Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Computing
Conference & Expo
November 2-4, 2009 NYC
Register Today and SAVE !..

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
In many cases, the end of the year gives you time to step back and take stock of the last 12 months. This is when many of us take a hard look at what worked and what did not, complete performance reviews, and formulate plans for the coming year. For me, it is all of those things plus a time when I u...
SYS-CON.TV
Audit Certificate Inventory in Java/JDK | @CloudExpo #API #Java #Cloud
Generate list of Certificates used in Java environment

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the Java environment by using a simple shell script. The script checks all certificates that are stored in Keystores. The script generates a report in the form of CSV file and the report contains the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date.

Procedure

1- Create the following Jython script and name it "certsAudit.sh":

#!/bin/bash

# How to run: ./certsAudit.sh (doesn't take any arguments

# Checks for expiring certificates inside a java keystore

todayDate=$(date)

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

password="changeit"

#########################################

############## PROPERTIES ###############

#########################################

baseDirectory=$(dirname "$0")

# load from properties file

###abc. "${baseDirectory}/keyProperties.sh"

newLine=$'\n'

#########################################

################ SCRIPT #################

#########################################

# get the current timestamp

currentTimestamp=$(date +%s)

# return an error if the threshold is less than or equal to the current timestamp

declare -i totalNumOfExipringCerts=0

rm -f /tmp/certLogFile.csv

echo -e "Hostname, Keystore Name, Certifcate Alias, Issue To, Issued By, Expire in Days, Expiry Date" >> /tmp/certLogFile.csv

for keystore in "${keystores[@]}"; do

declare -i numberOfExpiringCerts=0

# try opening the keystore

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" > /dev/null 2>&1

if [ $? -gt 0 ]; then

echo "Error opening the keystore."

exit 1

fi

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" | grep Alias | sed 's/Alias name: //' > /tmp/allAliases

while read alias; do

# iterate through all the certificate aliases

until=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')

untilSeconds=$(date -d "$until" +%s)

remainingDays=$(((untilSeconds-$(date +%s))/60/60/24))

owner=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Owner | sed 's/Owner: //' | sed -r 's/[,]+/./g')

issuer=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Issuer | sed 's/Issuer: //' | sed -r 's/[,]+/./g')

expDate=$(date -d "$until" '+%Y-%b-%d')

###echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate"

echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate" >> /tmp/certLogFile.csv

let numberOfExpiringCerts++

done < /tmp/allAliases

rm -f /tmp/allAliases

done

2- Copy the “certsAudit.sh” file on the WebSphere server (in /tmp folder).

3- Make sure the target server has any version of Java installed. A “keytool” utility is used by the script which comes with Java

4- Edit the “certsAudit.sh” file and update the “keytoolPath” parameter with the location of the keytool file. Usually it is “JAVA_HOME/bin/keytool”.

keytoolPath=<path of keytool>

For example:

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

5- Edit the “certsAudit.sh” file and update the “keystores” parameter with the targeted Java keystore file name(s) with the path.

keystores=(<keystore files>)

For example:

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

6- Edit the “certsAudit.sh” file and update the “password” parameter with the targeted Java keystore password.

password=<keystore password>

For example:

password="changeit"

7- Change the user to WASUSER and the file permission, if needed

8- Go to the “/tmp” folder, where the script file is copied

9- Run the following command.

/tmp/certsAudit.sh

10- Once the script executed, it will create "/tmp/certsLogFile.csv" file

11- Copy the "certsLogFile.csv" file the desktop by using the ftp/scp client

12- Review the csv file

Conclusion
The generated report captures the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.

About Asim Saddal
Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

SOA World Latest Stories
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and sy...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand usin...
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes ...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portabil...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is founda...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder an...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021


SYS-CON Featured Whitepapers
Most Read This Week
ADS BY GOOGLE