Thursday, January 27, 2011

Java Keytool

Ohhhh Goodness......!

Dealing with lots of Java stuff nowadays, that too with SSL certificates.

So thought of sharing some information (commands, rather, which I commonly use) on it..

This world is no more secure....! Especially when it comes to communication, one needs to be more cautious.

To protect information passed to and from a web site we encrypt it using SSL/TLS. Encryption alone is not enough, though: we also need a way to certify the identity of the server, the client, or both (in the case of two-way SSL). The client can authenticate with a username and password, but the server needs some mechanism to prove that the information you send to it actually ends up in the right hands.

Take the case of a credit card transaction. We need to know that we are talking to the correct party, that the information we pass is transmitted confidentially, and that the message is not tampered with on the way. HTTPS solves all three problems. It guarantees the identity of the server (and optionally also the identity of the client) through the use of certificates, and it encrypts and integrity-protects the communication.

PKI - Every entity is associated with a key pair: one public key and one private key. When two entities communicate, each keeps its own private key secret and uses the other party's public key. Anything encrypted with a public key can be decrypted only with the matching private key, which is what lets the two entities set up a channel that nobody else can read.

A public key is essentially a publicly available number associated with a particular entity, and everyone who is supposed to communicate securely with that entity needs to know this number.

A private key is also a number, but one that is kept secret. In a typical public key cryptosystem, such as RSA or DSA, a private key corresponds to exactly one public key.

Only the private key can be used to create a signature, but anyone holding the public key can verify that signature. This means an entity can prove that it possesses its private key without ever giving away what it is, and that property is what certificates are built on.

"keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers."

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. Keytool stores keys and certificates in what is called a keystore. A keystore holds two kinds of entries: key entries (a private key together with the certificate chain that vouches for its public key) and trusted certificate entries (CA certificates you have decided to trust). For a web server the keystore contains the private key and every certificate needed to complete the chain of trust from your own certificate up to a root.

Every entry in a Java keystore is identified by a unique alias. When creating a keystore for a web site you first generate a key pair; the new .jks file then contains only that key entry, with a self-signed certificate as a placeholder. You then generate a CSR from it and have a CA issue a certificate. Finally you import the CA's root and intermediate certificates, followed by your signed certificate under the key pair's alias.

Below, we have listed the most common Java Keytool keystore commands and their usage:

Java Keytool Commands for Creating and Importing

These commands let you generate a new keystore, create a CSR, and import certificates. Any root or intermediate certificates must be imported (as trusted entries, each under its own alias) before the signed certificate for your domain: keytool validates a certificate reply by building a chain from it to a trusted certificate, and rejects the reply if it cannot.

  • Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias "mydomain" -keystore keystore.jks -file mydomain.csr

  • Import a root or intermediate CA certificate to an existing Java keystore (each one under its own alias; these become trusted certificate entries)

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

  • Import the signed primary certificate to an existing Java keystore. The alias must be the one the key pair was generated under: keytool then treats the file as a certificate reply, checks that it chains to a trusted entry and attaches it to the private key, instead of creating another trusted entry.

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate. -genkeypair is the current name of the command (-genkey still works as an alias). Give -keysize explicitly, since older JDKs default to 1024-bit RSA, which is too weak. Putting -storepass "password" on the command line, as is often shown, leaves the password in your shell history and visible to anyone running ps; leave it out and let keytool prompt for it, or use the -storepass:env / -storepass:file forms.

keytool -genkeypair -keyalg RSA -keysize 2048 -alias "selfsigned" -keystore keystore.jks -validity 360

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

  • Check a stand-alone certificate

keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

  • Delete a certificate from a Java Keytool keystore

keytool -delete -alias "mydomain" -keystore keystore.jks

  • Change a Java keystore password (this is the store password; each private key entry also has its own key password, which is changed with the -keypasswd command)

keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore. Without -keystore, keytool silently uses ~/.keystore, so always name the file. Add -rfc for PEM output instead of DER. Only the certificate is exported, never the private key; if you really need the key itself, convert the whole store to PKCS12 with -importkeystore and take it from there.

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List the CA certificates the JVM trusts by default (the cacerts truststore; on JDK 9 and later the path is $JAVA_HOME/lib/security/cacerts). Its default password is the well-known 'changeit'.

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import a new CA into the trusted certs. Be aware that this makes every application running on this JRE trust that CA, and the file is replaced when the JDK is upgraded. For a single application it is better to keep its own truststore and point the JVM at it with -Djavax.net.ssl.trustStore.

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
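The commands above are the individual steps. Here is an added end-to-end example, not from the original post, that ties them together as a script which runs offline by playing its own CA with keytool -gencert at the point where you would normally send the CSR to a commercial CA. It assumes a JDK (7 or later) with keytool on the PATH; the aliases ca, root and mydomain, the names mydomain.example and Demo Root CA, and the scratch directory are invented for the demo. Note the order in which the issuer and the signed certificate are imported, and that the password travels through the environment rather than the command line.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create a keystore, issue a CSR,
# have a CA sign it, import the chain in the right order, and verify.
# Assumptions: keytool (JDK 7 or later) on PATH; all names below are invented.
set -eu

# Keystore/key password comes from the environment so it is not visible in
# `ps` or shell history the way -storepass "password" on the command line is.
export KS_PASS="${KS_PASS:-demo-only-change-me}"

# keytool wrapper: chatter goes to stderr, any failure aborts the subshell below
kt() {
    keytool "$@" 1>&2 || { echo "keytool $1 failed" >&2; exit 1; }
}

# Runs the whole workflow in a scratch directory and prints the keystore path.
# Returns 0 on success, 1 on failure, 2 when keytool is not installed.
keytool_workflow() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 2; }
    work=$(mktemp -d)
    (
        cd "$work" || exit 1

        # 1. Throwaway CA: key pair plus self-signed CA cert (BasicConstraints CA:true).
        #    In real life this is the commercial or internal CA you send the CSR to.
        kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
           -dname "CN=Demo Root CA, O=Example" -ext bc:c -validity 3650 \
           -keystore ca.jks -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS
        kt -exportcert -rfc -alias ca -keystore ca.jks -storepass:env KS_PASS -file ca.crt

        # 2. The server keystore from the post: key pair with a placeholder self-signed cert.
        kt -genkeypair -alias mydomain -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
           -dname "CN=mydomain.example, O=Example" -validity 365 \
           -keystore keystore.jks -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS

        # 3. CSR for the server key.
        kt -certreq -alias mydomain -keystore keystore.jks \
           -storepass:env KS_PASS -keypass:env KS_PASS -file mydomain.csr

        # 4. CA signs the request (a SAN is added so modern clients accept the host name).
        kt -gencert -alias ca -keystore ca.jks -storepass:env KS_PASS -keypass:env KS_PASS \
           -infile mydomain.csr -outfile mydomain.crt -rfc -validity 365 \
           -sigalg SHA256withRSA -ext san=dns:mydomain.example

        # 5. Import the issuer FIRST, as a trusted entry under its own alias ...
        kt -importcert -noprompt -trustcacerts -alias root -file ca.crt \
           -keystore keystore.jks -storepass:env KS_PASS
        #    ... then the signed cert under the KEY PAIR's alias: keytool recognises it
        #    as a certificate reply, builds the chain to the trusted entry and attaches
        #    it to the private key. Reversing the two imports makes this step fail.
        kt -importcert -noprompt -trustcacerts -alias mydomain -file mydomain.crt \
           -keystore keystore.jks -storepass:env KS_PASS -keypass:env KS_PASS

        # 6. Check: the key entry must now carry a two-certificate chain (server + CA).
        listing=$(keytool -list -v -keystore keystore.jks -storepass:env KS_PASS -alias mydomain)
        case "$listing" in
            *"Certificate chain length: 2"*) ;;
            *) echo "alias mydomain does not carry a 2-certificate chain" >&2; exit 1 ;;
        esac
    ) || return 1
    echo "$work/keystore.jks"
}

# Stand-alone use: run the workflow and report where the keystore ended up.
if ks=$(keytool_workflow); then
    echo "signed certificate and CA chain installed in $ks"
fi
```

Run it as a script; it prints the path of the finished keystore.jks, which you can inspect with the -list -v command above. With a real CA, step 4 is replaced by sending mydomain.csr off and getting mydomain.crt plus the CA's chain back; the import order in step 5 stays exactly the same.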

Tuesday, January 25, 2011

Changing Console resolution

To change the console resolution, add vga=value to the kernel parameter line of your boot loader. With GRUB legacy that line lives in /boot/grub/menu.lst; with GRUB 2, /boot/grub/grub.cfg is generated, so put the option in GRUB_CMDLINE_LINUX in /etc/default/grub and run update-grub, otherwise the next kernel update overwrites your edit. The option is honoured by the VESA framebuffer console; kernels using kernel mode setting may ignore it.

kernel /boot/vmlinuz-2.6.15-26-386 root=/dev/hda3 ro quiet splash vga=794

The value is picked from the table below (resolution across, color depth down); 794 in the line above is 1280x1024 at 64K colors.

Color depth   640x480   800x600   1024x768   1280x1024
256 colors    769       771       773        775
32K colors    784       787       790        793
64K colors    785       788       791        794
16M colors    786       789       792        795

Monday, April 13, 2009

Commonly used switches in grep

grep cheat sheet
------------------
-i : ignore case
-w : match whole words only (the pattern must not be part of a longer word)
-A n : display n lines after each match
-B n : display n lines before each match
-C n : display n lines of context on both sides of each match
-v : invert the match (print the lines that do NOT match)
-e pattern : give the pattern explicitly; repeat -e to match any of several patterns, or use it when the pattern starts with a dash
-c : count matching lines (lines, not individual matches)
-l : print only the names of the files containing a match
-o : print only the matched part of each line
-b : print the byte offset of each matching line (combine with -o for the offset of the match itself)
-n : print the line number along with each match
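As an added example, not from the original post, the following bash functions put several of these switches to work on a handful of constructed sshd/cron log lines (host name, user names and addresses are invented) to answer the questions a first-pass log review asks: how many failed logins, from where, and what happened right after.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The log lines are constructed
# for the demo; the host name, user names and addresses are invented.
set -eu

sample_log() {
    cat <<'EOF'
Apr 12 10:01:02 host sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Apr 12 10:01:09 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 12 10:01:11 host sshd[2003]: Failed password for root from 203.0.113.7 port 40130 ssh2
Apr 12 10:01:15 host sshd[2004]: failed password for bob from 198.51.100.9 port 40200 ssh2
Apr 12 10:02:00 host cron[2100]: (root) CMD (run-parts /etc/cron.hourly)
Apr 12 10:02:30 host sshd[2005]: Accepted password for bob from 198.51.100.9 port 40210 ssh2
EOF
}

# -i: case-insensitive, so "Failed" and "failed" both count; -w: whole word only;
# -c: number of matching LINES, not the number of matches.
failed_login_count() {
    sample_log | grep -i -w -c "failed"
}

# -o prints only the matched text and -E enables extended regexes. The tally
# per source address is the first thing to look at in a brute-force review.
# Output: one "address:count" per line, busiest source first.
failed_login_sources() {
    sample_log | grep -i "failed password" \
        | grep -oE 'from [0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d' ' -f2 \
        | sort | uniq -c | sort -rn | awk '{print $2":"$1}'
}

# -v inverts the match: count the lines that are NOT from sshd.
non_sshd_lines() {
    sample_log | grep -v -c 'sshd\['
}

# -n adds line numbers and -A 1 one line of context after each hit; handy to
# see whether a burst of failures for a user ended in an "Accepted".
failed_then_context() {
    sample_log | grep -n -i -A 1 "failed password for bob"
}
```

Each function reads the embedded sample; point sample_log at a real file (for example, cat /var/log/auth.log) to use the same pipelines on live data.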

Sunday, April 12, 2009

Timestamp with history

$ history
retrieves the list of commands you have run. For auditing purposes it helps to see when each command was run; the HISTTIMEFORMAT variable does exactly that (the format is the one strftime/date uses, so %F %T gives YYYY-MM-DD HH:MM:SS):
$ export HISTTIMEFORMAT='%F %T '
Now each line of 'history' output carries the date and time in front of the command.

Include the variable in your appropriate shell initialization file (~/.bashrc for bash) to make it permanent. Two caveats: bash only starts writing timestamps to the history file once HISTTIMEFORMAT is set, so entries recorded before that show the time the history file was loaded rather than when the command actually ran; and ~/.bash_history is owned and writable by the user, so this is a convenience for your own record keeping, not a tamper-proof audit trail. For real auditing use a system-level mechanism such as auditd or process accounting.

Thursday, April 2, 2009

Customise vi/vim - I

Correcting spelling mistakes automatically
------------------------------------------------
You can customise vi/vim according to your requirements using the ~/.vimrc file. You can even make vim learn the correct spelling of words you habitually mistype.

Suppose you have noticed that you usually commit some typos (teh for the, for example). We will see how to teach vi/vim to correct these mistakes automatically.
Open the ~/.vimrc file, key in the line below and save the file.

iab teh the

The syntax is as follows (iab is short for iabbrev, an abbreviation that is expanded in insert mode).
iab incorrect_word correct_word

A plug-in for vim is available from http://www.vim.org/ which is essentially a collection of the common mistakes we make; it is quite a big repository which we can make use of.

Installing the autocorrect.tar plug-in
------------------------------------------
$ wget -O autocorrect.tar http://www.vim.org/scripts/download_script.php?src_id=9900

$ tar xf autocorrect.tar
Edit the ~/.vimrc file and key in the line below (the leading colon is not needed in vimrc, although vim tolerates it)
$ vi ~/.vimrc
source ~/autocorrect.vim

Note: If you don't want the auto correction permanently, you can source the file for the current vim session only, as below
:source ~/autocorrect.vim

If you want to temporarily stop the abbreviation for a word, you can use ':unabbreviate' (short form ':uab') while in vim
:uab teh


Tuesday, March 31, 2009

Directory stack

Navigating directories using dirs, pushd and popd


A stack is temporary data storage based on LIFO (last in, first out): the last item you push onto the stack is the first item you pop out.
We need pushd, popd and dirs to play around with the directory stack:
pushd: pushes or adds a directory to the directory stack (when given a path it also changes into that directory)
popd: pops or removes the top directory from the stack and changes into the directory now on top (last in first out, LIFO)
dirs: displays the contents of the stack
The directory stack can be really useful if you need to navigate to directories with very long paths, and you need to do it very often.


/tmp/very/long/directory/structure/that/is/too/deep
/tmp/hard/to/navigate/this/directory/structure
/some/structure/which/i/donot/prefer/navigating/often


Let us take the sample directory structures given above.
One way to make the navigation easy, if you have to do it frequently, is to set aliases, as given below
$ alias godeep="cd /tmp/very/long/directory/structure/that/is/too/deep"
OR, you can make use of the directory stack.

The dirs command lists the contents of the directory stack. The first entry it shows is always the current directory, not something you pushed; with nothing pushed yet, that is all it shows.

$ cd /tmp/very/long/directory/structure/that/is/too/deep
$ pushd .

$ cd /tmp/hard/to/navigate/this/directory/structure
$ pushd .

$ cd /some/structure/which/i/donot/prefer/navigating/often
$ pushd .

(pushd /path/to/dir does the cd and the push in one step.)

The output of the dirs command will then show the current directory followed by the pushed entries, newest first. dirs -v prints them one per line with their index, 0 being the current directory.

If you want to navigate to the entry at index 3 (the first directory pushed, in this case) issue the following command
$ cd `dirs +3`
pushd +3 does the same, but also rotates the stack so that entry becomes the top.

To remove the top element from the stack (and change into the entry that is now on top) issue the popd command as follows
$ popd

Wednesday, March 25, 2009

Running jobs in background

When you log in to a Linux machine, the shell opens three I/O channels that every process spawned from that shell inherits: stdin (standard input), stdout (standard output) and stderr (standard error). All three point at your terminal.

Jobs can be put into the background with ^Z followed by the 'bg' command (or started there directly with a trailing '&'). These jobs keep using the three I/O channels discussed above.

Once you log out, the terminal behind those channels is gone. The shell sends SIGHUP (hang up) to the jobs it started, and a process that has not arranged to ignore that signal is terminated right there. A job that does survive, because something ignored SIGHUP on its behalf, has been orphaned: it no longer belongs to any shell, so it will not appear in the 'jobs' list, and whatever it writes to the vanished terminal fails with an I/O error instead of being seen by anyone, even though the process itself still shows up in 'ps -elf'.

To keep a long-running job alive across logout and still get at its output, start it with 'nohup', which makes the job ignore SIGHUP, and redirect its output to a file yourself (otherwise nohup dumps it into nohup.out).
eg: $ nohup tail -f /var/log/messages > message.out 2>&1 &
$ tail -f message.out

Or you can use the 'screen' command, as discussed elsewhere in this blog.
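An added demonstration of the nohup point, not from the original post: it starts a plain background job and a nohup'd one, sends both the SIGHUP a logout would deliver, and reports which one survived. The sleep durations and the kill -0 liveness check are the demo's own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: shows why a job started with
# nohup survives the SIGHUP that a logout delivers while a plain one does not.
set -u

# Starts two background jobs, sends both SIGHUP, and reports their fate.
# Returns 0 if the nohup'd job is still alive afterwards, 1 otherwise.
hup_demo() {
    # plain background job: SIGHUP keeps its default action, which is to terminate
    sleep 5 &
    plain=$!

    # nohup sets SIGHUP to "ignore" before exec'ing the command; output is
    # redirected explicitly so it lands neither on the terminal nor in nohup.out
    nohup sleep 20 >/dev/null 2>&1 &
    immune=$!

    sleep 1
    # what a logout does: the shell sends SIGHUP to every job it started
    kill -HUP "$plain" "$immune" 2>/dev/null || true

    # wait returns 128 + signal number when the child was killed by a signal;
    # SIGHUP is signal 1, so 129 means "killed by SIGHUP"
    plain_status=0
    wait "$plain" || plain_status=$?
    echo "plain job exit status: $plain_status (129 = killed by SIGHUP)"

    # kill -0 sends no signal; it only checks that the process still exists
    if kill -0 "$immune" 2>/dev/null; then
        echo "nohup'd job $immune is still running after SIGHUP"
        kill "$immune" 2>/dev/null
        wait "$immune" 2>/dev/null || true
        return 0
    fi
    echo "nohup'd job died; is SIGHUP already ignored in this shell?"
    return 1
}

hup_demo
```

On a normal login shell the plain job reports status 129 and the nohup'd one is still there; if the plain job also survives, the shell you ran this from was itself started with SIGHUP ignored (for example under nohup or setsid), which children inherit.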