Welcome!

Machine Learning Authors: Pat Romanski, Liz McMillan, Yeshim Deniz, Elizabeth White, Corey Roth

Related Topics: Java IoT, Machine Learning , Cloud Security

Java IoT: Blog Post

Audit Certificate Inventory in Java/JDK | @CloudExpo #API #Java #Cloud

Generate list of Certificates used in Java environment

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the Java environment by using a simple shell script. The script checks all certificates that are stored in Keystores. The script generates a report in the form of CSV file and the report contains the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date.

Procedure

1- Create the following Jython script and name it "certsAudit.sh":

#!/bin/bash

# How to run: ./certsAudit.sh (doesn't take any arguments

# Checks for expiring certificates inside a java keystore

todayDate=$(date)

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

password="changeit"

#########################################

############## PROPERTIES ###############

#########################################

baseDirectory=$(dirname "$0")

# load from properties file

###abc. "${baseDirectory}/keyProperties.sh"

newLine=$'\n'

#########################################

################ SCRIPT #################

#########################################

# get the current timestamp

currentTimestamp=$(date +%s)

# return an error if the threshold is less than or equal to the current timestamp

declare -i totalNumOfExipringCerts=0

rm -f /tmp/certLogFile.csv

echo -e "Hostname, Keystore Name, Certifcate Alias, Issue To, Issued By, Expire in Days, Expiry Date" >> /tmp/certLogFile.csv

for keystore in "${keystores[@]}"; do

declare -i numberOfExpiringCerts=0

# try opening the keystore

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" > /dev/null 2>&1

if [ $? -gt 0 ]; then

echo "Error opening the keystore."

exit 1

fi

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" | grep Alias | sed 's/Alias name: //' > /tmp/allAliases

while read alias; do

# iterate through all the certificate aliases

until=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')

untilSeconds=$(date -d "$until" +%s)

remainingDays=$(((untilSeconds-$(date +%s))/60/60/24))

owner=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Owner | sed 's/Owner: //' | sed -r 's/[,]+/./g')

issuer=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Issuer | sed 's/Issuer: //' | sed -r 's/[,]+/./g')

expDate=$(date -d "$until" '+%Y-%b-%d')

###echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate"

echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate" >> /tmp/certLogFile.csv

let numberOfExpiringCerts++

done < /tmp/allAliases

rm -f /tmp/allAliases

done

2- Copy the “certsAudit.sh” file on the WebSphere server (in /tmp folder).

3- Make sure the target server has any version of Java installed. A “keytool” utility is used by the script which comes with Java

4- Edit the “certsAudit.sh” file and update the “keytoolPath” parameter with the location of the keytool file. Usually it is “JAVA_HOME/bin/keytool”.

keytoolPath=<path of keytool>

For example:

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

5- Edit the “certsAudit.sh” file and update the “keystores” parameter with the targeted Java keystore file name(s) with the path.

keystores=(<keystore files>)

For example:

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

6- Edit the “certsAudit.sh” file and update the “password” parameter with the targeted Java keystore password.

password=<keystore password>

For example:

password="changeit"

7- Change the user to WASUSER and the file permission, if needed

8- Go to the “/tmp” folder, where the script file is copied

9- Run the following command.

/tmp/certsAudit.sh

10- Once the script executed, it will create "/tmp/certsLogFile.csv" file

11- Copy the "certsLogFile.csv" file the desktop by using the ftp/scp client

12- Review the csv file

Conclusion
The generated report captures the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.

More Stories By Asim Saddal

Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

@CloudExpo Stories
HyperConvergence came to market with the objective of being simple, flexible and to help drive down operating expenses. It reduced the footprint by bundling the compute/storage/network into one box. This brought a new set of challenges as the HyperConverged vendors are very focused on their own proprietary building blocks. If you want to scale in a certain way, let's say you identified a need for more storage and want to add a device that is not sold by the HyperConverged vendor, forget about it...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., discussed how these tools can be leveraged to develop a lasting competitive advantage ...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
In this presentation, you will learn first hand what works and what doesn't while architecting and deploying OpenStack. Some of the topics will include:- best practices for creating repeatable deployments of OpenStack- multi-site considerations- how to customize OpenStack to integrate with your existing systems and security best practices.
DXWorldEXPO LLC announced today that Kevin Jackson joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Kevin L. Jackson is a globally recognized cloud computing expert and Founder/Author of the award winning "Cloud Musings" blog. Mr. Jackson has also been recognized as a "Top 100 Cybersecurity Influencer and Brand" by Onalytica (2015), a Huffington Post "Top 100 Cloud Computing Experts on Twitter" (2013) and a "Top 50 C...
"Venafi has a platform that allows you to manage, centralize and automate the complete life cycle of keys and certificates within the organization," explained Gina Osmond, Sr. Field Marketing Manager at Venafi, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
"This week we're really focusing on scalability, asset preservation and how do you back up to the cloud and in the cloud with object storage, which is really a new way of attacking dealing with your file, your blocked data, where you put it and how you access it," stated Jeff Greenwald, Senior Director of Market Development at HGST, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
In a world where the internet rules all, where 94% of business buyers conduct online research, and where e-commerce sales are poised to fall between $427 billion and $443 billion by the end of this year, we think it's safe to say that your website is a vital part of your business strategy. Whether you're a B2B company, a local business, or an e-commerce site, digital presence is key to maintain in your drive towards success. Digital Performance will take priority in 2018 for the following reason...
Rodrigo Coutinho is part of OutSystems' founders' team and currently the Head of Product Design. He provides a cross-functional role where he supports Product Management in defining the positioning and direction of the Agile Platform, while at the same time promoting model-based development and new techniques to deliver applications in the cloud.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
In his session at Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to maximize project result...
"Software-defined storage is a big problem in this industry because so many people have different definitions as they see fit to use it," stated Peter McCallum, VP of Datacenter Solutions at FalconStor Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
"Our strategy is to focus on the hyperscale providers - AWS, Azure, and Google. Over the last year we saw that a lot of developers need to learn how to do their job in the cloud and we see this DevOps movement that we are catering to with our content," stated Alessandro Fasan, Head of Global Sales at Cloud Academy, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with extensive global expertise as a strategist, technologist, innovator, marketer, and communicator. For over 30 years across five continents, he has built success with Fortune 500 corporations, vendors, governments, and as a leading research analyst and consultant.
"Cloud computing is certainly changing how people consume storage, how they use it, and what they use it for. It's also making people rethink how they architect their environment," stated Brad Winett, Senior Technologist for DDN Storage, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.