Using the Java keytool with Bouncy Castle Key and Trust Stores

Use the Java keytool command to manipulate key and trust stores, which includes listing the aliases or contents, exporting certificates, and merging trust stores.

keytool Requires Additional Parameters

The Bouncy Castle BCFKS provider is not installed as part of the JDK but is bundled with the HPE Ezmeral Data Fabric core distribution. The Java keytool command therefore needs additional options that name the BCFKS provider and its jar path. The following keytool command shows how to view the fips9.cluster.com alias; the additional, required parameters are -storetype, -provider, -providerpath, and -providername.
{JAVA_HOME}/bin/keytool -list -alias fips9.cluster.com \
    -storepass JNMdxFTlFZ5iMlusFE4l0oaqV06InHYr \
    -keystore /opt/mapr/conf/ssl_keystore.bcfks \
    -storetype bcfks \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS

FIPS-Approved Key and Trust Stores

Two key and trust stores are approved for hosts in FIPS mode:
  • For Java applications, the Bouncy Castle BCFKS key and trust stores are used. This is new for release 7.0.0.
  • For non-Java applications, the existing PKCS#12 key and trust stores, as well as PEM files, are used. The keytool command cannot be used for the PKCS#12 key and trust stores in FIPS mode; you must use the openssl pkcs12 commands instead.

Key and Trust Stores for Java Applications

The Bouncy Castle FIPS-approved BCFKS store format is the only store type used by the HPE Ezmeral Data Fabric core platform when FIPS mode is enabled. In addition to the regular parameters for manipulating key and trust stores, you must specify the provider parameters (-storetype, -providername, -providerclass, -provider, and -providerpath) shown in the following examples.

For example, suppose the key store password is 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT. (Obtain key and trust store passwords from the key or trust store property in ${MAPR_HOME}/conf/store-passwords.txt after installation.) Use keytool to generate a new key pair and add it to the key store as shown below:
# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \ 
  -storetype BCFKS \ 
  -providername BCFIPS \ 
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
  -providerpath bc-fips-1.0.2.jar \ 
  -alias hpe188.cluster.com \ 
  -genkeypair -sigalg SHA512withRSA -keyalg RSA -storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \ 
  -dname CN=hpe188.cluster.com -keypass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT 
To import a certificate into the key store manually:
# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \ 
  -storetype BCFKS \ 
  -providername BCFIPS \ 
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
  -providerpath bc-fips-1.0.2.jar \ 
  -alias qaclient \ 
  -storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \ 
  -keypass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \ 
  -import \ 
  -file <path-to-certificate-file> 
To view the contents of the key store, use the keytool -list command. The storetype, providername, providerclass, provider, providerpath, alias, and storepass options are required. The storetype, providername, providerclass, provider, and providerpath options must always be set to the values shown below:
# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \
  -storetype BCFKS \
  -providername BCFIPS \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath bc-fips-1.0.2.jar \
  -alias hpe186.cluster.com \
  -storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \
  -list
hpe186.cluster.com, Mar 1, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 69:30:5A:50:6F:4C:17:7F:CD:EA:B3:F9:FE:FE:96:A5:40:05:C2:FF:76:C0:86:35:1E:93:E9:A5:2C:12:96:C3
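Because every keytool call against a BCFKS store needs the same provider options, a small wrapper keeps them in one place and reads the store password from store-passwords.txt instead of typing it on the command line (where it would be visible in the process list and shell history). This is an added example, not a script from the HPE documentation; it assumes store-passwords.txt is a key=value properties file, that the property name passed in (for example the hypothetical ssl.keystore.password) exists there, and that keytool accepts the -storepass:env form (JDK 8 and later).

```shell
#!/bin/sh
# Added example: keytool wrapper for Bouncy Castle BCFKS key and trust stores.
# Assumptions (not from the HPE documentation): store-passwords.txt is a
# key=value properties file; keytool supports -storepass:env (JDK 8+); the
# jar path contains no whitespace.

MAPR_HOME="${MAPR_HOME:-/opt/mapr}"
BC_FIPS_JAR="${BC_FIPS_JAR:-$MAPR_HOME/lib/bc-fips-1.0.2.1.jar}"

# Emit the provider options every BCFKS keytool call requires, one per line.
bcfks_opts() {
  printf '%s\n' \
    -storetype BCFKS \
    -providername BCFIPS \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath "$BC_FIPS_JAR"
}

# store_password FILE KEY: print the value of KEY from a key=value file.
# Prints nothing and returns 1 when the key is absent or empty, so callers
# never run keytool with a blank password by accident.
store_password() {
  _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
  [ -n "$_val" ] || return 1
  printf '%s\n' "$_val"
}

# bcfks_keytool KEY STORE ARGS...: run keytool against STORE with the BCFKS
# provider options, passing the password for property KEY via the environment.
bcfks_keytool() {
  _key=$1; _store=$2; shift 2
  BCFKS_PASS=$(store_password "$MAPR_HOME/conf/store-passwords.txt" "$_key") || {
    echo "bcfks_keytool: no value for $_key in store-passwords.txt" >&2
    return 1
  }
  # Word-splitting of $(bcfks_opts) is intended: one argument per line.
  set -- -keystore "$_store" -storepass:env BCFKS_PASS $(bcfks_opts) "$@"
  BCFKS_PASS="$BCFKS_PASS" "${JAVA_HOME:-/usr}/bin/keytool" "$@"
}

# Usage (hypothetical property name):
#   bcfks_keytool ssl.keystore.password /opt/mapr/conf/ssl_keystore.bcfks \
#       -list -alias fips9.cluster.com
```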