Wrong keystore is used for x509 authentication

Customer has the admin console and the idp on the same box and for some reason when x509 auth is done it uses the /opt/novell/jdk1.6.0_26/jre/lib/security/cacerts keystore rather then the truststore keystore.
Now when they upgrade and there is a newer cacerts file it breaks there x.509 authentication.