Saturday, April 27, 2013

Java keytool quick tips

Creating a keystore from an SSL key and cert


To store an SSL key for Jetty or another Java-based web server, you usually use keytool. First convert the key and certificate to PKCS#12 format (we're calling the output file jetty.pkcs12). This assumes your key was generated with openssl or something similar, and that you're working in the same directory as the key files:

Convert mykey.key and mykey.crt to PKCS#12 format using openssl (I highly recommend using a passphrase on the key):


openssl pkcs12 -inkey ./mykey.key -in ./mykey.crt -export -out ./jetty.pkcs12

Now convert that PKCS#12 bundle into a Java keystore (we're calling the keystore mykeystore):

keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype pkcs12 -destkeystore mykeystore

Let's list the contents of this keystore:

keytool -list -keystore mykeystore


Add a CA certificate to the default Java CA cert keystore


Java keeps its own CA cert repository, which can be frustrating if you don't update Java on your server frequently. To add a new CA cert (let's assume you just bought an SSL cert online and your CA's certificates were created recently):

1. Find cacerts for your installation. Note that many commercial Java programs like to install their own Java. If you're looking at the default Java location, try:

find /usr -name cacerts

1b. If you're trying to find the cacerts for an application you installed, figure out where Java is being run from:

ps wwaux | grep java

(you'll likely see a path for java, e.g., /opt/java/bin/java or something similar)

Now, find the cacerts:

find /opt -name cacerts

2. Add the CA cert to your cacerts file:

keytool -import -trustcacerts -alias MyCAsName -file /path/to/ca-certificate -keystore /path/to/cacerts
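Both procedures above (key and cert to PKCS#12 to Java keystore, then trusting a CA cert in cacerts) as one reproducible script. This is an added example, not code from the original post. It assumes openssl and a JDK's keytool are on PATH; the CA, the server key and cert, the alias example-test-ca, and the store password are all constructed here so the script runs offline, and in real use you would start from the mykey.key and mykey.crt your CA issued. The CA import works on a copy of cacerts, so a mistake never touches the live trust store; the stock cacerts password is the JDK's well-known default "changeit".

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the two keytool procedures
# above as a reproducible script. Step 0 fabricates a throwaway CA and a
# server key/cert with openssl so it runs offline; in real use you would
# start from the mykey.key / mykey.crt your CA issued. Assumes openssl and
# a JDK's keytool are on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit-example"   # constructed; pick a real secret in practice

# Step 0 (constructed input): a test CA plus a server cert signed by it.
make_test_material() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/mykey.key" -out "$d/mykey.csr" 2>/dev/null
  openssl x509 -req -in "$d/mykey.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/mykey.crt" 2>/dev/null
}

# Step 1: PEM key + cert -> PKCS#12. -name becomes the keystore alias
# (otherwise keytool calls the entry "1"); -passout replaces the prompt.
key_and_cert_to_pkcs12() {
  local d="$1"
  openssl pkcs12 -export -inkey "$d/mykey.key" -in "$d/mykey.crt" -name jetty \
    -out "$d/jetty.pkcs12" -passout "pass:$STOREPASS"
}

# Step 2: PKCS#12 -> Java keystore, non-interactively. The JDK's default
# store type is used (JKS on Java 8, PKCS12 on Java 9 and later).
pkcs12_to_keystore() {
  local d="$1"
  keytool -importkeystore -noprompt \
    -srckeystore "$d/jetty.pkcs12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
    -destkeystore "$d/mykeystore" -deststorepass "$STOREPASS"
}

# Check: -list takes -keystore (not -storename). True when the alias is a
# PrivateKeyEntry, i.e. the key itself went in, not just the certificate.
keystore_has_key_entry() {
  local d="$1" alias="$2" out
  out="$(keytool -list -keystore "$d/mykeystore" -storepass "$STOREPASS" 2>/dev/null)"
  printf '%s\n' "$out" | grep -q "^${alias},.*PrivateKeyEntry"
}

# Step 3a: locate cacerts. Ask the keytool on PATH for its own JDK first,
# then fall back to the find approach from the post.
find_cacerts() {
  local home p
  home="$(dirname "$(dirname "$(readlink -f "$(command -v keytool)")")")"
  for p in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  find /usr /opt -name cacerts 2>/dev/null | head -n 1
}

# Step 3b: trust the CA. Import into a copy so a typo cannot damage the live
# trust store; swap the copy in once -list confirms it. The stock cacerts
# password is the JDK's well-known default "changeit". With an empty source
# path a fresh trust store is started instead.
import_ca_into_trust_store() {
  local d="$1" src="$2" alias="$3"
  if [ -n "$src" ] && [ -r "$src" ]; then
    cp "$src" "$d/cacerts.work" && chmod u+w "$d/cacerts.work"
  fi
  keytool -import -trustcacerts -noprompt -alias "$alias" -file "$d/ca.crt" \
    -keystore "$d/cacerts.work" -storepass changeit
}

# Check: -list with -alias exits non-zero when the alias is absent.
trust_store_has_alias() {
  local d="$1" alias="$2"
  keytool -list -keystore "$d/cacerts.work" -storepass changeit -alias "$alias" >/dev/null 2>&1
}

run_demo() {
  make_test_material "$WORK"
  key_and_cert_to_pkcs12 "$WORK"
  pkcs12_to_keystore "$WORK"
  keystore_has_key_entry "$WORK" jetty && echo "mykeystore: private key entry 'jetty' present"
  import_ca_into_trust_store "$WORK" "$(find_cacerts)" example-test-ca
  trust_store_has_alias "$WORK" example-test-ca && echo "cacerts.work: alias 'example-test-ca' trusted"
  echo "artifacts left in $WORK"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as `bash keytool_walkthrough.sh demo`. The two check functions are the part worth keeping for real deployments: confirming a PrivateKeyEntry (rather than a bare trustedCertEntry) is what tells you Jetty will actually be able to serve with the key, and listing the alias in the modified copy before replacing the JDK's cacerts avoids discovering a failed import only when TLS connections start failing.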


Thursday, April 18, 2013

Dell Perc 5i RAID Controller - Two Drives Show Up as Foreign

I recently had a strange problem to troubleshoot. A client's ESXi 5.1 box crashed hard. Unfortunately, the server (a Dell PowerEdge 2950 g3) had no iDRAC card.

When I arrived, I discovered that someone had unplugged two of the drives in a RAID 5 set of 5 drives. There was a hot spare, but both drives were pulled at the same time (long story). The RAID 5 volume was down. I looked into the Perc BIOS. Two of the five drives now showed up as foreign. While I've certainly imported foreign sets, I've rarely seen this situation on some of the drives and not all of them.

When a foreign disk is detected in the Dell Perc BIOS (this is, of course, a rebadged LSI RAID card), a new tab shows up: foreign. I went into the foreign tab and imported the configs from both drives. The volume was now online (rebuilding, of course). I waited a while, then let ESXi boot. I stopped the VMs from starting and waited until the rebuild finished, just to be safe; a power outage at that moment might have been particularly bad (this building has unreliable power and the UPS can only keep a server up so long, of course). After the disks had quieted down, I started the VMs. There was some data loss, of course, and the startup took over an hour (there was a snapshot in place, so the hard crash probably damaged the snapshot). However, the server was back. There's something to be said for lockable bezels.