.SunPKCS11*${java.home}/lib/security/nss.cfg *

This file exists(I'm not sure about this - I think I've found some file 
without the setting) in Guix but doesn't have the correct location of 
the NSS library set.
My workaround was to manually override the JDK security settings by 
creating "nss.cfg" and "java.security" files in Tomcat "tomcat_base/bin" 
dir and point them to the correct locations. Here is the JDK cmd option 
(setting it through /bin/setenv.sh):

  -Djava.security.properties=java.security

The contents of the custom "java.security" are copied from the original 
file. Only the line for the "nss.cfg" is changed:

security.provider.9=sun.security.pkcs11.SunPKCS11 nss.cfg

The contents of the custom "nss.cfg"

name=NSS

nssLibraryDirectory=/var/guix/profiles/per-user/zloster/guix-profile/lib/nss

nssDbMode=noDb

attributes=compatibility

Most probably this is not the most appropriate way to configure the 
JDK/NSS relation in Guix but for a workaround it is fine.

Here is a screenshot of Tomcat running (glorious moment for me:) ): 
https://www.edno.moe/image-share/2016-11-11-210342_1920x1080_scrot.png

About a proper fix: IMO iced3 JDK Guix definition needs to process 
"java.security" file for the SunPKCS11 provider to override the 
JAVA_HOME definition with the file in the current version/dir/instance 
of the Guix package (I'm not sure for the correct term). But this have 
to be done on each update/upgrade of NSS package. So I'm not so sure 
about the proper way to fix this packaging problem.

-- 
Поздрави,       | Best regards,
Радослав Петров | Radoslav Petrov


[-- Attachment #2: Type: text/html, Size: 5043 bytes --]