Welcome!

Machine Learning Authors: Elizabeth White, Liz McMillan, Yeshim Deniz, Pat Romanski, Shelly Palmer

Related Topics: Java IoT, Machine Learning , Cloud Security

Java IoT: Blog Post

Audit Certificate Inventory in Java/JDK | @CloudExpo #API #Java #Cloud

Generate list of Certificates used in Java environment

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the Java environment by using a simple shell script. The script checks all certificates that are stored in Keystores. The script generates a report in the form of CSV file and the report contains the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date.

Procedure

1- Create the following Jython script and name it "certsAudit.sh":

#!/bin/bash

# How to run: ./certsAudit.sh (doesn't take any arguments

# Checks for expiring certificates inside a java keystore

todayDate=$(date)

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

password="changeit"

#########################################

############## PROPERTIES ###############

#########################################

baseDirectory=$(dirname "$0")

# load from properties file

###abc. "${baseDirectory}/keyProperties.sh"

newLine=$'\n'

#########################################

################ SCRIPT #################

#########################################

# get the current timestamp

currentTimestamp=$(date +%s)

# return an error if the threshold is less than or equal to the current timestamp

declare -i totalNumOfExipringCerts=0

rm -f /tmp/certLogFile.csv

echo -e "Hostname, Keystore Name, Certifcate Alias, Issue To, Issued By, Expire in Days, Expiry Date" >> /tmp/certLogFile.csv

for keystore in "${keystores[@]}"; do

declare -i numberOfExpiringCerts=0

# try opening the keystore

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" > /dev/null 2>&1

if [ $? -gt 0 ]; then

echo "Error opening the keystore."

exit 1

fi

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" | grep Alias | sed 's/Alias name: //' > /tmp/allAliases

while read alias; do

# iterate through all the certificate aliases

until=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')

untilSeconds=$(date -d "$until" +%s)

remainingDays=$(((untilSeconds-$(date +%s))/60/60/24))

owner=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Owner | sed 's/Owner: //' | sed -r 's/[,]+/./g')

issuer=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Issuer | sed 's/Issuer: //' | sed -r 's/[,]+/./g')

expDate=$(date -d "$until" '+%Y-%b-%d')

###echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate"

echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate" >> /tmp/certLogFile.csv

let numberOfExpiringCerts++

done < /tmp/allAliases

rm -f /tmp/allAliases

done

2- Copy the “certsAudit.sh” file on the WebSphere server (in /tmp folder).

3- Make sure the target server has any version of Java installed. A “keytool” utility is used by the script which comes with Java

4- Edit the “certsAudit.sh” file and update the “keytoolPath” parameter with the location of the keytool file. Usually it is “JAVA_HOME/bin/keytool”.

keytoolPath=<path of keytool>

For example:

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

5- Edit the “certsAudit.sh” file and update the “keystores” parameter with the targeted Java keystore file name(s) with the path.

keystores=(<keystore files>)

For example:

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

6- Edit the “certsAudit.sh” file and update the “password” parameter with the targeted Java keystore password.

password=<keystore password>

For example:

password="changeit"

7- Change the user to WASUSER and the file permission, if needed

8- Go to the “/tmp” folder, where the script file is copied

9- Run the following command.

/tmp/certsAudit.sh

10- Once the script executed, it will create "/tmp/certsLogFile.csv" file

11- Copy the "certsLogFile.csv" file the desktop by using the ftp/scp client

12- Review the csv file

Conclusion
The generated report captures the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.

More Stories By Asim Saddal

Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

@CloudExpo Stories
SYS-CON Events announced today that Outscale, a global pure play Infrastructure as a Service provider and strategic partner of Dassault Systèmes, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2010, Outscale simplifies infrastructure complexities and boosts the business agility of its customers. Outscale delivers a secure, reliable and industrial strength solution for its customers, which in...
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
In order to meet the rapidly changing demands of today’s customers, companies are continually forced to redefine their business strategies in order to meet these needs, stay relevant and continue to see profitable growth. IoT deployment and development is integral in this transformation, and today businesses are increasingly seeing the value of investing their resources into IoT deployments. These technologies are able increase ROI through projects such as connecting supply chains or enabling sm...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
SYS-CON Events announced today that EARP will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "We are a software house, so we perfectly understand challenges that other software houses face in their projects. We can augment a team, that will work with the same standards and processes as our partners' internal teams. Our teams will deliver the same quality within the required time and budget just as our partn...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that Tappest will exhibit MooseFS at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. MooseFS is a breakthrough concept in the storage industry. It allows you to secure stored data with either duplication or erasure coding using any server. The newest – 4.0 version of the software enables users to maintain the redundancy level with even 50% less hard drive space required. The software func...
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
Everywhere we turn in our industry we can find strong opinions about the direction, type and nature of cloud’s impact on computing and business. Another word that is used in every context in our industry is “hybrid.” In his session at 20th Cloud Expo, Alvaro Gonzalez, Director of Technical, Partner and Field Marketing at Peak 10, will use a combination of a few conceptual props and some research recently commissioned by Peak 10 to offer a real-world consideration of how the various categories of...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...