Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Expo on Google News
SYS-CON.TV

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
Audit Certificate Inventory in Java/JDK | @CloudExpo #API #Java #Cloud
Generate list of Certificates used in Java environment

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the Java environment by using a simple shell script. The script checks all certificates that are stored in Keystores. The script generates a report in the form of CSV file and the report contains the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date.

Procedure

1- Create the following Jython script and name it "certsAudit.sh":

#!/bin/bash

# How to run: ./certsAudit.sh (doesn't take any arguments

# Checks for expiring certificates inside a java keystore

todayDate=$(date)

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

password="changeit"

#########################################

############## PROPERTIES ###############

#########################################

baseDirectory=$(dirname "$0")

# load from properties file

###abc. "${baseDirectory}/keyProperties.sh"

newLine=$'\n'

#########################################

################ SCRIPT #################

#########################################

# get the current timestamp

currentTimestamp=$(date +%s)

# return an error if the threshold is less than or equal to the current timestamp

declare -i totalNumOfExipringCerts=0

rm -f /tmp/certLogFile.csv

echo -e "Hostname, Keystore Name, Certifcate Alias, Issue To, Issued By, Expire in Days, Expiry Date" >> /tmp/certLogFile.csv

for keystore in "${keystores[@]}"; do

declare -i numberOfExpiringCerts=0

# try opening the keystore

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" > /dev/null 2>&1

if [ $? -gt 0 ]; then

echo "Error opening the keystore."

exit 1

fi

$keytoolPath -list -v -keystore "$keystore" -storepass "$password" | grep Alias | sed 's/Alias name: //' > /tmp/allAliases

while read alias; do

# iterate through all the certificate aliases

until=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')

untilSeconds=$(date -d "$until" +%s)

remainingDays=$(((untilSeconds-$(date +%s))/60/60/24))

owner=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Owner | sed 's/Owner: //' | sed -r 's/[,]+/./g')

issuer=$($keytoolPath -list -v -keystore "$keystore" -storepass "$password" -alias "$alias" | grep Issuer | sed 's/Issuer: //' | sed -r 's/[,]+/./g')

expDate=$(date -d "$until" '+%Y-%b-%d')

###echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate"

echo -e "\t $HOSTNAME, $keystore, $alias, $owner, $issuer, $remainingDays, $expDate" >> /tmp/certLogFile.csv

let numberOfExpiringCerts++

done < /tmp/allAliases

rm -f /tmp/allAliases

done

2- Copy the “certsAudit.sh” file on the WebSphere server (in /tmp folder).

3- Make sure the target server has any version of Java installed. A “keytool” utility is used by the script which comes with Java

4- Edit the “certsAudit.sh” file and update the “keytoolPath” parameter with the location of the keytool file. Usually it is “JAVA_HOME/bin/keytool”.

keytoolPath=<path of keytool>

For example:

keytoolPath="/opt/IBM/ibm-java-i386-60/bin/keytool"

5- Edit the “certsAudit.sh” file and update the “keystores” parameter with the targeted Java keystore file name(s) with the path.

keystores=(<keystore files>)

For example:

keystores=("/opt/IBM/ibm-java-i386-60/jre/lib/security/cacerts" "/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts")

6- Edit the “certsAudit.sh” file and update the “password” parameter with the targeted Java keystore password.

password=<keystore password>

For example:

password="changeit"

7- Change the user to WASUSER and the file permission, if needed

8- Go to the “/tmp” folder, where the script file is copied

9- Run the following command.

/tmp/certsAudit.sh

10- Once the script executed, it will create "/tmp/certsLogFile.csv" file

11- Copy the "certsLogFile.csv" file the desktop by using the ftp/scp client

12- Review the csv file

Conclusion
The generated report captures the hostname, Keystore Name, Certificate Alias, Issues to (common name), Issued by, Expire in number of Days and Expiration Date. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.

About Asim Saddal
Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

Latest AJAXWorld RIA Stories
Your job is mostly boring. Many of the IT operations tasks you perform on a day-to-day basis are repetitive and dull. Utilizing automation can improve your work life, automating away the drudgery and embracing the passion for technology that got you started in the first place. In...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and l...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product beg...
CloudEXPO New York 2018, colocated with DevOpsSUMMIT and DXWorldEXPO New York 2018 will be held November 12-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI and Machine Le...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks w...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021


SYS-CON Featured Whitepapers
ADS BY GOOGLE