On 10/2/25 8:31 AM, Baesken, Matthias wrote:
Hi Sean, what you propose sounds really good.
The DKSTest I found
https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/DKSTest.java#L111
mentions also ‘system’, is this the system (OS, e.g. Windows) –
keystore or the cacert?
No, that's just the name of the domain in the config file:
https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/domains.cfg
See also the constructor which explains the URI parameter:
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html#%3Cinit%3E(java.net.URI,java.util.Map)
--Sean
The documentation at
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
mentions ‘system’ as keystore system-truststore but there it is
pointing to keystoreURI="${java.home}/lib/security/cacerts";
Best regards, Matthias
>Hi,
>There is already a feature in the JDK that is close to what you are
>looking for. There is a KeyStore type called "DKS" (called the
>DomainKeyStore). See
>https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
>for more info on how to configure it.
>Basically, it uses a config file to present a collection of keystores
>as one logical keystore.
>Currently there is no way to specify the configuration file as a
>system property, so you would have to write a custom TrustManagerFactory.
>I would try seeing if this solution is workable and we can think
>about whether adding a system property for the config file is
>something that would be useful.
>--Sean
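
Added example, not part of the original thread and not JDK project code: one way to load a DKS domain that combines the JDK cacerts with a second truststore and hand it to a TrustManagerFactory, as discussed above. The domain name `combined`, the keystore name `extra-truststore`, the temp files and the sample password are assumptions made up for illustration; the example also assumes the shipped cacerts loads without a password.

```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class DksTrustExample {
    public static void main(String[] args) throws Exception {
        char[] extraPw = "changeit".toCharArray(); // constructed sample password

        // Constructed stand-in for an application truststore (empty PKCS12 file).
        Path extra = Files.createTempFile("extra-trust", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(extra)) {
            empty.store(out, extraPw);
        }

        // Domain config: cacerts plus the extra truststore as one logical keystore.
        Path cfg = Files.createTempFile("domains", ".cfg");
        Files.writeString(cfg, String.join("\n",
            "domain combined {",
            "    keystore system-truststore",
            "        keystoreURI=\"${java.home}/lib/security/cacerts\";",
            "    keystore extra-truststore",
            "        keystoreType=\"PKCS12\"",
            "        keystoreURI=\"" + extra.toUri() + "\";",
            "};"));

        // The URI fragment selects the domain by its name in the config file.
        URI domain = new URI(cfg.toUri() + "#combined");
        // Passwords are keyed by keystore name; cacerts is loaded without one.
        Map<String, KeyStore.ProtectionParameter> passwords = Map.of(
            "extra-truststore", new KeyStore.PasswordProtection(extraPw));
        KeyStore dks = KeyStore.getInstance("DKS");
        dks.load(new DomainLoadStoreParameter(domain, passwords));

        // Build trust managers from the combined view and use them for TLS.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(dks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("entries visible through the domain: " + dks.size());
    }
}
```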