The Java ecosystem ships with file-based keystores, and "keytool" is the interactive command-line tool for working with them.
As part of PicketBox, we provide a database backed keystore.
A DB-backed keystore is very useful in a clustered environment that relies on a keystore. Instead of maintaining a file-based keystore on each node of the cluster and keeping those copies in sync, a central DB-based keystore can be shared by all nodes.
We plan to extend this functionality to a full fledged Certificate Management System.
<dependency>
  <groupId>org.picketbox</groupId>
  <artifactId>picketbox-keystore</artifactId>
  <version>2012aug21</version>
</dependency>
The jar is available from https://repository.jboss.org/nexus/content/groups/public/org/picketbox/picketbox-keystore/2012aug21/picketbox-keystore-2012aug21.jar
The dbkey.sh script is available from: https://github.com/picketbox/picketbox-keystore/blob/master/scripts/dbkey.sh
Provider provider = new PicketBoxKeyStoreDBProvider("PicketBox/Keystore", 1.0, "KeyStore by PicketBox");
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType(), provider);
As you can see, the org.picketbox.keystore.PicketBoxKeyStoreDBProvider class is passed as the provider to the standard KeyStore.getInstance method.
You will need to provide a properties file called "picketbox-keystore-db.properties" on the classpath.
connection.url=jdbc:h2:file:target/test.db
connection.class=org.h2.Driver
connection.username=sa
connection.password=
store.table=STORE
metadata.table=METADATA
The database needs to have two tables STORE and METADATA with the following structure:
create table STORE (ID varchar(255), KEY varchar(5000), CERT varchar(5000), CHAIN varchar(15000), KEYPASS varchar(150), CREATED varchar(250))
create table METADATA (SALT varchar(255), PASS varchar(5000))
You will need to add an arbitrary string to the column "SALT" in the METADATA table.
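The following is an added example, not code from the PicketBox project: it opens the DB-backed keystore through the provider shown above and reads one entry back. It assumes picketbox-keystore-db.properties is on the classpath, that the METADATA table already holds a master salt and master password, that the master password is what KeyStore.load() expects as its password argument, and that the alias "servercert" (the one imported in the dbkey.sh session) exists in the STORE table.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

import org.picketbox.keystore.PicketBoxKeyStoreDBProvider;

// Added example; not part of the PicketBox project.
public class DbKeyStoreCheck {

    // Assumed alias: the one imported in the dbkey.sh session on this page.
    private static final String ALIAS = "servercert";

    public static void main(String[] args) throws Exception {
        // The master password is taken from the command line here rather than
        // hard-coded; in real deployments read it from a protected source.
        char[] masterPassword = args.length > 0 ? args[0].toCharArray() : new char[0];

        Provider provider = new PicketBoxKeyStoreDBProvider(
                "PicketBox/Keystore", 1.0, "KeyStore by PicketBox");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType(), provider);

        // No InputStream: entries live in the STORE table, not in a file.
        // Assumption: the password argument is the master password from METADATA.
        keystore.load(null, masterPassword);
        // Clear the password from memory once the store is open.
        Arrays.fill(masterPassword, '\0');

        System.out.println("Aliases in DB keystore: " + Collections.list(keystore.aliases()));

        if (!keystore.containsAlias(ALIAS)) {
            System.out.println("No entry for alias " + ALIAS);
            return;
        }
        Certificate cert = keystore.getCertificate(ALIAS);
        if (cert instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) cert;
            System.out.println("Subject : " + x509.getSubjectX500Principal());
            System.out.println("Expires : " + x509.getNotAfter());
            // Throws CertificateExpiredException / CertificateNotYetValidException
            // if the stored certificate is outside its validity window.
            x509.checkValidity();
        }
    }
}
```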
We provide interactive command line scripts to interact with the DB based Keystore.
The Tools are:
dbkey.sh (For Unix derived environments including Linux)
dbkey.bat (Not yet available)
$ ./dbkey.sh
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:4
Master Password Exists=false
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:6
Enter Master Salt=xyz
Enter Master Salt Again=xyz
Storing Master Salt in the DB
Stored Master Salt in the DB [1 rows affected]
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:4
Master Password Exists=false
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:7
Enter Master Password=
Enter Master Password Again=
Master Password stored in DB
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:1
Enter Keystore URL=jbid_test_keystore.jks
Enter KeyStore Password=
Java JKS KeyStore loaded from jbid_test_keystore.jks
Enter alias=servercert
Enter Key Password=
Retrieved Private Key and Certificate from JKS Keystore:jbid_test_keystore.jks
Enter
1: Import KeyPair
2: Create a KeyPair and Certificate
3: Create CSR
4: Check Master Password Exists
5: Check Master Salt Exists
6: Add Master Salt
7: Add Master Password
8: Exit
Enter Your Choice:8
Good Bye!
The interactive tool scripts require three paths to be configured:
PicketBox KeyStore Jar.
Database Driver
BouncyCastle Jars.
You will need to adjust the paths accordingly.
Import KeyPair: You will need to provide the URL of the existing keystore to import from. Ideally, put the keystore file in the same directory as the dbkey scripts.
Create a KeyPair and Certificate: This is the standard keystore functionality; it creates a keypair in the keystore.
Create CSR: When you need to send your certificate to a Certificate Authority (CA) for signing, you will need a CSR. Here you provide the name of a file where the CSR will be stored.
Check Master Password Exists: The master password is the keystore password. This option checks whether a master password is stored in the DB. It depends on a master salt already existing in the database.
Check Master Salt Exists: This option checks whether a master salt is stored in the DB.
Add Master Salt: If there is no salt saved in the DB, the tool provides a one-time opportunity to save one. Remember, once it goes into the DB, only a DBA can change or delete the salt.
Add Master Password: If the DB has a salt but no master password, the tool provides an option to save a master password.
The tool also reads picketbox-keystore-db.properties; you will need this properties file in the same directory as the dbkey scripts.
connection.url=jdbc:h2:file:target/test.db
connection.class=org.h2.Driver
connection.username=sa
connection.password=
store.table=STORE
metadata.table=METADATA
In this example, I am using the H2 database.
The interactive tool still needs:
Import Certificate Chain.
Password Masking in the configuration properties file.
Support additional store types such as JCEKS etc.
Support JDBC Connection Pooling via Datasource.
Salt
The Salt needs to be added by either the DBA or via the interactive tool. Once the salt exists in the DB, only a DBA can change it. This is done for security reasons.
The Salt can only be deleted by a DBA.
KeyStore Password (Master Password)
Depends on the availability of master salt.
Deletion requires DBA assistance.