Feature Request - Manage Java keystore

[m87carlson]

We currently "manage" java keystores by simply pushing out a cacerts (or trustedcerts) we've created, but this is not really maintainable since we update once and sort of forget about it.

We also have certain java applications that are unable to launch with a separate certificate databases, and will always use the systems default jre/lib/security/certs

It would be really useful if there was a salt module to add CA's and trusted certificates to the keystore files.

Doing this seems relatively simple, since the command can basically shell out the keystore executable (and if not password is specified, use 'changeit'). It should probably check for an alias first, and then add it if it is not in the database, but there is some overhead there as it would have to run two separate commands.

[basepi]

This sounds quite reasonable to me, and you're right, I think it would be fairly straightforward to implement. Thanks for the request!

[verydragon]

I was researching ways to get the cacert added for JVM, and then I have an alternative method (just cmd.run) ; D

cmd.run:
- name: "sudo pathto/keytool -import -trustcacerts -alias xxx-cacert -keystore pathto/cacerts -file xxx.pem -storepass changeit -noprompt"

[sastorsl]

Did anybody get around to look into this?
I'm managing a keystore for an application with both public and private keys and have scripted (shell...) the part where I'm creating the keystore from the bottom up, but of course should support verifying if a key is allready added, and if so under which alias, and add if it's not in the keystore.
I'll be happy to come up with use-cases and do some testing.

[jbouse]

I've ran into the same issue as we have to maintain certificates inside a java keystore for one of our applications. Right now I've simply got a state that reads information from pillar about what certs need to be deployed and executes the keytool calls via cmd.run.

That said I will be working on trying to make a java keystore execute & state module to handle this for me after I finish writing my other 2 I'm currently working on for other applications.

[sastorsl]

Cool. I'll keep watching this thread and will be interested in testing - if needed.

[rterbush]

Wanted to share the following set of states that I worked up to deal with this keystore task. I'd welcome any input as to how to do this better and would also welcome the addition of keystore state to manage this more directly.

set_keystore_passwd:
  cmd.run:
    - name: '
      keytool -storepasswd -storepass changeme -new {{ pillar['keystorepass'] }}' && touch /var/cache/salt/.keystorepass
    - shell: /bin/sh
    - creates: /var/cache/salt/.keystorepass

install_keystore:
  file.managed:
    - name: /tmp/example.com.pkcs12
    - source: s3://bucket/example.com.pkcs12
    - source_hash: s3://bucket/example.com.pkcs12.sha1sum
  cmd.run:
    - name: |
        keytool -importkeystore -srckeystore /tmp/example.com.pkcs12 -srcstoretype PKCS12 -destkeystore keystore -deststorepass {{ pillar['keystorepass'] }} -srcstorepass {{ pillar['keystorepass'] }} && touch /var/cache/salt/.keystoreimport
    - shell: /bin/sh
    - creates: /var/cache/salt/.keystoreimport
    - require:
      - cmd: set_keystore_passwd

remove_keystore_input:
  file.absent:
    - name: /tmp/example.com.pkcs12
    - require:
      - cmd: install_keystore

I've misread the doc and thought that I understood that the - creates: ... conditional created the file if the state ran successfully. That would be a nice improvement. 😄
Edited to add the touch commands if the keytool runs successfully.

[JensRantil]

I'd welcome any input as to how to do this better and would also welcome the addition of keystore state to manage this more directly.

Nice solution! Best so far! This solution works as long as s3://bucket/example.com.pkcs12 never is updated without patching the Salt state. The nice thing with a keytool state is that it would be able to conditionally check if the certificate is previously added or not.

I've misread the doc and thought that I understood that the - creates: ... conditional created the file if the state ran successfully. That would be a nice improvement.

@rterbush File a separate issue for it ;)

[peter-funktionIT]

I too would like a state and execution module for managing java keystores.
Meanwhile, this is my alternative to @rterbush solution:

Add cert to keystore:
  cmd.run:
  - name: /path/to/keytool -keystore /path/to/cacerts -storepass changeit -import -alias my_cert -file /path/to/cert.crt -noprompt
  - unless: /path/to/keytool -keystore /path/to/cacerts -storepass changeit -list -alias my_cert >/dev/null

Of course, this only does checks against the alias name but is sufficient for my needs. A real state module would probably check against the certificate thumbprint and verify the existing certs in the keystore.
Should be possible to do that with a state similar to mine above as well, but you would probably have to use a script instead of a one-liner.

[eapugo]

4 years later....no update on this request :/ come on saltstack :)

[rhbvkleef]

Please give us this. That would make people immensely happy!

[PetrusKiendys]

Would love to see this implemented as well.

[a-wildman]

5 years (- 2 days) since "Approved for future release" was indicated... here's my vote for this as well.

[Oloremo]

Ansible has it https://docs.ansible.com/ansible/latest/modules/java_keystore_module.html :-(