Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Expo on Google News
SYS-CON.TV
Cloud Expo & Virtualization 2009 East
PLATINUM SPONSORS:
IBM
Smarter Business Solutions Through Dynamic Infrastructure
IBM
Smarter Insights: How the CIO Becomes a Hero Again
Microsoft
Windows Azure
GOLD SPONSORS:
Appsense
Why VDI?
CA
Maximizing the Business Value of Virtualization in Enterprise and Cloud Computing Environments
ExactTarget
Messaging in the Cloud - Email, SMS and Voice
Freedom OSS
Stairway to the Cloud
Sun
Sun's Incubation Platform: Helping Startups Serve the Enterprise
POWER PANELS:
Cloud Computing & Enterprise IT: Cost & Operational Benefits
How and Why is a Flexible IT Infrastructure the Key To the Future?
Click For 2008 West
Event Webcasts
Audit Certificate Inventory in Java/JDK | @CloudExpo #API #Java #Cloud
Generate list of Certificates used in Java environment

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the Java environment by using a simple shell script. The script checks all certificates that are stored in Keystores. The script generates a report in the form of CSV file and the report contains the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date.

Procedure

1- Create the following Jython script and name it "certsAudit.sh":

#!/bin/bash

# How to run: ./certsAudit.sh (doesn't take any arguments

# Checks for expiring certificates inside a java keystore

todayDate=$(date)

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

password="changeit"

#########################################

############## PROPERTIES ###############

#########################################

baseDirectory=$(dirname "$0")

# load from properties file

###abc. "${baseDirectory}/keyProperties.sh"

newLine=$'\n'

#########################################

################ SCRIPT #################

#########################################

# get the current timestamp

currentTimestamp=$(date +%s)

# return an error if the threshold is less than or equal to the current timestamp

declare -i totalNumOfExipringCerts=0

rm -f /tmp/certLogFile.csv

echo -e "Hostname, Keystore Name, Certifcate Alias, Issue To, Issued By, Expire in Days, Expiry Date" >> /tmp/certLogFile.csv

for keystore in "${keystores[@]}"; do

declare -i numberOfExpiringCerts=0

# try opening the keystore

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" > /dev/null 2>&1

if [ $? -gt 0 ]; then

echo "Error opening the keystore."

exit 1

fi

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" | grep Alias | sed 's/Alias name: //' > /tmp/allAliases

while read alias; do

# iterate through all the certificate aliases

until=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')

untilSeconds=$(date -d "$until" +%s)

remainingDays=$(((untilSeconds-$(date +%s))/60/60/24))

owner=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Owner | sed 's/Owner: //' | sed -r 's/[,]+/./g')

issuer=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Issuer | sed 's/Issuer: //' | sed -r 's/[,]+/./g')

expDate=$(date -d "$until" '+%Y-%b-%d')

###echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate"

echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate" >> /tmp/certLogFile.csv

let numberOfExpiringCerts++

done < /tmp/allAliases

rm -f /tmp/allAliases

done

2- Copy the “certsAudit.sh” file on the WebSphere server (in /tmp folder).

3- Make sure the target server has any version of Java installed. A “keytool” utility is used by the script which comes with Java

4- Edit the “certsAudit.sh” file and update the “keytoolPath” parameter with the location of the keytool file. Usually it is “JAVA_HOME/bin/keytool”.

keytoolPath=<path of keytool>

For example:

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

5- Edit the “certsAudit.sh” file and update the “keystores” parameter with the targeted Java keystore file name(s) with the path.

keystores=(<keystore files>)

For example:

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

6- Edit the “certsAudit.sh” file and update the “password” parameter with the targeted Java keystore password.

password=<keystore password>

For example:

password="changeit"

7- Change the user to WASUSER and the file permission, if needed

8- Go to the “/tmp” folder, where the script file is copied

9- Run the following command.

/tmp/certsAudit.sh

10- Once the script executed, it will create "/tmp/certsLogFile.csv" file

11- Copy the "certsLogFile.csv" file the desktop by using the ftp/scp client

12- Review the csv file

Conclusion
The generated report captures the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.

About Asim Saddal
Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

Latest Cloud Developer Stories
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build ...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and l...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product beg...
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just ...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021



SYS-CON Featured Whitepapers
ADS BY GOOGLE