3.8.2. Create a Java Keystore to Store Sensitive Strings


  • The keytool command must be available to use. It is provided by the Java Runtime Environment (JRE). Locate the path for the file. In Red Hat Enterprise Linux, it is installed to /usr/bin/keytool.

Procedure 3.2. Setup a Java Keystore

  1. Create a directory to store your keystore and other encrypted information.

    Create a directory to hold your keystore and other important information. The rest of this procedure assumes that the directory is /home/USER/vault/.
  2. Determine the parameters to use with keytool.

    Determine the following parameters:
    The alias is a unique identifier for the vault or other data stored in the keystore. The alias in the example command at the end of this procedure is vault. Aliases are case-insensitive.
    The algorithm to use for encryption. The default is DSA. The example in this procedure uses RSA. Check the documentation for your JRE and operating system to see which other choices may be available to you.
    The size of an encryption key impacts how difficult it is to decrypt through brute force. The default size of keys is 1024. It must be between 512 and 2048, and a multiple of 64. The example in this procedure uses 2048.
    The keystore is a database which holds encrypted information and the information about how to decrypt it. If you do not specify a keystore, the default keystore to use is a file called .keystore in your home directory. The first time you add data to a keystore, it is created. The example in this procedure uses the vault.keystore keystore.
    The keytool command has many other options. Refer to the documentation for your JRE or your operating system for more details.
  3. Determine the answers to questions the keystore command will ask.

    The keystore needs the following information in order to populate the keystore entry:
    Keystore password
    When you create a keystore, you must set a password. In order to work with the keystore in the future, you need to provide the password. Create a strong password that you will remember. The keystore is only as secure as its password and the security of the file system and operating system where it resides.
    Key password (optional)
    In addition to the keystore password, you can specify a password for each key it holds. In order to use such a key, the password needs to be given each time it is used. Usually, this facility is not used.
    First name (given name) and last name (surname)
    This, and the rest of the information in the list, helps to uniquely identify the key and place it into a hierarchy of other keys. It does not necessarily need to be a name at all, but it should be two words, and must be unique to the key. The example in this procedure uses Accounting Administrator. In directory terms, this becomes the common name of the certificate.
    Organizational unit
    This is a single word that identifies who uses the certificate. It may be the application or the business unit. The example in this procedure uses AccountingServices. Typically, all keystores used by a group or application use the same organizational unit.
    This is usually a single-word representation of your organization's name. This typically remains the same across all certificates used by an organization. This example uses MyOrganization.
    City or municipality
    Your city.
    State or province
    Your state or province, or the equivalent for your locality.
    The two-letter code for your country.
    All of this information together will create a hierarchy for your keystores and certificates, ensuring that they use a consistent naming structure but are unique.
  4. Run the keytool command, supplying the information that you gathered.

    Example 3.10. Example input and output of keystore command

    $ keytool -genkey -alias vault -keyalg RSA -keysize 2048 -keystore /home/USER/vault/vault.keystore
    Enter keystore password: vault22 
    Re-enter new password:vault22 
    What is your first and last name?
      [Unknown]:  Accounting Administrator
    What is the name of your organizational unit?
      [Unknown]:  AccountingServices
    What is the name of your organization?
      [Unknown]:  MyOrganization
    What is the name of your City or Locality?
      [Unknown]:  Raleigh
    What is the name of your State or Province?
      [Unknown]:  NC
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US correct?
      [no]:  yes
    Enter key password for <vault>
            (RETURN if same as keystore password):
A file named vault.keystore is created in the /home/USER/vault/ directory. It stores a single key, called vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP 6.