FS#55716 - [jre9-openjdk-headless] SSL does not work due to keystore being empty

Attached to Project: Arch Linux
Opened by Gianluca Nitti (gianluca_n) - Saturday, 23 September 2017, 13:04 GMT
Last edited by Guillaume ALAUX (galaux) - Saturday, 23 September 2017, 15:18 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Guillaume ALAUX (galaux)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The SSL certificate store file (/usr/lib/jvm/java-9-openjdk/lib/security/cacerts) does not contain any certificate. This leads to a "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty" exception being thrown every time a Java program tries to open an SSL connection (for example an HTTPS request).

In OpenJDK 8 the certificate store file (/usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts) was a symbolic link to /etc/ssl/certs/java/cacerts, which contains the certs (this can be verified by running the command "keytool -list -keystore /usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts"; if it asks for a password, just leave it empty and press enter). In OpenJDK 9, however, /usr/lib/jvm/java-9-openjdk/lib/security/cacerts is an empty certificate store file (you can see it with "keytool -list -keystore /usr/lib/jvm/java-9-openjdk/lib/security/cacerts").

A quick workaround to make it work is to rename that file (for example to cacerts-bkp) and create the link to the correct certificate store with the command "ln -s /etc/ssl/certs/java/cacerts /usr/lib/jvm/java-9-openjdk/lib/security/cacerts".

Additional info:
* package version: jre9-openjdk-headless 9.u181-1


Steps to reproduce:
Try to perform an SSL request using any Java program when java-9-openjdk is set as the default Java environment; it won't work. For example, you can use the simple attached program, which should download the archlinux.org homepage over HTTPS:
* use Java 8 first to have proof that it works: run (as root) "archlinux-java set java-8-openjdk"
* compile it with "javac HttpsTest.java"
* run it with "java HttpsTest"; wait a while and you should see the HTML source of https://archlinux.org
* now switch to OpenJDK 9 with "archlinux-java set java-9-openjdk"
* try a "java HttpsTest" again and you'll get an exception
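
An offline check for the condition described in this report, as an added example that is not part of the original report or its attached HttpsTest.java: it counts the entries in a JDK trust store and shows that a keystore with no certificates produces the reported exception without making any network request. The class name CacertsCheck and the default path under java.home are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;

// Added diagnostic (hypothetical class name): inspects a JDK trust store offline.
public class CacertsCheck {

    // Returns the number of entries in the given keystore file.
    // A null password skips the integrity check, like pressing enter at keytool's prompt.
    static int countEntries(Path store) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, null);
        }
        return ks.size();
    }

    // Reproduces the reported failure in memory: building PKIX validation
    // parameters from a keystore without trusted certificates throws
    // InvalidAlgorithmParameterException.
    static String emptyStoreError() throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null); // initialise a keystore with zero entries
        try {
            new PKIXParameters(empty);
            return null; // not reached for an empty keystore
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: <java.home>/lib/security/cacerts; pass another path as argv[0].
        Path store = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        System.out.println("store:    " + store);
        System.out.println("realpath: " + store.toRealPath()); // symlink target, if any
        int n = countEntries(store);
        System.out.println("entries:  " + n);
        System.out.println("empty-store error: " + emptyStoreError());
        if (n == 0) {
            System.exit(1); // no trust anchors: TLS handshakes from this JVM will fail
        }
    }
}
```

A non-zero exit status means the selected JVM has no trust anchors, so the check can be run after a JDK package upgrade or after switching environments with archlinux-java.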

Closed by  Guillaume ALAUX (galaux)
Saturday, 23 September 2017, 15:18 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in 9.u181-2
Comment by Guillaume ALAUX (galaux) - Saturday, 23 September 2017, 15:10 GMT
#PerfectBugReport
