======OS - BSD - OpenBSD - Notes - Miscellaneous======

[[http://blog.hawkhost.com/2010/06/28/tmux-the-terminal-multiplexer/|Hawk Host Blog - TMUX – The Terminal Multiplexer (Part 1)]] \\
[[http://blog.hawkhost.com/2010/07/02/tmux-–-the-terminal-multiplexer-part-2/|Hawk Host Blog - TMUX – The Terminal Multiplexer (Part 2)]] \\

Start Webmin:
<code>
/usr/bin/perl /root/webmin-1.420/miniserv.pl /etc/webmin/miniserv.conf
</code>

Add a description to an interface:
<code>
ifconfig em0 description "description (in double quotes if it contains spaces)"
</code>
Source: [[http://jcs.org/notaweblog/2008/07/30/my_history_with_openbsd/|joshua stein: my history with openbsd]] \\

Radeon + nvagp: [[http://marc.info/?l=openbsd-tech&m=122042134418052&w=2|openbsd-tech - [patch] nForce AGP support]] \\

Connect over a USB COM port to the debug port of a PowerStation:
<code>
cu -l ttyU0 -s 19200 | tee output
</code>
When executed as a normal user an error is shown:
<code>
$ cu -l ttyU0 | tee output
/var/spool/lock/LCK..ttyU0: No such file or directory
Can't open lock file.
all ports busy
</code>
Source: [[http://www.nabble.com/Re:-net4801-loads-slowly-pxelinux.0-p7372217.html|Nabble.com - Re: net4801 loads slowly pxelinux.0]] \\

Open the CDROM drive:
<code>
eject /dev/rcd0c
</code>

Prefer IPv6 addresses when resolving names? Add the following to /etc/resolv.conf:
<code>
family inet6 inet4
</code>

Show the SSH host key fingerprints without printing the filenames (ksh shell):
<code>
for i in /etc/ssh/*.pub; do ssh-keygen -l -f "$i"; done | awk '{ print $1, $2, $4 }'
</code>
Source: [[http://efreedom.com/Question/2-231105/Manually-Know-RSA2-Key-Finger-Print|eFreedom - SSH - How to manually know the RSA2 key finger print?]] \\

Show the linked libraries of a library or program:
<code>
ldd /path/to/library/or/program
</code>

Show a list of processes with open network ports:
<code>
fstat | grep internet
</code>

Build a pkg_delete list based on the contents of /var/log/messages:
<code>
grep "pkg_add: Added" /var/log/messages | awk '{ print "pkg_delete " $7 }'
</code>

Build a pkg_delete list in reverse order (last installed first) based on the contents of /var/log/messages:
<code>
grep "pkg_add: Added" /var/log/messages | awk '{ print "pkg_delete " $7 }' | tail -r
</code>

Print a file in all lowercase:
<code>
awk '{ print tolower($0) }' filename
</code>

====Virtual machine drive size for testing====
40G drive.
|a|150M|/|
|b|512M|swap|
|d|6G|/usr|
|e|30G|/var|
|f|2G|/tmp|
|g|1,3G|/home|

=====OpenBSD and multicore CPUs=====
> throwing more than one cpu (core) at a database server running just one mysqld instance is not going to help right now. that's likely to change with rthreads so. throwing more than one core at a firewall (without much proxy stuff in userland) hurts more than it helps right now.
> guess my point is clear. we scale fine for many (I'd even say the most) tasks. we scale miserably for some others. yes, our SMP can be improved, but it isn't bad. heck, what cannot be improved?
> -- Henning Brauer

The above is subject to change. \\
Taken from: [[http://marc.info/?l=openbsd-misc&m=129431461101023&w=2|marc.info - openbsd.misc - multicore processors gain]] \\

=====Apache=====
[[http://httpd.apache.org/docs/1.3/vhosts/name-based.html|Apache HTTP Server Version 1.3 - Name-based Virtual Host Support]] \\
[[http://httpd.apache.org/docs/1.3/vhosts/ip-based.html|Apache HTTP Server Version 1.3 - Apache IP-based Virtual Host Support]] \\

====Logrotate====
//Very crappy log rotation for Apache logs.// \\
//Use [[http://www.openbsd.org/cgi-bin/man.cgi?query=rotatelogs&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386|rotatelogs (8)]] instead.//
<code>
apachectl stop
cd /var/www/logs
D=`date +%Y%m%d`   # take the date once so all four logs get the same suffix
mv access_log access_log_$D
mv error_log error_log_$D
mv ssl_engine_log ssl_engine_log_$D
mv ssl_request_log ssl_request_log_$D
touch access_log
touch error_log
touch ssl_engine_log
touch ssl_request_log
apachectl startssl
gzip access_log_$D
gzip error_log_$D
gzip ssl_engine_log_$D
gzip ssl_request_log_$D
</code>

====SSL====
===Add intermediate/signing certificate===
//This assumes /etc/ssl/server.crt and /etc/ssl/private/server.key are already installed.//

Add the public intermediate/signing certificate that was used to sign server.crt (in this case [[https://www.globalsign.com/support/intermediate/domainssl_intermediate2011.php|GlobalSign Domain Validation CA - G2]]):
<code>
cp GlobalSign\ Domain\ Validation\ CA\ -\ G2.crt /etc/ssl/globalsigndomvalcag2.crt
chgrp bin /etc/ssl/globalsigndomvalcag2.crt
</code>
Add the following to /var/www/conf/httpd.conf (after the line "SSLCertificateKeyFile /etc/ssl/private/server.key"):
<code>
SSLCertificateChainFile /etc/ssl/globalsigndomvalcag2.crt
</code>
Source for the httpd.conf entry: [[https://maillists.uci.edu/manual/mod/mod_ssl.html|Apache Module mod_ssl]] \\

=====Sendmail=====
====Set up sendmail as a null client====
By default sendmail only listens on the localhost address and does not forward email. With this setting you turn sendmail into a null client: all email that can't be delivered locally is sent to an SMTP gateway/relay server.

Open /usr/share/sendmail/cf/openbsd-localhost.mc and add the following rule at the bottom:
<code>
define(`SMART_HOST',`esmtp:[10.1.1.1]')dnl
</code>
Save the file. Then cd to the cf directory:
<code>
# cd /usr/share/sendmail/cf
</code>
And compile the configuration file:
<code>
# make openbsd-localhost.cf
</code>
Copy /usr/share/sendmail/cf/openbsd-localhost.cf to /etc/mail/localhost.cf:
<code>
# cp /usr/share/sendmail/cf/openbsd-localhost.cf /etc/mail/localhost.cf
</code>

=====dd=====
Erase a disk (by overwriting it with zeros):
<code>
dd if=/dev/zero of=/dev/rsd0c bs=10m
</code>
Source: [[http://marc.info/?l=openbsd-misc&m=122228074928814&w=2|Marc.info - Re: Can one dd to /dev/rwd0c?]] \\

> dd if=/dev/wd0c of=/dev/wd1c bs=4m

This hits the buffer cache, use raw devices for anything apart from mounting, ie /dev/rwd0c \\
Source: "Re: dd performance question" thread on misc@openbsd.

=====Erase a drive=====
<code>
atactl drive secerase
</code>
Via [[http://marc.info/?l=openbsd-misc&m=136850991519185&w=2|marc.info - openbsd-misc - Re: Is fdisk, disklabel and newfs enough to "reset" an SSD]] \\

=====Installation as transparent filtering bridge=====
  * Install OpenBSD (5.0)
  * Install two or more network cards
  * Create a bridge and add two network cards:
<code>
# ifconfig bridge0 create
# ifconfig bridge0 add bge1
# ifconfig bridge0 add bge2
# ifconfig bge1 up
# ifconfig bge2 up
# ifconfig bridge0 up
</code>
To make this configuration permanent you have to create the /etc/hostname.if files with the correct contents:
<code>
# echo add bge1 > /etc/hostname.bridge0
# echo add bge2 >> /etc/hostname.bridge0
# echo up >> /etc/hostname.bridge0
# echo up > /etc/hostname.bge1
# echo up > /etc/hostname.bge2
</code>
You can filter on this bridge.
Example /etc/pf.conf:
<code>
ext_if = "bge2"
int_if = "bge1"
tcp_services = "{www,https}"

block in on $ext_if all
# Allow all outbound tcp traffic to tcp_services
pass out quick on $ext_if proto tcp from any to any port $tcp_services
# Allow all outbound udp traffic to 10.0.0.138 for DNS
pass out quick on $ext_if proto udp from any to 10.0.0.138 port domain
</code>

=====ANSI (IBM CP437) art and the text console=====
Set the TERM variable to cons25:
<code>
TERM=cons25
</code>
See:
^Character set^Terminal type^
|ISO8859-1 or ISO-8859-15|cons25l1|
|ISO8859-2|cons25l2|
|ISO8859-7|cons25l7|
|KOI8-R|cons25r|
|KOI8-U|cons25u|
|CP437 (VGA default)|cons25|
|US-ASCII|cons25w|
Source: [[http://www.freebsd.org/doc/nl/books/handbook/using-localization.html|FreeBSD Handbook (Dutch) - 23.3. Using Localization]] \\

Download the latest version of [[http://tetradraw.sourceforge.net/|Tetradraw]], extract it, and then compile it with:
<code>
./configure
make
</code>
Use the tetraview application to open an .ANS file:
<code>
./tetraview FINAL.ANS
</code>
See also: \\
[[http://marc.info/?l=openbsd-misc&m=99534253611414&w=2|marc.info - openbsd-misc - Subject: Running ANSI-based applications]] \\
[[http://people.freebsd.org/~hmp/freebsd/head_man/syscons/fonts/|FreeBSD syscons fonts]] \\
[[http://xyzzy.freeshell.org/cp437/|CP437.fnt - Alternate 8x16 Character font]] \\

=====Sendmail skips mailertable=====
Scenario: \\
After the system had an unclean shutdown (loss of power) sendmail ignored the mailertable. \\
mailertable:
<code>
domein.nl dbmail:localhost
</code>
local-host-names has no additions.

Test with the following command:
<code>
# sendmail -d60.5 -bv naam@domein.nl
</code>
This produced the following output:
<code>
map_lookup(dequote, root, %0=root) => NOT FOUND (0)
map_lookup(host, domein.nl, %0=domein.nl) => domein.nl. (0)
map_lookup(virtuser, naam@domein.nl, %0=naam@domein.nl, %1=naam) => NOT FOUND (0)
map_lookup(virtuser, @domein.nl, %0=@domein.nl, %1=naam) => NOT FOUND (0)
naam@domein.nl... User unknown
</code>
The mailertable is skipped.

/etc/hosts held an extra line with the private IP address of the server followed by:
<code>
www.domein.nl www domein.nl
</code>
After commenting out this line in /etc/hosts and restarting the system, the output of 'sendmail -d60.5 -bv naam@domein.nl' was:
<code>
# sendmail -C/etc/mail/dbmail.cf -d60.5 -bv naam@domein.nl
map_lookup(dequote, root, %0=root) => NOT FOUND (0)
map_lookup(host, domein.nl, %0=domein.nl) => domein.nl. (0)
map_lookup(mailertable, domein.nl, %0=domein.nl) => dbmail:localhost (0)
naam@domein.nl... deliverable: mailer dbmail, host localhost, user naam@domein.nl
</code>
Strangely, the system did work before with the extra line in /etc/hosts. \\
Presumably, after the unclean shutdown a corrupted file or cache in the sendmail<->dbmail chain was rebuilt (or something similar), after which the entry in /etc/hosts took full effect.

Sources: \\
[[http://www.issociate.de/board/post/266376/Configure_Local_DNS_lookup_in_Sendmail.html|Configure Local DNS lookup in Sendmail]] for the -d60.5 command. \\
[[http://andrea.brancatelli.it/blog/2007/04/08/when-sendmail-ignores-the-mailertable/|extract the nectar, burn the tree - When SendMail ignores the mailertable]] reported an identical setup with DBMail where a completely empty local-host-names was the solution. Tested, it did not work for my setup. \\
[[http://www.linuxquestions.org/questions/linux-networking-3/sendmail-mailertable-311364/|LinuxQuestions.org - sendmail mailertable]] describes a similar problem, and its last post pointed in the direction of /etc/hosts. \\
[[http://www.goldfisch.at/knowledge/378|goldfisch knowledgebase - sendmail ignores mailertable and threatens domain as local]] \\

=====Quake 2 Giex server=====
  - Install the Quake2 package:<code>pkg_add quake2</code>
  - Copy at least pak0.pak up to pak4.pak to /usr/local/share/quake2/baseq2/.
  - Place the giex directory in /usr/local/share/quake2/.
  - Make sure the game library is named game.so.
  - Add a _giex user (default shell, no password, answer yes to disallow logins).
  - Change the ownership of the charsave directory and giexlog.txt to _giex:<code>
chown -R _giex /usr/local/share/quake2/giex/charsave
chown _giex /usr/local/share/quake2/giex/giexlog.txt
</code>
  - To automatically start the server at system startup add the following to /etc/rc.local:<code>
if [ -x /usr/local/bin/quake2 ]; then
        echo -n ' q2-giex'
        su -m _giex -c "cd /usr/local/share/quake2/ && /usr/local/bin/quake2 +game giex +map q2dm1 +exec dmsrv.cfg +set dedicated 1 >/dev/null &"
fi
</code>

=====OpenSSH ChrootDirectory=====
[[http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP|OpenSSH/Cookbook/SFTP]] \\
[[http://en.wikibooks.org/wiki/OpenSSH/Logging#Logging_Chrooted_SFTP|OpenSSH/Logging - Logging Chrooted SFTP]] \\
[[http://www.bigmite.com/blog/2010/05/19/chroot-sftp-using-openssh-and-logging/|Bigmite Solutions - Chroot sftp using openssh and logging]] \\

Open /etc/ssh/sshd_config and modify the Subsystem line to the following:
<code>
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server -u 0022
</code>
Add at the bottom:
<code>
Match Group sftp-only
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -f AUTH -l VERBOSE -u 0027
</code>
The options after internal-sftp are important if you want the file transfers logged to /var/log/authlog and files created without group write and without any world permissions. \\
Source: [[http://forums.freebsd.org/showthread.php?t=4349|The FreeBSD Forums > Server & Networking > Web & Network Services - openssh and sftp logging]] \\

Add an extra log socket to the syslogd startup options by adding the following to /etc/rc.conf.local:
<code>
syslogd_flags="-a /home/sftp.log.socket"
</code>
Stop syslogd and start it with the above -a option.

Correct the permissions on the homedir and remove the dotfiles:
<code>
chown root:wheel /home/username/
rm -rf /home/username/.*
</code>
Create a user-writable subdirectory:
<code>
mkdir /home/username/export
chown username:username /home/username/export
</code>
Create the /dev/ directory in the chroot homedir and link the sftp.log.socket:
<code>
mkdir /home/username/dev/
chmod 0755 /home/username/dev/
ln /home/sftp.log.socket /home/username/dev/log
</code>
Create the sftp-only group:
<code>
groupadd sftp-only
</code>
Now add the users that should be chrooted to their homedir to the sftp-only group.

=====Geany treebrowser plugin=====
^Tested on^^^^
^OpenBSD version^OpenBSD arch^Geany version^Geany plugins version^
|5.2|i386|0.20|0.20|

Install the prerequisites:
<code>
pkg_add intltool
</code>
Extract the plugins archive:
<code>
tar xzvf geany-plugins-0.20.tar.gz
</code>
Change to the plugins directory:
<code>
cd geany-plugins-0.20
</code>
Run the configure script (to create the Makefiles):
<code>
./configure
</code>
Change to the treebrowser directory:
<code>
cd treebrowser
</code>
Compile the plugin:
<code>
make
</code>
Copy the compiled plugin to the geany plugin directory:
<code>
cp .libs/treebrowser.so /usr/local/lib/geany/
</code>
Correct the file mode and group on the plugin:
<code>
chmod -x /usr/local/lib/geany/treebrowser.so
chgrp bin /usr/local/lib/geany/treebrowser.so
</code>
The plugin should now be available in the Geany Plugin Manager.

=====Auto logon=====
====Auto logon to X====
  - Create a user to auto logon with.
  - Set up ~/.xinitrc to start the desired window manager.
  - Add the following to /etc/rc.local:<code>/usr/bin/su - username -c /usr/X11R6/bin/startx</code> //Replace ''username'' with the name of the user to auto logon with.//
  - When the system next boots it will be logged in automatically as that user and X will be started.
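The chown root:wheel step in the OpenSSH ChrootDirectory section above is not cosmetic: sshd_config(5) requires that every component of the ChrootDirectory path is a root-owned directory that is not writable by any other user or group, and sshd refuses the login (logging "bad ownership or modes for chroot directory" to authlog) when any component fails that test. The script below is an added example, not part of the original notes: it walks a chroot path and reports each component that breaks the rule, using only ls -ld output so it behaves the same on OpenBSD and Linux. The function names are its own; the OWNER parameter exists only so the check can be exercised on a scratch directory without privileges, and is left at its default of root on a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes: check that a ChrootDirectory
# satisfies what sshd_config(5) demands of it, namely that every component of
# the path is a directory owned by root and writable by no other user or group.
# Works from `ls -ld` output, which has the same column layout on OpenBSD and
# Linux. The function names are this example's own, not sshd's.

# check_chroot_component DIR OWNER
# Prints one line per problem with DIR itself; exit status 1 if any was found.
check_chroot_component() {
    d=$1
    owner=$2
    rc=0
    if [ ! -d "$d" ]; then
        echo "$d: not a directory"
        return 1
    fi
    set -- $(ls -ld "$d")      # $1 = mode string, $3 = owner name
    mode=$1
    who=$3
    if [ "$who" != "$owner" ]; then
        echo "$d: owned by $who, expected $owner"
        rc=1
    fi
    # In the mode string (drwxr-xr-x) character 6 is the group write bit
    # and character 9 the world write bit.
    case $(printf '%s' "$mode" | cut -c6) in
        w) echo "$d: group-writable"; rc=1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c9) in
        w) echo "$d: world-writable"; rc=1 ;;
    esac
    return $rc
}

# check_chroot_path DIR [OWNER]
# Resolves DIR to an absolute path and checks it and every parent up to /.
# OWNER defaults to root, which is what sshd requires; it is a parameter only
# so the check can be run on a scratch directory without privileges.
check_chroot_path() {
    owner=${2:-root}
    dir=$(unset CDPATH; cd "$1" 2>/dev/null && pwd -P) || {
        echo "$1: not a directory"
        return 1
    }
    status=0
    while :; do
        check_chroot_component "$dir" "$owner" || status=1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Usage on a real host, for a user whose home directory is the chroot:
#   check_chroot_path /home/username && echo "chroot path OK"
```

Run it after the chown and again after any later change to /home permissions; a silent run with exit status 0 means sshd will accept the chroot, and each printed line names the exact component and reason it would be rejected.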
Source: [[http://linux.koolsolutions.com/2009/03/15/howto-autologin-into-your-linux-system-without-xdm-gdm-kdm-etc/|Debian Ubuntu Linux Solutions Blog - HOWTO: Autologin into your Linux system without XDM, GDM, KDM, etc]] \\

=====LPD printing to HP CM 2320i printer=====
Add the following to /etc/printcap:
<code>
rp|cm2320:\
        :lp=cm2320.domain.local:rm=cm2320:rp=lp:sd=/var/spool/output:lf=/var/log/lpd-errs:
</code>
And start lpd:
<code>
/etc/rc.d/lpd -f start
</code>
Test printing from a program (xpdf, Seamonkey, LibreOffice) with:
<code>
lpr -Pcm2320
</code>

=====Default packages for desktop system=====
A list of packages used on a personal desktop system.

FIXME: Expand the list towards a fully equipped system...
<code>
pkg_add -i dia dillo dmenu dosbox gimp libreoffice mutt rsync seamonkey texmaker thunderbird unzip vim vlc xfe xpdf
</code>
Games:
<code>
pkg_add -i chocolate-doom flare megaglest openarena prboom-plus quake quake2 redeclipse sumwars widelands
</code>
Compiling:
<code>
pkg_add -i clang cmake gmake subversion
</code>

=====goomwwm=====
Compile and install the latest version of goomwwm.
  - Download the latest master.tar.gz from [[https://github.com/seanpringle/goomwwm|GitHub - seanpringle - goomwwm]].
  - Extract the goomwwm-master.tar.gz archive.
  - Compile:<code>make</code>
  - Install:<code>
sudo cp goomwwm /usr/local/bin
sudo cp goomwwm.1 /usr/local/man/man1/
</code>
  - Install the required prerequisite dmenu:<code>pkg_add dmenu</code>
  - Add to ~/.xinitrc:<code>goomwwm -modkey mod1,shift</code> //'-modkey mod1,shift' uses the Alt+Shift keys as modkey instead of the left Windows key (for keyboards that do not have a Windows key). It can be omitted on keyboards that do have a Windows key.//
  - Start X Window:<code>startx</code>
  - Use the key combination Alt+Shift+x (or Windows+x) to call the dmenu launcher.

=====sscrotwm=====
Compile and install the latest version of sscrotwm.
  - Download the latest master.tar.gz from [[https://github.com/sporkexec/sscrotwm|GitHub - sporkexec - sscrotwm]].
  - Extract the sscrotwm-master.tar.gz archive.
  - Compile:<code>make</code>
  - Install:<code>
sudo cp sscrotwm /usr/local/bin
sudo cp sscrotwm.1 /usr/local/man/man1/
sudo cp sscrotwm.conf /etc/
</code>
  - Install the required prerequisite dmenu:<code>pkg_add dmenu</code>
  - Add to ~/.xinitrc:<code>sscrotwm</code>
  - Start X Window:<code>startx</code>
  - Use the key combination Alt+p to call the menu launcher.
  - Use the key combination Alt+Shift+Return to call a terminal.

=====librt and libdl functions in libc=====
//Ran into this when trying to compile Odamex 0.7.0.//

OpenBSD currently (2015-05-30) does not supply librt or libdl. (Some of) their functionality is included in libc.

Sources:
  * [[https://github.com/jonathangray/RBDOOM-3-BFG/commit/ccd5d65dbe2dadd26f01ca2a5521ed110c82345f|commit on jonathangray/RBDOOM-3-BFG (GitHub)]]
  * [[http://comments.gmane.org/gmane.os.openbsd.misc/221704|Gmane - misc@openbsd - timer_create for openbsd. Any equivalent ?]]
  * [[http://lists.suckless.org/dev/1407/23102.html|Re: [dev] [st][PATCH] Add information about librt and OpenBSD to the FAQ]] //"If you want to compile st for OpenBSD you have to remove -lrt from config.mk, and st will compile without any loss of functionality because all the functions are included in libc on this platform."//

=====Audio control - Volume=====
First read [[http://www.openbsd.org/faq/faq13.html|OpenBSD FAQ - 13 - Multimedia]].

//Tested on://
<code>
$ dmesg | grep audio
audio0 at azalia0
$ dmesg | grep azalia
azalia0 at pci0 dev 27 function 0 "Intel 6321ESB HD Audio" rev 0x09: msi
azalia0: codecs: Realtek ALC262
audio0 at azalia0
</code>
outputs.master is set to 120,120 by default:
<code>
$ mixerctl outputs.master
outputs.master=120,120
</code>
To raise this:
<code>
mixerctl outputs.master=220,220
</code>
To make this permanent on every reboot:
<code>
echo outputs.master=220,220 >> /etc/mixerctl.conf
</code>

=====OpenSMTPd + cron == no From address=====
//Applies to OpenBSD 5.4 - 5.7. Fixed in OpenBSD 5.8.//

Due to [[http://marc.info/?l=openbsd-misc&m=125542062831242&w=2|openbsd-misc - Re: no hostname in mails sent with smtpd in a crontab]] not being solved yet, all cronjobs need to have ' | mail -s "Subject" ' appended if the output should be mailed to someone other than the host's root account.

Su to root. \\
Modify the crontab for root:
<code>
crontab -e
</code>
Change:
  * Add MAILTO="" to prevent cron from sending email.
  * Add 'MAILADDR=user@domain.nl' with the email address that should receive the email.
  * Append ' | mail -s "Subject" $MAILADDR' to every active cronjob.

=====Resize a file system=====
//Tested on OpenBSD/amd64 5.8 on VMware ESXi 6.0 after enlarging the /dev/sd1 VMDK. /dev/sd1 only contained one partition (a).//
  - Unmount the file system:<code>umount /dev/sd1a</code>
  - Edit the disklabel:<code>disklabel -E /dev/rsd1c</code>
  - Set the disk boundaries to cover the entire disk:<code>
> b
Starting sector: [0]
Size ('*' for entire disk): [8388608] *
</code>
  - Change the size of the partition to cover the entire disk:<code>
> c a
Partition a is currently 8388608 sectors in size, and can have a maximum size of 16777216 sectors.
size: [8388608] *
</code>
  - Write the new label:<code>
> q
Write new label?: [y]
</code>
  - Grow the file system on sd1a:<code>
# growfs /dev/rsd1a
We strongly recommend you to make a backup before growing the Filesystem

 Did you backup your data (Yes/No) ? Yes
new filesystem size is: 4194304 frags
Warning: 190976 sector(s) cannot be allocated.
growfs: 8098.8MB (16586240 sectors) block size 16384, fragment size 2048
        using 40 cylinder groups of 202.47MB, 12958 blks, 25984 inodes.
super-block backups (for fsck -b #) at:
 8707808, 9122464, 9537120, 9951776, 10366432, 10781088, 11195744, 11610400,
 12025056, 12439712, 12854368, 13269024, 13683680, 14098336, 14512992, 14927648,
 15342304, 15756960, 16171616
</code>
  - Check the file system:<code>
# fsck /dev/rsd1a
** /dev/sd1a (58e67b67b9473b4c.a)
** Last Mounted on /var/www/pkg-cache
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
524 files, 1699675 used, 2381276 free (92 frags, 297648 blocks, 0.0% fragmentation)

MARK FILE SYSTEM CLEAN? [Fyn?] y
</code>
  - Mount all file systems:<code>mount -a</code>

=====Extra bpf devices=====
//Tested on OpenBSD/macppc 5.7 and 5.9.//

OpenBSD creates 10 bpf devices by default. Sometimes those 10 are already in use, for instance after creating two extra pflog devices on a default install. You can see how many bpf devices are in use in the output of:
<code>
fstat | grep bpf
</code>
Example output:
<code>
_pflogd  pflogd      8788    3 /         10223 crw-------     rw  bpf9
root     pflogd     20191    3 /         10223 crw-------     rw  bpf9
_pflogd  pflogd     32657    3 /         10222 crw-------     rw  bpf8
root     pflogd     25912    3 /         10222 crw-------     rw  bpf8
_dhcp    dhcpd      16901    4 /         10215 crw-------     rw  bpf1
_dhcp    dhcpd      16901    5 /         10216 crw-------     rw  bpf2
_dhcp    dhcpd      16901    6 /         10217 crw-------     rw  bpf3
_dhcp    dhcpd      16901    7 /         10218 crw-------     rw  bpf4
_dhcp    dhcpd      16901    8 /         10219 crw-------     rw  bpf5
_dhcp    dhcpd      16901    9 /         10220 crw-------     rw  bpf6
_dhcp    dhcpd      16901   10 /         10221 crw-------     rw  bpf7
_pflogd  pflogd      1558    3 /         10214 crw-------     rw  bpf0
root     pflogd     29587    3 /         10214 crw-------     rw  bpf0
</code>
When all bpf devices are in use, starting tcpdump gives an error:
<code>
# tcpdump -i gem0
tcpdump: Failed to open bpf device for gem0: No such file or directory
</code>
The fix is to create extra bpf devices:
<code>
cd /dev/
sh MAKEDEV bpf10
sh MAKEDEV bpf11
sh MAKEDEV bpf12
# And so on...
</code>
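The fstat listing above shows the same device held by two processes (pflogd's privileged parent and its _pflogd child both have bpf0 open, likewise bpf8 and bpf9), so counting lines overstates how many devices are taken. The following is an added example, not from the original notes: it reads fstat output, reports the distinct bpf devices in use and lists which of the existing device nodes are still free, which tells you whether tcpdump failed because the nodes are exhausted or because something else is wrong. It is built over a constructed copy of the listing above so it runs without fstat; the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the original notes: work out how many bpf
# devices are open from `fstat | grep bpf` output. Two processes can hold
# the same device (pflogd's parent and its _pflogd child share one), so the
# count is over distinct device names, not over lines.

# Constructed sample: a copy of the fstat output quoted in the notes.
# On a real host feed `fstat` into the functions instead.
SAMPLE_FSTAT='_pflogd  pflogd  8788  3 /  10223 crw-------  rw  bpf9
root     pflogd 20191  3 /  10223 crw-------  rw  bpf9
_pflogd  pflogd 32657  3 /  10222 crw-------  rw  bpf8
root     pflogd 25912  3 /  10222 crw-------  rw  bpf8
_dhcp    dhcpd  16901  4 /  10215 crw-------  rw  bpf1
_dhcp    dhcpd  16901  5 /  10216 crw-------  rw  bpf2
_dhcp    dhcpd  16901  6 /  10217 crw-------  rw  bpf3
_dhcp    dhcpd  16901  7 /  10218 crw-------  rw  bpf4
_dhcp    dhcpd  16901  8 /  10219 crw-------  rw  bpf5
_dhcp    dhcpd  16901  9 /  10220 crw-------  rw  bpf6
_dhcp    dhcpd  16901 10 /  10221 crw-------  rw  bpf7
_pflogd  pflogd  1558  3 /  10214 crw-------  rw  bpf0
root     pflogd 29587  3 /  10214 crw-------  rw  bpf0'

# bpf_in_use: read fstat output on stdin, print each bpf device once.
# The device name is the last field of an fstat line.
bpf_in_use() {
    awk '$NF ~ /^bpf[0-9]+$/ && !seen[$NF]++ { print $NF }'
}

# bpf_free NODES: read fstat output on stdin and, given the number of bpf
# device nodes present in /dev (10 on a default install), print the nodes
# that are not open by any process.
bpf_free() {
    bpf_in_use | awk -v n="$1" '
        { used[$1] = 1 }
        END {
            for (i = 0; i < n; i++) {
                key = "bpf" i
                if (!(key in used)) print key
            }
        }'
}

# Wrappers over the constructed sample so the result can be checked.
sample_in_use_count() { printf '%s\n' "$SAMPLE_FSTAT" | bpf_in_use | wc -l | tr -d ' '; }
sample_free_count()   { printf '%s\n' "$SAMPLE_FSTAT" | bpf_free 10 | wc -l | tr -d ' '; }

# Real-host usage, counting the nodes that actually exist in /dev:
#   fstat | bpf_free "$(ls /dev/bpf* | wc -l)"
# No output means every node is taken and MAKEDEV is the next step.
```

With the sample listing all ten default nodes are open, so bpf_free prints nothing; after creating bpf10 and bpf11 with MAKEDEV and running it again with 12 as the node count, those two appear as free.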
Sources:
  * [[http://marc.info/?t=122228379800001&r=1&w=2|marc.info - OpenBSD Misc - Does OpenBSD only allow 19 Interfaces]]
  * [[http://marc.info/?l=openbsd-misc&m=129657069318053&w=2|marc.info - OpenBSD Misc - BPF device limitations]]

=====Add a CA cert to the Java keystore=====
//Tested on OpenBSD/amd64 6.0 with jdk-1.7.0.80p1v0.//

This imports the root CA certificate stored in /root/rootca.crt into the global Java keystore so that Java programs can verify certificates signed by that root CA.
<code>
/usr/local/jdk-1.7.0/bin/keytool -importcert \
    -keystore /usr/local/jdk-1.7.0/jre/lib/security/cacerts \
    -file /root/rootca.crt -noprompt \
    -storepass changeit
</code>
Source for the password: [[https://docs.microsoft.com/en-us/azure/java-add-certificate-ca-store|Microsoft Azure - Adding a Certificate to the Java CA Certificates Store]]