JBoss EAP for OpenShift のトラストストアに CA ルート証明書をインポートするにはどうすればよいですか?

Issue

• JBoss EAP for OpenShift のトラストストアに CA ルート証明書をインポートするにはどうすればよいですか?

• 次のように、update-ca-trust が JBoss EAP Pod で失敗します。コンテナー内の cacerts を更新するにはどうすればよいですか?

  $ oc rsh <pod-name>
  sh-4.2$ update-ca-trust 
  p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt: Permission denied
  p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: Permission denied
  p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem: Permission denied
  p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem: Permission denied
  p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/java/cacerts: Permission denied
  

• keytool -import も、Permission denied が原因で JBoss EAP Pod で失敗します。

  $ oc rsh <pod-name>
  sh-4.2$ keytool -import -keystore /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts -trustcacerts -alias my-root-cert -file /opt/eap/standalone/configuration/root-ca.crt -storepass changeit -noprompt 
  Certificate was added to keystore
  keytool error: java.io.FileNotFoundException: /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts (Permission denied)