Specify MAVEN_OPTS #455

Open
mashley806 opened this issue Mar 1, 2018 · 34 comments

@mashley806

Hi All,

How do we specify maven command line arguments or have maven read MAVEN_OPTS env variable inside VSCode?

We have a custom nexus server that is a mirror of maven central repository setup in our settings.xml file. When opening our java project in VSCode hundreds of problems are reported stating:
org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact X from/to Nexus (URL) PKIX path building failed: ... unable to find valid certification path for request target.

NOTE: When we remove our settings.xml file and Maven central is used, everything downloads properly except some proprietary jars we need which are not in maven central.

We have added the certificate to the Java cacerts file. We also have MAVEN_OPTS environmental variable which specifies a truststore with the proper certificates.

PS C:\workspace\Apps> $Env:MAVEN_OPTS
-Djavax.net.ssl.trustStore=C:\Users\mashl\.m2\maven-trust.jks -Djavax.net.ssl.trustStorePassword=maven

Everything builds 100% successful and all jars are downloaded from our NEXUS server from the command line.

PS C:\workspace\806Apps> mvn clean install -P all-projects-dev
...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] dependencies ................................... SUCCESS [ 0.249 s]
[INFO] JavaTypeScriptModels ............................... SUCCESS [ 2.867 s]
[INFO] Common Utilities and Components SUCCESS [ 7.600 s]
[INFO] Core ................................. SUCCESS [ 8.633 s]
[INFO] Apps ............................................ SUCCESS [ 0.017 s]
[INFO] WebApp .................................. SUCCESS [02:21 min]
[INFO] p4lcore ............................................ SUCCESS [ 6.371 s]
[INFO] Services ........................................ SUCCESS [ 4.537 s]
[INFO] Task Scheduler ................................. SUCCESS [ 45.468 s]
[INFO] Web Services ................................... SUCCESS [ 9.780 s]
[INFO] IRWeb ...................................... SUCCESS [ 34.051 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 04:21 min
[INFO] Finished at: 2018-03-01T15:11:16-06:00
[INFO] Final Memory: 193M/1535M
[INFO] ------------------------------------------------------------------------
PS C:\workspace\806Apps>

Environment
  • Operating System: Windows 10
  • JDK version: 1.8.0_162 (C:\Program Files\Java\jdk1.8.0_162)
  • Visual Studio Code version: 1.20.1
  • Java extension version: 0.20.0
Steps To Reproduce
  1. Open Java project folder in VSCode
  2. Have C:\Users\mashl\.m2\settings.xml specify the mirror to our repository.

[attach a sample project reproducing the error]
attach logs

Current Result
Expected Result
Additional Informations
@fbricon
Collaborator

fbricon commented Mar 1, 2018

Are you able to open your project in Eclipse?

@fbricon
Collaborator

fbricon commented Mar 1, 2018

Can you try changing java.jdt.ls.vmargs in your vscode settings, to something like

"java.jdt.ls.vmargs": "-noverify -Xmx1G -XX:+UseG1GC -XX:+UseStringDeduplication -Djavax.net.ssl.trustStore=C:\\Users\\mashl\\.m2\\maven-trust.jks -Djavax.net.ssl.trustStorePassword=maven"

@mashley806
Author

Hello,

Unfortunately, vmargs didn't work and we receive the same errors when importing the project into Eclipse. We believe this is related to m2e not respecting the MAVEN_OPTS environment variable.

Maybe there are some properties we could tweak to get it working, listed here: http://www.eclipse.org/m2e/documentation/m2e-faq.html#how-to-connect-to-https-repositories. However, we've decided to move the few proprietary jars we had in our nexus repository to the lib folder of our project, and use maven central.

It would be great if there were an easy way to make this work. :)

Thanks,
Matt

@jaschenk

Any idea when this will be fixed? There is an issue with setting MAVEN_OPTS: the agent simply ignores them and never uses them, which causes one of our largest builds to fail due to out-of-memory.

Please advise.

Thanks,
Jeff

@jaschenk

Adding: our Agent is on RHEL 7.
Thanks,
Jeff

@fbricon
Collaborator

fbricon commented Aug 21, 2018

@jaschenk MAVEN_OPTS support would probably require some changes in the m2e project upstream.
OOM errors should be dealt with by increasing the Xmx value in "java.jdt.ls.vmargs". MAVEN_OPTS support would not be of any help in any case here (memory)

@jaschenk

Where is java.jdt.ls.vmargs located? Where should this be set? Actually, MAVEN_OPTS is where you would place the standard memory settings and other options to Maven. Why isn't the Build Agent recognizing MAVEN_OPTS and overwriting with a default?

@jaschenk

No matter what I specify, the Build Agent does not take into account any MAVEN_OPTS overrides, and it is using "[debug]MAVEN_OPTS is now set to -Xmx1024m" for whatever reason, and I am unable to find where this is being set on the VSTS Agent. Very frustrating. I guess I can edit the mvn script, but you shouldn't have to do that!

@fbricon
Collaborator

fbricon commented Aug 21, 2018

@jaschenk java.jdt.ls.vmargs is the vscode preference for launching the Java language server, that powers vscode-java and gives you linting, code completion, hover, navigation and whatnot.

If your problem is with running Maven through a Build task, then this is a vscode issue, upstream. I don't know why the environment variables are not available to the build task (maybe try launching vscode from a terminal). Other than that, environment variables can be set through the env property in a tasks.json. See https://code.visualstudio.com/docs/editor/tasks#_custom-tasks for more info

@kainazzzo

kainazzzo commented Apr 9, 2019

I am having the same problem with not being able to specify what I already have in MAVEN_OPTS to work with the java language server. I need to specify the javax.net.ssl.trustStore and trustStorePassword parameters in order to allow maven to work with our internal nexus server.

It is causing errors in my pom.xml to show up in vs code. mvn compile works fine on a terminal, because all environment variables are set up when running it that way.

I have tried the java.jdt.ls.vmargs setting, have cleaned the java language server workspace, and have even tried to use the terminal.integrated.env.windows setting to no avail.

My only solution thus far has been to add a .mvn/jvm.config file with the parameters in it, but that's not great since I have to put that in the project itself. This being a system wide setting, and in MAVEN_OPTS already, it's not the best experience.

The only other option which works for me is to temporarily add the dependency (which is missing and causing the pom.xml errors) directly to the pom.xml file as a project dependency, then do a mvn compile to trick mvn into downloading the dependency. There just doesn't seem to be a way to add jvm parameters for this flow.

Edit 1: strikethroughs
Edit 2: The reason the workaround "works" is because the dependency gets added to my local repository, and then vs code doesn't have to use the custom truststore at all... it just grabs the dependency from the local repo.

Edit 3: After trying the same thing for the 147th time, it appears to work now. I confirmed by deleting the package from my local repository, and cleaning the java language server workspace several times to try again (deleting the package each time). I also did this and completely rebooted to make sure it wasn't that VS code was holding on to some environment variable. I don't understand why it wasn't working, but I think the java.jdt.ls.vmargs is the way to go for this!

@BobLuursema

I am running into the same issue but specifying the keystore in java.jdt.ls.vmargs doesn't make a difference in my case. Currently I have it specified as:

"java.jdt.ls.vmargs": "-javaagent:C:\\Users\\m63j824\\.m2\\repository\\org\\projectlombok\\lombok\\1.18.8\\lombok-1.18.8.jar -Xmx512m -Djavax.net.ssl.trustStore=C:\\Users\\m63j824\\keystore -Djavax.net.ssl.trustStorePassword=password"

Is this incorrect?

@fbricon
Collaborator

fbricon commented Aug 7, 2019

@snjeza is this something you have tested?

@snjeza
Contributor

snjeza commented Aug 7, 2019

It works for me.
I have tested in the following way:

# added the following property to VS Code settings.xml
"java.jdt.ls.vmargs": "-javaagent:C:\\Users\\snjeza\\.m2\\repository\\org\\projectlombok\\lombok\\1.18.8\\lombok-1.18.8.jar -Xmx512m -Djavax.net.ssl.trustStore=C:\\Users\\snjeza\\keystore -Djavax.net.ssl.trustStorePassword=changeit"
# checked lombok*.jar
C:\>dir C:\Users\Snjeza\.m2\repository\org\projectlombok\lombok\1.18.8\lombok-1.
18.8.jar
 Volume in drive C has no label.
 Volume Serial Number is 7AD6-735E

 Directory of C:\Users\Snjeza\.m2\repository\org\projectlombok\lombok\1.18.8

08/07/2019  06:29 PM         1,730,973 lombok-1.18.8.jar
               1 File(s)      1,730,973 bytes
               0 Dir(s)   3,698,659,328 bytes free

C:\>

C:\ copy <java_home>\jre\lib\security\cacerts  c:\Users\snjeza\keystore
code .
# added a new dependency to pom.xml

@snjeza
Contributor

snjeza commented Aug 7, 2019

@BobLuursema How have you created your keystore?

@BobLuursema

BobLuursema commented Aug 8, 2019

@snjeza the Lombok jar shouldn't be related to the issue. To start from the beginning, in my POM I get errors due to the PKIX path building when Maven tries to access our internal Maven repository. To fix this I have downloaded our CA root certificate via Chrome and I have imported it in a keystore created via keytool and set my MAVEN_OPTS variable to -Xmx512m -Djavax.net.ssl.trustStore=C:\\Users\\m63j824\\keystore -Djavax.net.ssl.trustStorePassword=password. This works for Maven from the CLI, but this didn't solve the issue in VS Code. I understood from this thread that the error comes from the language server JVM, but after adding the arguments to the java.jdt.ls.vmargs I still see the squiggly error with the exception:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
with the target being our internal Maven repository.

(The Lombok jar also happens to be in the args for the language server to understand the code that Lombok adds).

@snjeza
Contributor

snjeza commented Aug 8, 2019

@BobLuursema Could you check if your internal Maven repository has been properly configured at https://whatsmychaincert.com/?<your_server>
See an example of the correctly configured site - https://whatsmychaincert.com/?openshift.com

related issue: eclipse/lemminx#419

@BobLuursema

@snjeza unfortunately I can't use that as our Maven repository is not accessible from the public internet. But I can't imagine that being an issue since I have no issues when using Maven from the command line.

@snjeza
Contributor

snjeza commented Aug 9, 2019

@BobLuursema Could you set the following property:

 "java.trace.server": "messages",

and attach your workspace log.

@sunix

sunix commented Jan 28, 2020

@fbricon any idea if this is fixed?

@fbricon
Collaborator

fbricon commented Jan 28, 2020

@sunix we haven't changed anything. @snjeza was able to successfully use truststore through the jdt.ls.vmargs, so until we find a way to reproduce the issue or someone comes up with a contribution that demonstrably fixes it, then I'm afraid we can't be super helpful.

@sunix

sunix commented Jan 28, 2020

OK :) I can reproduce it ... running VSCode-java in Che.

@snjeza
Contributor

snjeza commented Jan 28, 2020

@sunix could you, please, describe how to reproduce the issue.

@sunix

sunix commented Jan 28, 2020

@snjeza not visible for non redhatter yet https://docs.google.com/document/d/1PHcEn3zZHqprRN-ATr11OBlRyTAwiv4knXVYRbKqGUA/edit?usp=sharing

edit: eclipse-che/che#15503 (comment)

This is a doc where I am describing how to set up Che and Maven with private repositories and a self-signed certificate. I will see if I can make it public but basically:

  • Install and configure Nexus in openshift 4.2 through the operator.
  • Populate the repo with all the artifacts
  • Disabling maven central
  • adding a route with a self-signed certificate

Then making various tests (jdt.ls and command line)

@tsmaeder

@fbricon this is relevant for air-gapped scenarios in the imminent CRW 2.1 release. Is there a possibility to get a fix for this soon?

@fbricon
Collaborator

fbricon commented Jan 29, 2020

@tsmaeder now that @snjeza has more info to investigate, if she can find a fix, we'll apply it ASAP

@snjeza
Contributor

snjeza commented Jan 31, 2020

m2e uses the okhttp client that verifies a hostname as described at https://www.ietf.org/rfc/rfc2818.txt.

@sunix could you try the following:

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout tls.key -out tls.crt -subj '/CN=acme.com' \
  -addext 'subjectAltName=DNS:*.apps.cluster-acme.com'

instead of

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout tls.key -out tls.crt -subj "/CN=*.acme.com" -days 365
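
Added example (not part of the thread or of any project's code): a shell check for whether a certificate's subjectAltName entries cover a repository host name, which is the property the first command above adds and the second lacks. It assumes a verifier that consults only dNSName SANs and ignores the CN; the host names and certificate excerpts are constructed.

```bash
# Added example, not from the thread. Reads `openssl x509 -noout -text` output
# on stdin. Assumption: the client only consults dNSName SANs, never the CN.

# Print the dNSName SAN entries in the certificate text, one per line.
dns_sans() {
  grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if pattern $1 covers host $2: exact match, or a leading "*." standing
# for exactly one label (*.a.test covers x.a.test, not x.y.a.test or a.test).
name_matches() {
  local pat host suffix label
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    '*.'*)
      suffix=${pat#?}                 # ".a.test"
      label=${host%"$suffix"}         # what the "*" would have to stand for
      [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]
      ;;
    *) [ "$pat" = "$host" ] ;;
  esac
}

# Succeed if any dNSName SAN in the certificate text on stdin covers host $1.
host_covered() {
  local san sans
  sans=$(dns_sans)
  while IFS= read -r san; do
    if name_matches "$san" "$1"; then return 0; fi
  done <<EOF
$sans
EOF
  return 1
}

# Constructed excerpts of the -text output for the two certificates above.
CERT_CN_ONLY='        Subject: CN = *.acme.com'
CERT_WITH_SAN='        Subject: CN = acme.com
            X509v3 Subject Alternative Name:
                DNS:*.apps.cluster-acme.com'
# Constructed host names; prints "covered" or "NOT covered" for each case.
report() {
  if printf '%s\n' "$1" | host_covered "$2"; then echo "$2: covered"
  else echo "$2: NOT covered"; fi
}
report "$CERT_CN_ONLY" nexus.acme.com
report "$CERT_WITH_SAN" nexus.apps.cluster-acme.com
report "$CERT_WITH_SAN" a.b.apps.cluster-acme.com
```

Against a real certificate file, pipe `openssl x509 -in tls.crt -noout -text` into `host_covered` with the repository host name as its argument.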

@sunix

sunix commented Feb 5, 2020

thanks @snjeza I am currently testing it.

@sunix

sunix commented Feb 5, 2020

@snjeza

unknown option -addext
$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

... I am trying to find a more recent version

@snjeza
Contributor

snjeza commented Feb 5, 2020

@sunix I have used Fedora 30

$ openssl version
OpenSSL 1.1.1d FIPS  10 Sep 2019

@snjeza
Contributor

snjeza commented Feb 5, 2020

@sunix you can try the following command and openssl 1.0.2:

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes   -keyout tls.key -out tls.crt -subj '/CN=acme.com' \
  -extensions san \
  -config <(echo '[req]'; echo 'distinguished_name=req';
            echo '[san]'; echo 'subjectAltName=DNS:*.apps.cluster-acme.com')

@sunix

sunix commented Feb 6, 2020

Hello, it works! Thanks @snjeza.
So the thing to know is that m2e is not using the same library that maven cli is using to make the SSL handshake. So it is not because a self-signed certificate is valid with Maven CLI that it would be valid for m2e.
I think we can close this issue.

@snjeza
Contributor

snjeza commented Feb 7, 2020

Maven CLI doesn't verify a hostname. I think it is a security hole in Maven CLI.
@fbricon we could add a property to the aether-connector-okhttp project to skip hostname verification.

@sunix

sunix commented Feb 7, 2020

I think we just need to document it well in a doc or a FAQ rather than adding a property to skip it. Could also be a preference in vscode-java to skip hostname verification in case user could not change the certificate (it happens that user doesn't have permission)

@snjeza
Contributor

snjeza commented Feb 7, 2020

> Could also be a preference in vscode-java to skip hostname verification in case user could not change the certificate (it happens that user doesn't have permission)

That has to be done in the aether-connector-okhttp project. The preference would be added to java.jdt.ls.vmargs. @fbricon What do you think?
