For my day work I create truststores from a database on the fly.
However, switching to IBM Semeru or more recent AdoptOpenJDK(!) versions will create a truststore which is unreadable with IBM J9.
The last version of Java 11 we found to create a "J9-valid" truststore was 11.0.6+10, OpenJ9 0.18.1.
We found out that using 11.0.13+8, OpenJ9 0.29.0 or the latest AdoptOpenJDK version of OpenJ9 (OpenJDK_11.0.10_9_openj9-0.24.0) will create "non-J9-valid" truststores.
Sample output
Here's a sample output.
Setup
$ ./wlp/java/./bin/java -version
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 8.0.7.0 - pap6480sr7-20211025_01(SR7))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64-Bit Compressed References 20211022_15212 (JIT enabled, AOT enabled)
Hint: We also get the error on Linux x64, so it is not specific to AIX ppc64.
Truststore 1 created with IBM Semeru 11.0.13+8, OpenJ9 0.29.0: test_java11_new_truststore_11.0.13+8_0.29.0.pk12
Truststore 2 created with AdoptOpenJDK Eclipse OpenJ9 11.0.6+10, OpenJ9 0.18.1: test_java11_new_truststore_11.0.6+10_0.18.1.pk12
# Truststore 1
# created with IBM Semeru 11.0.13+8, OpenJ9 0.29.0
$ ./wlp/java/./bin/keytool -list -keystore ~/test_java11_new_truststore_11.0.13+8_0.29.0.pk12 -storetype PKCS12 -v
keytool error (likely untranslated): java.io.IOException: Error extracting keyentry aliases from PFX
# did not work
# Truststore 2
# created with AdoptOpenJDK Eclipse OpenJ9, 11.0.6+10, OpenJ9 0.18.1
$ ./wlp/java/./bin/keytool -list -keystore ~/test_java11_new_truststore_11.0.6+10_0.18.1.pk12 -storetype PKCS12 -v
Enter keystore password:
# this works
Hi everyone!
Empty Truststore
We create an empty truststore beforehand:
Keytool output
Linked IBM issue
TS008467149