9.11.2. Create a Java Keystore to Store Sensitive Strings
The keytool command must be available. It is provided by the Java Runtime Environment (JRE). Locate the path for the file. In Red Hat Enterprise Linux, it is installed to
Procedure 9.14. Task
Create a directory to store your keystore and other encrypted information. The rest of this procedure assumes that the directory is
Determine the parameters to use with keytool. Determine the following parameters:
- The alias is a unique identifier for the vault or other data stored in the keystore. The alias in the example command at the end of this procedure is vault. Aliases are case-insensitive.
- The algorithm to use for encryption. The default is DSA. The example in this procedure uses RSA. Check the documentation for your JRE and operating system to see which other choices may be available to you.
- The size of an encryption key impacts how difficult it is to decrypt through brute force. The default size of keys is 1024. It must be between 512 and 1024, and a multiple of 64. The example in this procedure uses
- The keystore is a database which holds encrypted information and the information about how to decrypt it. If you do not specify a keystore, the default keystore to use is a file called .keystore in your home directory. The first time you add data to a keystore, it is created. The example in this procedure uses the
The keytool command has many other options. Refer to the documentation for your JRE or your operating system for more details.
Determine the answers to questions the keytool command will ask. The keytool command needs the following information in order to populate the keystore entry:
All of this information together will create a hierarchy for your keystores and certificates, ensuring that they use a consistent naming structure but are unique.
- Keystore password
- When you create a keystore, you must set a password. In order to work with the keystore in the future, you need to provide the password. Create a strong password that you will remember. The keystore is only as secure as its password and the security of the file system and operating system where it resides.
- Key password (optional)
- In addition to the keystore password, you can specify a password for each key it holds. In order to use such a key, the password needs to be given each time it is used. Usually, this facility is not used.
- First name (given name) and last name (surname)
- This, and the rest of the information in the list, helps to uniquely identify the key and place it into a hierarchy of other keys. It does not necessarily need to be a name at all, but it should be two words, and must be unique to the key. The example in this procedure uses Accounting Administrator. In directory terms, this becomes the common name of the certificate.
- Organizational unit
- This is a single word that identifies who uses the certificate. It may be the application or the business unit. The example in this procedure uses AccountingServices. Typically, all keystores used by a group or application use the same organizational unit.
- Organization
- This is usually a single-word representation of your organization's name. This typically remains the same across all certificates used by an organization. This example uses
- City or municipality
- Your city.
- State or province
- Your state or province, or the equivalent for your locality.
- Country
- The two-letter code for your country.
Run the keytool command, supplying the information that you gathered.
Example 9.25. Example input and output of the keytool command
$ keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore /home/USER/vault/vault.keystore
Enter keystore password: vault22
Re-enter new password: vault22
What is your first and last name?
  [Unknown]:  Accounting Administrator
What is the name of your organizational unit?
  [Unknown]:  AccountingServices
What is the name of your organization?
  [Unknown]:  MyOrganization
What is the name of your City or Locality?
  [Unknown]:  Raleigh
What is the name of your State or Province?
  [Unknown]:  NC
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US correct?
  [no]:  yes
Enter key password for <vault>
  (RETURN if same as keystore password):
A file named vault.keystore is created in the /home/USER/vault/ directory. It stores a single key, called vault, which will be used to store encrypted strings, such as passwords, for the JBoss Enterprise Application Platform.
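The interactive session above, scripted so it can be repeated without typing the answers, as an added example that is not part of the Red Hat documentation. The keystore password is taken from the STORE_PASS environment variable (keytool's -storepass:env and -keypass:env options) instead of the command line, the directory is created with an owner-only umask, and the result is checked with keytool -list; the directory argument, the STORE_PASS name and the 2048-bit key size (current JDKs warn on 1024-bit RSA keys) are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted equivalent of the interactive keytool session.
# Assumes STORE_PASS is set by the caller; uses RSA 2048 where the page
# shows 1024 because current JDKs warn on 1024-bit RSA keys.

# Subject name exactly as confirmed in the interactive session.
vault_dname() {
    printf '%s' 'CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US'
}

# Create DIR/vault.keystore holding a single entry aliased "vault".
create_vault_keystore() {
    dir=$1
    : "${STORE_PASS:?set STORE_PASS (keystore password) in the environment}"
    export STORE_PASS
    (
        umask 077                       # directory and keystore: owner-only
        mkdir -p "$dir"
        # -storepass:env / -keypass:env read the password from the named
        # variable, so it never shows up in shell history or ps output.
        keytool -genkeypair -alias vault -keyalg RSA -keysize 2048 \
            -keystore "$dir/vault.keystore" \
            -storepass:env STORE_PASS -keypass:env STORE_PASS \
            -dname "$(vault_dname)"
    )
}

# Succeed only if KEYSTORE holds an entry aliased "vault"
# (keytool -list -alias exits non-zero when the alias is missing).
has_vault_entry() {
    export STORE_PASS
    keytool -list -alias vault -keystore "$1" -storepass:env STORE_PASS >/dev/null 2>&1
}

# Print the group/other permission bits of FILE; "------" means owner-only.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Run the whole procedure when VAULT_DEMO_DIR is set, e.g.
#   STORE_PASS=vault22 VAULT_DEMO_DIR=$HOME/vault sh create-vault.sh
if [ -n "${VAULT_DEMO_DIR:-}" ]; then
    create_vault_keystore "$VAULT_DEMO_DIR"
    has_vault_entry "$VAULT_DEMO_DIR/vault.keystore" && echo "vault entry present"
    echo "group/other bits: $(group_other_bits "$VAULT_DEMO_DIR/vault.keystore")"
fi
```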