Using Java analysis tools jsadebug, jinfo, and jmap
Some of the Java analysis tools access other Java processes via the HotSpot serviceability agent and introspection into the other process. On macOS, this access is controlled for security reasons. There are two ways to get these tools to function:
- Use sudo to run the tool as root.
- Sign the binary of these commands using a certificate that is trusted by the computer.
The OpenJDK build makefile attempts to sign these commands using a certificate named openjdk_codesign. When Oracle builds binary releases with an authoritative certificate of this name, their binaries should be accepted by all computers recognizing that authority. Alternatively, the individual OpenJDK builder can create a code-signing certificate that will give authorization on their computers.
Creating A Code-Signing Certificate (courtesy of the lldb project)
- Launch /Applications/Utilities/Keychain Access.app
- In Keychain Access select the "login" keychain in the "Keychains" list in the upper left hand corner of the window.
- Select the following menu item:
Keychain Access->Certificate Assistant->Create a Certificate...
- Set the following settings
Name = openjdk_codesign
Identity Type = Self Signed Root
Certificate Type = Code Signing
- Click Create
- Click Continue
- Click Done
- Click on "My Certificates"
- Double click on your new openjdk_codesign certificate
- Turn down the "Trust" disclosure triangle
Change:
When using this certificate: Always Trust
- Enter your login password to confirm and make it trusted
The next steps are necessary on Snow Leopard, probably because of a bug in how Keychain Access makes certificates. (Note: These also apply for Lion.)
- Option-drag the new openjdk_codesign certificate from the login keychain to the System keychain in the Keychains pane of the main Keychain Access window to make a copy of this certificate in the System keychain. You'll have to authorize a few more times; set it to be "Always trusted" when asked.
- Switch to the System keychain, and drag the copy of openjdk_codesign you just made there onto the desktop.
- Switch to Terminal, and run the following:
sudo security add-trust -d -r trustRoot -p basic -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/openjdk_codesign.cer
- Right click on the "openjdk_codesign" certificate in the "System" keychain (NOT "login", but the one in "System"), and select "Delete" to delete it from the "System" keychain.
- Reboot (I've found this step unnecessary.)
- Clean and rebuild OpenJDK and you should be able to debug. (You can just remove the jsadebug, jinfo, jmap binaries in build/macosx-universal/bin instead of cleaning everything.)
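After the rebuild, it is worth confirming that the three tools were actually signed by the certificate created above, rather than left unsigned or signed by something else. The script below is an added example, not part of the OpenJDK build or the lldb instructions. It parses the output of `codesign -dvv` and compares the signing authority with openjdk_codesign. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
CERT_NAME="openjdk_codesign"            # certificate name used on this page
BIN_DIR="build/macosx-universal/bin"    # build output directory named on this page

# Print the first "Authority=" value from `codesign -dvv` output on stdin.
# Prints nothing for an unsigned or ad-hoc signed binary.
signing_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Return 0 when the codesign output on stdin names the expected certificate ($1).
signed_by() {
    [ "$(signing_authority)" = "$1" ]
}

# Check jsadebug, jinfo and jmap in a build tree; return non-zero if any tool
# is missing, unsigned, or signed by a different certificate.
check_tools() {
    dir="$1"; rc=0
    for tool in jsadebug jinfo jmap; do
        # codesign writes its description to stderr, hence 2>&1.
        if codesign -dvv "$dir/$tool" 2>&1 | signed_by "$CERT_NAME"; then
            echo "ok      $tool"
        else
            echo "NOT OK  $tool"; rc=1
        fi
    done
    return $rc
}

# Constructed samples of codesign output, used when codesign is not available.
SAMPLE_SIGNED='Executable=/tmp/build/macosx-universal/bin/jinfo
Identifier=jinfo
Authority=openjdk_codesign
Info.plist=not bound'
SAMPLE_UNSIGNED='/tmp/build/macosx-universal/bin/jmap: code object is not signed at all'

if command -v codesign >/dev/null 2>&1 && [ -d "$BIN_DIR" ]; then
    check_tools "$BIN_DIR" || echo "rebuild or re-sign the tools marked NOT OK"
else
    printf '%s\n' "$SAMPLE_SIGNED" | signed_by "$CERT_NAME" && echo "sample: signed"
    printf '%s\n' "$SAMPLE_UNSIGNED" | signed_by "$CERT_NAME" || echo "sample: not signed"
fi
```

Run it from the top of the OpenJDK source tree on the build machine; anywhere else it only exercises the parser on the constructed samples.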