Using the Java keytool with Bouncy Castle Key and Trust Stores
Use the Java keytool command to manipulate key and trust stores, which includes listing the aliases or contents, exporting certificates, and merging trust stores.
keytool Requires Additional Parameters
The Bouncy Castle BCFKS provider is not installed as part of the JDK but is bundled with the HPE Ezmeral Data Fabric core distribution. The Java keytool command therefore needs additional options that name the BCFKS provider and the path to its jar. The following keytool command shows how to view the fips9.cluster.com alias; the -storetype, -provider, -providerpath, and -providername options are the additional, required parameters.

${JAVA_HOME}/bin/keytool -list -alias fips9.cluster.com \
-storepass JNMdxFTlFZ5iMlusFE4l0oaqV06InHYr \
-keystore /opt/mapr/conf/ssl_keystore.bcfks \
-storetype bcfks \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
-providername BCFIPS
FIPS-Approved Key and Trust Stores
Two key and trust stores are approved for hosts in FIPS mode:
- For Java applications, the Bouncy Castle BCFKS key and trust stores are used. This is new for release 7.0.0.
- For non-Java applications, the existing PKCS#12 key and trust stores, as well as PEM files, are used. The keytool command cannot be used for the PKCS#12 key and trust stores in FIPS mode; use the openssl pkcs12 commands instead.
Key and Trust Stores for Java Applications
The Bouncy Castle FIPS-approved BCFKS store format is the only store type that the HPE Ezmeral Data Fabric core platform uses when FIPS mode is enabled. In addition to the regular parameters for manipulating key and trust stores, you must specify the provider parameters (-storetype, -providername, -providerclass, -provider, and -providerpath) shown in the following examples.
For example, suppose the key store password is 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT. (Obtain key and trust store passwords from the key or trust store property in ${MAPR_HOME}/conf/store-passwords.txt after installation; that file holds the passwords in clear text, so restrict its permissions accordingly.) A password given with -storepass or -keypass on the command line, as in the examples that follow, is visible in process listings and shell history; keytool also accepts the -storepass:env VARIABLE and -storepass:file PATH forms (and likewise for -keypass), which avoid that. Use keytool to generate a new key pair and add it to the key store as shown below:

# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \
-storetype BCFKS \
-providername BCFIPS \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath bc-fips-1.0.2.jar \
-alias hpe188.cluster.com \
-genkeypair -sigalg SHA512withRSA -keyalg RSA -storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \
-dname CN=hpe188.cluster.com -keypass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT
To import a certificate into the key store manually (-import is the older spelling of -importcert; if the alias does not yet exist, the certificate is stored as a trustedCertEntry, and if the alias names an existing key pair, the certificate is treated as a CA reply for that key):

# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \
-storetype BCFKS \
-providername BCFIPS \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath bc-fips-1.0.2.jar \
-alias qaclient \
-storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \
-keypass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \
-import \
-file <path-to-certificate-file>
To view the contents of the keystore, use the keytool -list command. The storetype, providername, providerclass, provider, providerpath, and storepass options are required; the alias option restricts the listing to one entry and can be omitted to list every entry in the store. The storetype, providername, providerclass, provider, and providerpath options must always be set to the values shown below:

# keytool -keystore /opt/mapr/conf/ssl_keystore.bcfks \
-storetype BCFKS \
-providername BCFIPS \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath bc-fips-1.0.2.jar \
-alias hpe186.cluster.com \
-storepass 4HHXZzoU665Lt_ZOyLNMAtqnW_t7SQcT \
-list

hpe186.cluster.com, Mar 1, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 69:30:5A:50:6F:4C:17:7F:CD:EA:B3:F9:FE:FE:96:A5:40:05:C2:FF:76:C0:86:35:1E:93:E9:A5:2C:12:96:C3
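Every command on this page repeats the same provider options and passes the store password on the command line. The wrapper below is an added example for this page; it is not HPE's code and not part of the product. It collects the required BCFKS options in one place, reads passwords from environment variables (keytool's -storepass:env form and openssl's -passin env: form) so they never appear in argv, and adds the export and trust-store merge operations that the introduction mentions but the page does not show, plus the openssl pkcs12 listing used for the non-Java stores. The names bcfks_keytool, BCFKS_STOREPASS, BCFKS_SRC_STOREPASS, P12_PASS, BC_FIPS_JAR and DRY_RUN, the default jar location, and the choice of -providerclass (the option name keytool documents for the provider class) instead of the page's -provider are my assumptions.

```bash
#!/usr/bin/env bash
# Added example, not HPE Ezmeral Data Fabric tooling: keytool/openssl wrappers
# for FIPS-mode key and trust stores.
#
# Assumptions (mine, not from the page):
#   - MAPR_HOME defaults to /opt/mapr and the FIPS jar to
#     $MAPR_HOME/lib/bc-fips-1.0.2.1.jar (override with BC_FIPS_JAR);
#   - the operator exports BCFKS_STOREPASS (and BCFKS_SRC_STOREPASS for merges,
#     P12_PASS for PKCS#12 stores) before running; keytool reads them via
#     -storepass:env / -srcstorepass:env and openssl via -passin env:;
#   - -providerclass is used instead of the page's -provider spelling;
#   - DRY_RUN=1 prints the command that would run instead of running it.
set -u

: "${MAPR_HOME:=/opt/mapr}"
: "${BC_FIPS_JAR:=$MAPR_HOME/lib/bc-fips-1.0.2.1.jar}"
: "${KEYTOOL:=${JAVA_HOME:-/usr}/bin/keytool}"
: "${OPENSSL:=openssl}"
: "${DRY_RUN:=0}"

# Run a command, or under DRY_RUN=1 print it (space-separated) instead.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s ' "$@"
        printf '\n'
    else
        "$@"
    fi
}

# keytool with the BCFKS provider options appended. The caller supplies the
# operation and its own options (-list, -importcert, -exportcert, -importkeystore).
# For -importkeystore, -storetype/-providername/-storepass apply to the
# destination store, so the same wrapper serves merges.
bcfks_keytool() {
    run "$KEYTOOL" "$@" \
        -storetype BCFKS \
        -providername BCFIPS \
        -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
        -providerpath "$BC_FIPS_JAR" \
        -storepass:env BCFKS_STOREPASS
}

# List every entry of a BCFKS store (no -alias, so all entries are shown).
list_entries() {
    bcfks_keytool -list -v -keystore "$1"
}

# Export one alias's certificate as PEM (-rfc) to a file.
export_cert() {
    local store=$1 alias=$2 out=$3
    bcfks_keytool -exportcert -rfc -keystore "$store" -alias "$alias" -file "$out"
}

# Merge one BCFKS trust store into another. -noprompt makes keytool overwrite
# an alias that already exists in the destination (it prints a warning); drop
# it to be asked per alias instead.
merge_truststores() {
    local src=$1 dest=$2
    bcfks_keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype BCFKS -srcprovidername BCFIPS \
        -srcstorepass:env BCFKS_SRC_STOREPASS \
        -destkeystore "$dest"
}

# Non-Java (PKCS#12) stores in FIPS mode are handled with openssl, not keytool:
# print the certificates in a .p12 store without touching its private keys.
p12_list_certs() {
    run "$OPENSSL" pkcs12 -info -nokeys -in "$1" -passin env:P12_PASS
}

# Stand-alone demonstration: show the exact keytool invocation without
# opening any store.
DRY_RUN=1 list_entries "$MAPR_HOME/conf/ssl_truststore.bcfks"
```

Export BCFKS_STOREPASS (for example from the trust store property in ${MAPR_HOME}/conf/store-passwords.txt) and then call list_entries, export_cert or merge_truststores with the store paths; set DRY_RUN=1 first to review the command before it runs against a production store.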