8

Trying to import a CA Cert to my Java 6 truststore and am running into this error:

```
./keytool -v -import -trustcacerts -alias Rapidssl -file /Users/spurr/Desktop/rapidssl.cer -keystore /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
Enter keystore password:
Certificate was added to keystore
[Storing /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts]
keytool error: java.io.FileNotFoundException: /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts (Operation not permitted)
java.io.FileNotFoundException: /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts (Operation not permitted)
    at java.io.FileOutputStream.open(Native Method)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:194)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:84)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:902)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
```

I'm running that command as root as well so I'd think I have access to that cacerts keystore location. Using Java 6.

PurrBiscuit
  • 525
  • 2
  • 6
  • 19
  • are you in your home dir? I would update the JVM – bichito Jan 19 '17 at 17:01
  • this is what my $JAVA_HOME shows `$ echo $JAVA_HOME /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home` – PurrBiscuit Jan 19 '17 at 17:04
  • I meant from where you are issuing the command – bichito Jan 19 '17 at 17:05
  • furthermore - the `lib/security/cacerts` file is a symlink to a different `cacerts` file on my system - `/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security $ ls -al | grep cacerts lrwxr-xr-x 1 root wheel 81 Jan 5 11:13 cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts` – PurrBiscuit Jan 19 '17 at 17:05
  • i'm issuing the command from `/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin` – PurrBiscuit Jan 19 '17 at 17:06
  • I think you should try this in your home dir for many reasons – bichito Jan 19 '17 at 17:12
  • I just tried to in my home directory without any success `~ $ sudo /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/keytool -import -trustcacerts -alias Rapidssl -file /Users/spurr/Desktop/rapidssl.cer -keystore /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts` and got the same result as before `Enter keystore password: Certificate was added to keystore keytool error: java.io.FileNotFoundException: /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts (Operation not permitted)` – PurrBiscuit Jan 19 '17 at 17:20
  • as joeDoe user? Who is the actual user of the certs? – bichito Jan 19 '17 at 17:23
  • do man key tool. Keystores are created in the home directory of the user issuing the command. – bichito Jan 19 '17 at 17:26
  • the user that I login with - I'm running an application called "youtrack workflow editor" that uses java 6 – PurrBiscuit Jan 19 '17 at 17:27
  • sudo is superuser do. Remove the sudo and try it from your home dir. It works for me. – bichito Jan 19 '17 at 17:29
  • i've run the same command without `sudo` and got the same result. I'm also using the embedded `keytool` from within java - not from a local binary. – PurrBiscuit Jan 19 '17 at 17:31
  • I am out of ideas. Sudo will create the keystore in the root home dir. Probably something you don't want. My keytool points to /usr/bin/keytool which is a link to /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool – bichito Jan 19 '17 at 17:34
  • I don't want to "create" a keystore - I want to import a cacert into an existing cacerts keystore. – PurrBiscuit Jan 19 '17 at 17:40
  • The keystore is created when you import by default. So if the tool is pointing to a dir that has restrictions you would probably get the exception – bichito Jan 19 '17 at 17:43
  • what do you mean the keystore is "created"? I'm trying to import to an existing keystore using `-keystore /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/lib/security/cacerts` - what is there to create in this case? it already exists. – PurrBiscuit Jan 19 '17 at 17:49
  • this stackoverflow suggests it's an administrator level (sudo for mac) issue - http://stackoverflow.com/questions/10321211/java-keytool-error-after-importing-certificate-keytool-error-java-io-filenot?rq=1 although i'm still running into the issue – PurrBiscuit Jan 19 '17 at 17:50
  • The file not found exception is stating that you are not hitting the right keystore. – bichito Jan 19 '17 at 17:54
  • I just got it to work - it looks like it's a mac osx specific issue - you have to disable `csrutil` first during a reboot and then it will allow you to import certs to that keystore. Here's how it looks now - `sudo keytool -import -trustcacerts -alias rapidssl -file ~/Desktop/rapidssl.cer -keystore /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/lib/security/cacerts` and the result is `Password: Enter keystore password: Certificate was added to keystore` – PurrBiscuit Jan 19 '17 at 18:04
  • can you do it now as joseDoe? – bichito Jan 19 '17 at 18:39
  • no, now I get a (permission denied) error when not using `sudo` - `keytool error: java.io.FileNotFoundException: /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/lib/security/cacerts (Permission denied)` - but that makes sense to me because the cacerts keystore I'm trying to import into is owned by `root` – PurrBiscuit Jan 19 '17 at 18:43

3 Answers

10

I was hit by a similar issue on macOS Big Sur while starting a jnlp file:

```
CouldNotLoadArgumentException[ Could not load file/URL specified: /Users/jhartman/Documents/Favorities/NCC/NCC 123.jnlp]
....
Caused by: java.io.FileNotFoundException: /Users/jhartman/Documents/Favorities/NCC/NCC 123.jnlp (Operation not permitted)
```

Solution for this was:

  • Give Java (/usr/bin/java) Full Disk access
  • Give Java (/usr/bin/java) Files and Folders access to Downloads, Documents and Folders

Steps

  1. Open /usr/bin in Finder, e.g. by invoking from Terminal:

     ```
     jhartman@MBP ~ % open /usr/bin
     ```

  2. Locate java (and keytool)

  3. Open System Preferences and Security & Privacy. Open Full Disk Access tab and authorise

  4. Drag java and keytool from Finder window opened in step 1 and drop onto the App list in Full Disk Access

  5. Go to Security & Privacy -> Files and Folders, tick Downloads Folder and Document Folder for java and keytool

It was the solution for my problem, but I hope it should also sort out the keytool issue.

Jarek
  • 782
  • 5
  • 16
  • 2
    If even after providing required permissions and a restart the issue persists, move the required files into the src/main/resources folder. – suhas0sn07 Aug 10 '21 at 06:53
6

This seems to be a mac specific issue when the exception states (Operation not permitted) -

For anyone else having this problem you need to reboot your mac and press ⌘+R when booting up. Then go into Utilities > Terminal and type the following commands:

```
csrutil disable
reboot
```

You should be able to import cacerts to your Java keystore following that. Don't forget to reenable csrutil after you've imported that cacert. Reboot, press ⌘+R when booting up, Utilities > Terminal, enter:

```
csrutil enable
reboot
```
PurrBiscuit
  • 525
  • 2
  • 6
  • 19
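
An alternative that leaves System Integrity Protection on, as an added example that is not part of any answer in this thread: resolve the `cacerts` symlink described in the question's comments, and if the real file sits in a SIP-protected tree, import the CA into a private copy and point the JVM at it with the `javax.net.ssl.trustStore` system property. The protected-prefix list, the function names and the `$HOME/.truststore` location are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA without writing under /System.

# Follow symlinks hop by hop (older macOS readlink has no -f).
resolve_path() {
    p=$1
    hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$p")
        case $target in
            /*) p=$target ;;
            *)  p=$(dirname "$p")/$target ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# Return 0 if the path is under a tree SIP keeps read-only even for root.
# Assumed prefix list: /System, /bin, /sbin and /usr except /usr/local.
is_sip_protected() {
    case $1 in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "copy:<real path>" or "inplace:<real path>" for a keystore path.
plan_truststore() {
    real=$(resolve_path "$1")
    if is_sip_protected "$real"; then
        printf 'copy:%s\n' "$real"
    else
        printf 'inplace:%s\n' "$real"
    fi
}

# Usage: sh import_ca.sh <cacerts path> <ca.cer> <alias>
if [ "$#" -eq 3 ]; then
    plan=$(plan_truststore "$1")
    store=${plan#*:}
    if [ "${plan%%:*}" = copy ]; then
        dest="$HOME/.truststore/cacerts"   # hypothetical location
        mkdir -p "$HOME/.truststore" && cp "$store" "$dest" && chmod 600 "$dest"
        store=$dest
        echo "Launch the JVM with -Djavax.net.ssl.trustStore=$store"
    fi
    keytool -import -trustcacerts -alias "$3" -file "$2" -keystore "$store"
fi
```

The copy keeps the original keystore password, and only JVMs started with that property trust the added CA.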
0

I was running into this for files under my .metadata directory because I put my Eclipse workspace under Documents. Get around this by going into System Preferences->Privacy and adding access to particular Files and Folder for Eclipse or giving Eclipse Full Disk Access.

JAK
  • 11