10.11.2. Create a Java Keystore to Store Sensitive Strings


Prerequisites

  • The keytool command must be available to use. It is provided by the Java Runtime Environment (JRE). Locate the path for the file. In Red Hat Enterprise Linux, it is installed to /usr/bin/keytool.

Procedure 10.5. Set up a Java Keystore

  1. Create a directory to store your keystore and other encrypted information.

    Create a directory to hold your keystore and other important information. The rest of this procedure assumes that the directory is /home/USER/vault/.
  2. Determine the parameters to use with keytool.

    Determine the following parameters:
    alias
    The alias is a unique identifier for the vault or other data stored in the keystore. The alias in the example command at the end of this procedure is vault. Aliases are case-insensitive.
    keyalg
    The algorithm to use for encryption. The example in this procedure uses RSA. Use the documentation for your JRE and operating system to see which other choices may be available to you.
    keysize
    The size of an encryption key impacts how difficult it is to decrypt through brute force. The example in this procedure uses 2048. For information on appropriate values, see the documentation distributed with the keytool.
    keystore
    The keystore is a database which holds encrypted information and the information about how to decrypt it. If you do not specify a keystore, the default keystore to use is a file called .keystore in your home directory. The first time you add data to a keystore, it is created. The example in this procedure uses the vault.keystore keystore.
    The keytool command has many other options. Refer to the documentation for your JRE or your operating system for more details.
  3. Determine the answers to the questions the keytool command will ask.

    The keytool command needs the following information in order to populate the keystore entry:
    Keystore password
    When you create a keystore, you must set a password. In order to work with the keystore in the future, you need to provide the password. Create a strong password that you will remember. The keystore is only as secure as its password and the security of the file system and operating system where it resides.
    Key password (optional)
    In addition to the keystore password, you can specify a password for each key it holds. In order to use such a key, the password needs to be given each time it is used. Usually, this facility is not used.
    First name (given name) and last name (surname)
    This, and the rest of the information in the list, helps to uniquely identify the key and place it into a hierarchy of other keys. It does not necessarily need to be a name at all, but it should be two words, and must be unique to the key. The example in this procedure uses Accounting Administrator. In directory terms, this becomes the common name of the certificate.
    Organizational unit
    This is a single word that identifies who uses the certificate. It may be the application or the business unit. The example in this procedure uses AccountingServices. Typically, all keystores used by a group or application use the same organizational unit.
    Organization
    This is usually a single-word representation of your organization's name. This typically remains the same across all certificates used by an organization. This example uses MyOrganization.
    City or municipality
    Your city.
    State or province
    Your state or province, or the equivalent for your locality.
    Country
    The two-letter code for your country.
    All of this information together will create a hierarchy for your keystores and certificates, ensuring that they use a consistent naming structure but are unique.
  4. Run the keytool command, supplying the information that you gathered.

    Example 10.10. Example input and output of the keytool command

    $ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -keystore /home/USER/vault/vault.keystore
    Enter keystore password: vault22
    Re-enter new password: vault22
    What is your first and last name?
      [Unknown]:  Accounting Administrator
    What is the name of your organizational unit?
      [Unknown]:  AccountingServices
    What is the name of your organization?
      [Unknown]:  MyOrganization
    What is the name of your City or Locality?
      [Unknown]:  Raleigh
    What is the name of your State or Province?
      [Unknown]:  NC
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US correct?
      [no]:  yes
    
    Enter key password for <vault>
            (RETURN if same as keystore password):
    
Result

A file named vault.keystore is created in the /home/USER/vault/ directory. It stores a single key, called vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP 6.
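The following added example (not part of the Red Hat documentation or of JBoss EAP itself) does through the Java KeyStore API what the keytool command in Example 10.10 does, so you can see what that command actually writes: a JCEKS keystore at /home/USER/vault/vault.keystore holding one 128-bit AES secret key under the alias vault. It assumes a POSIX file system (for the owner-only permissions), an interactive terminal (so the password is read without being echoed or placed on the command line, where -storepass would be visible to other users via ps), and that the key password is the same as the keystore password.

```java
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example: equivalent of "keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128". */
public class CreateVaultKeystore {
    static final String ALIAS = "vault";   // -alias vault
    static final String TYPE = "JCEKS";    // -storetype jceks (required for secret keys)
    static final int KEY_BITS = 128;       // -keysize 128 with -keyalg AES

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(System.getProperty("user.home"), "vault");   // /home/USER/vault/
        Path ksPath = dir.resolve("vault.keystore");
        // This example refuses to touch an existing file; keytool would add the alias to it instead.
        if (Files.exists(ksPath)) throw new IllegalStateException(ksPath + " already exists");
        // Owner-only directory: the keystore is only as secure as the file system protecting it.
        Files.createDirectories(dir,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));

        Console con = System.console();
        if (con == null) throw new IllegalStateException("run from an interactive terminal");
        char[] storePass = con.readPassword("Enter keystore password: ");
        char[] again = con.readPassword("Re-enter new password: ");
        if (!Arrays.equals(storePass, again)) throw new IllegalArgumentException("passwords do not match");
        Arrays.fill(again, '\0');

        KeyStore ks = KeyStore.getInstance(TYPE);
        ks.load(null, null);                              // start from an empty keystore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS);
        SecretKey key = kg.generateKey();
        // Key password equals the keystore password (the "RETURN if same as keystore password" case).
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(storePass));
        try (OutputStream out = Files.newOutputStream(ksPath)) { ks.store(out, storePass); }
        Files.setPosixFilePermissions(ksPath, PosixFilePermissions.fromString("rw-------"));

        // Verify the result the way "keytool -list" would: reload and check the alias is a secret key.
        KeyStore check = KeyStore.getInstance(TYPE);
        try (InputStream in = Files.newInputStream(ksPath)) { check.load(in, storePass); }
        if (!check.entryInstanceOf(ALIAS, KeyStore.SecretKeyEntry.class))
            throw new IllegalStateException("alias " + ALIAS + " was not stored");
        Arrays.fill(storePass, '\0');                     // do not keep the password in memory
        System.out.println("Created " + ksPath + " with secret-key alias '" + ALIAS + "'");
    }
}
```

Loading the file with a wrong password fails in check.load(), which is the same check you can run by hand with keytool -list -storetype jceks -keystore /home/USER/vault/vault.keystore.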

© 2025 Red Hat