16.7.2. Create a Java Keystore to Store Sensitive Strings
The keytool command must be available to use. It is provided by the Java Runtime Environment (JRE). Locate the path for the file. In Red Hat Enterprise Linux, it is installed to
Use keytool from the same vendor as the JDK you use.
Using keytool from one vendor's JDK in an EAP instance running on a JDK from a different vendor results in the following exception:
Procedure 16.6. Set Up a Java Keystore
1. Create a directory to store your keystore and other encrypted information.
Create a directory to hold your keystore and other important information. The rest of this procedure assumes that the directory is EAP_HOME/vault/. Since this directory will contain sensitive information, it should be accessible to only limited users. At a minimum, the user account under which JBoss EAP is running requires read-write access.
2. Determine the parameters to use with keytool.
Determine the following parameters:
- The alias is a unique identifier for the vault or other data stored in the keystore. The alias in the example command at the end of this procedure is vault. Aliases are case-insensitive.
- The algorithm to use for encryption. The example in this procedure uses AES. Use the documentation for your JRE and operating system to see which other choices may be available to you.
- The size of an encryption key impacts how difficult it is to decrypt through brute force. The example in this procedure uses 128. For information on appropriate values, see the documentation distributed with the
- The keystore is a database which holds encrypted information and the information about how to decrypt it. If you do not specify a keystore, the default keystore to use is a file called .keystore in your home directory. The first time you add data to a keystore, it is created. The example in this procedure uses the EAP_HOME/vault/vault.keystore file.
The keytool command has many other options. See the documentation for your JRE or your operating system for more details.
3. Determine the answers to questions the keytool command will ask.
The keytool command needs the following information in order to populate the keystore entry:
- Keystore password: When you create a keystore, you must set a password. In order to work with the keystore in the future, you need to provide the password. Create a strong password that you will remember. The keystore is only as secure as its password and the security of the file system and operating system where it resides.
- Key password (optional): In addition to the keystore password, you can specify a password for each key it holds. In order to use such a key, the password needs to be given each time it is used. Usually, this facility is not used.
- First name (given name) and last name (surname): This, and the rest of the information in the list, helps to uniquely identify the key and place it into a hierarchy of other keys. It does not necessarily need to be a name at all, but it should be two words, and must be unique to the key. The example in this procedure uses Accounting Administrator. In directory terms, this becomes the common name of the certificate.
- Organizational unit: This is a single word that identifies who uses the certificate. It may be the application or the business unit. The example in this procedure uses AccountingServices. Typically, all keystores used by a group or application use the same organizational unit.
- Organization: This is usually a single-word representation of your organization's name. This typically remains the same across all certificates used by an organization. This example uses MyOrganization.
- City or municipality: Your city.
- State or province: Your state or province, or the equivalent for your locality.
- Country: The two-letter code for your country.
All of this information together will create a hierarchy for your keystores and certificates, ensuring that they use a consistent naming structure but are unique.
4. Run the keytool command, supplying the information that you gathered.
Example 16.16. Example input and output of keytool command
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore EAP_HOME/vault/vault.keystore
Enter keystore password: vault22
Re-enter new password: vault22
What is your first and last name?
  [Unknown]:  Accounting Administrator
What is the name of your organizational unit?
  [Unknown]:  AccountingServices
What is the name of your organization?
  [Unknown]:  MyOrganization
What is the name of your City or Locality?
  [Unknown]:  Raleigh
What is the name of your State or Province?
  [Unknown]:  NC
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US correct?
  [no]:  yes
Enter key password for <vault>
        (RETURN if same as keystore password):
A file named vault.keystore is created in the EAP_HOME/vault/ directory. It stores a single key, called vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP 6.
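The procedure above, carried out from a provisioning script rather than interactively, as an added example that is not part of the Red Hat guide. It assumes the caller exports EAP_HOME and VAULT_STOREPASS, takes keytool from JAVA_HOME when that is set (so the keystore is written and read by the same vendor's JDK), and reuses the guide's sample distinguished-name values.

```shell
#!/bin/sh
# Added example, not from the JBoss EAP guide: perform the procedure above
# without interactive prompts, with the vault directory locked down.
# Assumes the caller exports EAP_HOME and VAULT_STOREPASS (the keystore
# password); the -dname values are the guide's sample answers.
set -eu

EAP_HOME="${EAP_HOME:-/opt/jboss-eap-6}"   # assumed install path
VAULT_DIR="$EAP_HOME/vault"
KEYSTORE="$VAULT_DIR/vault.keystore"
# Use the keytool of the JDK that runs EAP (via JAVA_HOME when set), so the
# keystore is not written by one vendor's keytool and read by another's.
KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"

# Step 1: the directory holds secrets, so make it owner-only (drwx------).
# Run this as the account under which JBoss EAP runs, or chown it afterwards.
vault_dir_setup() {
    mkdir -p "$1"
    chmod 700 "$1"
    ls -ld "$1" | cut -c1-10        # returns the mode string for verification
}

# Steps 2 to 4: AES-128 secret key under alias "vault" in a JCEKS keystore.
# -dname supplies the identity answers up front; the passwords are read from
# the VAULT_STOREPASS environment variable rather than given on the command
# line, so they stay out of shell history and "ps" output. -validity is
# omitted because it only applies to certificates, not secret keys.
vault_keystore_create() {
    "$KEYTOOL" -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
        -keystore "$1" -storepass:env VAULT_STOREPASS -keypass:env VAULT_STOREPASS \
        -dname "CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US"
    chmod 600 "$1"                  # keystore file readable by its owner only
}

# Check: keytool -list prints one line per entry, beginning with its alias,
# so a match confirms the "vault" entry exists and the password opens the store.
vault_keystore_check() {
    "$KEYTOOL" -list -storetype jceks -keystore "$1" \
        -storepass:env VAULT_STOREPASS | grep -qi '^vault,'
}

# Usage:
#   vault_dir_setup "$VAULT_DIR"
#   vault_keystore_create "$KEYSTORE"
#   vault_keystore_check "$KEYSTORE" && echo "vault entry present in $KEYSTORE"
```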