java runtime for jwma

Although our main focus is on java17, which is required for the current version of jwma, this information applies to java since version 9 and also to java 21 and likely future versions beyond that as well. We want to take just the necessary modules from a full java JDK to allow either tomcat or jetty to suport jwma. The secondary purpose of this page is to document the step needed to make a java install imaps capable.

Download the JDK from Oracle and decompress the archive in /opt.JWMA bundles a number of jar files in it's WEB-INF/lib directory and we also need to consider the libraries included with tomcat and jetty. So in turn we run the following command against them:

david@bulawayo: $ /opt/jdk-17.0.9/bin/jdeps jakarta.mail-2.0.0.jar
jakarta.mail-2.0.0.jar -> java.base
jakarta.mail-2.0.0.jar -> java.desktop
jakarta.mail-2.0.0.jar -> java.logging
jakarta.mail-2.0.0.jar -> java.security.sasl
jakarta.mail-2.0.0.jar -> java.xml
jakarta.mail-2.0.0.jar -> not found

The output is cut at this point as those five java modules are what's of interest and that's what we need to note. The command will fail against some jar files, such as commons-fileupload2-core-2.0.0-M1.jar, but to avoid command line hell I simply ignored complaints about missing multi-release options and absent dependancies and moved on to the next jar file.

They'll be many duplications, ie the same java module will be required by more than one library. I ended up with 14 required modules required to run JWMA. The jre is produced as follows next:

david@bulawayo:~ $ /opt/jdk-17.0.9/bin/jlink --add-modules java.base,java.logging,java.rmi,java.desktop,java.security.sasl,java.xml,java.management,java.naming,java.sql,java.instrument,java.security.jgss,java.transaction.xa,java.compiler --output jre-17.0.19 --no-header-files --no-man-pages --strip-debug

As a check, we can compare the size of the original jdk against our new runtime:

david@bulawayo:/opt $ du -hs jdk-17.0.9/
305M	jdk-17.0.9/
david@bulawayo:/opt $ du -hs jre-17.0.9/
76M	jre-17.0.9/

imaps access to jwma

When JWMA is configured to use imaps access as opposed to default unencrypted imap, there is an additional step to configuring JWMA and generating the dovecot certificate. The java runtime needs to know abot this certificate:

root@mydomain.com:~ # keytool -import -alias dovecot -keystore /opt/jre-17.0.9/lib/security/cacerts -file /etc/dovecot/ssl/dovecot.pem
Enter keystore password:

This command will copy the dovecot certificate into java's certificate store. If you haven't changed it, the password will likely be changeit.