11.13.2. Create a Java Keystore to Store Sensitive Strings


  • The keytool utility, provided by the Java Runtime Environment (JRE). Locate the path for the file, which on Red Hat Enterprise Linux is /usr/bin/keytool.


JCEKS keystore implementations differ between Java vendors so you must generate the keystore using the keytool utility from the same vendor as the JDK you use.
Using a keystore generated by the keytool from one vendor's JDK in a JBoss EAP instance running on a JDK from a different vendor results in the following exception:
java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector

Procedure 11.41. Set up a Java Keystore

  1. Create a directory to store your keystore and other encrypted information.

    Create a directory to store your keystore and other important information. The rest of this procedure assumes that the directory is EAP_HOME/vault/. Since this directory will contain sensitive information it should be accessible to only limited users. At a minimum the user account under which JBoss EAP is running requires read-write access.
  2. Determine the parameters to use with keytool utility.

    Decide on values for the following parameters:
    The alias is a unique identifier for the vault or other data stored in the keystore. Aliases are case-insensitive.
    The storetype specifies the keystore type. The value jceks is recommended.
    The algorithm to use for encryption. Use the documentation for your JRE and operating system to see which other choices may be available to you.
    The size of an encryption key impacts how difficult it is to decrypt through brute force. For information on appropriate values, see the documentation distributed with the keytool utility.
    The value of storepass is the password is used to authenticate to the keystore so that the key can be read. The password must be at least 6 characters long and must be provided when the keystore is accessed. If you omit this parameter, you will be prompted to enter it when you execute the command.
    The value of keypass is the password used to access the specific key and must match the value of the storepass parameter.
    The value of validity is the period (in days) for which the key will be valid.
    The value of keystore is the filepath and filename in which the keystore's values are to be stored. The keystore file is created when data is first added to it.
    Ensure you use the correct file path separator: / (forward slash) for Red Hat Enterprise Linux and similar operating systems, \ (backslash) for Microsoft Windows Server.
    The keytool utility has many other options. See the documentation for your JRE or your operating system for more details.
  3. Run the keytool command

    Launch your operating system's command line interface and run the keytool utility, supplying the information that you gathered.

Example 11.36. Create a Java Keystore

$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore EAP_HOME/vault/vault.keystore

In this a keystore has been created in the file EAP_HOME/vault/vault.keystore. It stores a single key, with the alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.