Java Keystore (JKS)
SecTrail CM enables automatic management of SSL certificates by establishing agentless connections to applications using Java Keystore (JKS/PKCS12).
SecTrail CM supports Java KeyStores running on both Linux and Windows systems. You can perform automatic certificate deployment and management for both platforms.
Use Casesβ
- Java Applications: Standalone Java applications
- Microservices: Spring Boot, Quarkus, Micronaut microservices
- Message Brokers: Apache Kafka, RabbitMQ (TLS)
- Databases: Elasticsearch, Cassandra (SSL/TLS)
Connection Requirementsβ
Linux Systemsβ
| Requirement | Detail | Description |
|---|---|---|
| Protocol | SSH (Secure Shell) | Secure remote connection protocol |
| Port | 22 | Standard SSH port or custom port |
| Authentication | SSH Key or Password | Authentication via SSH key or password |
| User Permission | Keystore read/write permission | Access and edit permission to keystore files |
Windows Systemsβ
| Requirement | Detail | Description |
|---|---|---|
| Protocol | WinRM (Windows Remote Management) | Windows remote management protocol |
| Port | 5985 (HTTP) / 5986 (HTTPS) | Standard WinRM ports |
| Authentication | Username and Password | Windows user authentication |
| User Permission | Keystore read/write permission | Access and edit permission to keystore files |
Automated Operationsβ
SecTrail CM automatically performs the following operations on Java KeyStore:
- Keystore Backup: Backing up the existing keystore
- Certificate Import: Importing new certificate and private key with
keytool - Truststore Update: Adding Root/Intermediate CA certificates to truststore
- Validation: SSL/TLS connection testing and validation
Configuration Stepsβ
1. Creating Java KeyStore Linux Userβ
Navigate to Automation > Device Users and create a user for Java KeyStore.
2. Adding Java KeyStore Device to SecTrail CMβ
Click Automation > Devices > Add New Device button and enter the following information:
- Name: Provide a descriptive name for the device
- Device Users: Select the user created in Step 1
- IP: Enter the IP address of the Java KeyStore server
- Device Type: Select
Java KeyStore Linuxfrom the dropdown menu - Become Method: Select privilege escalation method (e.g.,
sudo) - Custom Path: (Optional) You can specify a custom path
- KeyStore Path: Enter the path to the KeyStore file
- KeyStore Storepass: Enter the KeyStore password
- Service Name to Restart: (Optional) Enter the service name to restart
After the Java KeyStore device is added to SecTrail CM, certificates in the KeyStore are automatically included in the discovery period and scanned regularly. Automatic alarms are created for certificates that are about to expire or have issues.
3. Viewing Device Informationβ
After the device is added, it will be displayed in the Automation > Devices list. Click on the row to view device details:
The following information is displayed in device details:
- Certificate Subject: Certificate subject information (CN, ST, L, O, OU)
- Issuer: CA information that issued the certificate
- Not After: Certificate expiration date
- Store Path: KeyStore file path
- Alias Name: Certificate alias name
- Deploy: For certificate deployment
Certificate Deploymentβ
Step 1: KeyStore and Certificate Selectionβ
- Select your Java KeyStore device from Automation > Devices
- In the device details, find the KeyStore where you want to deploy the certificate
- Click the Deploy button on the relevant row
- In the Deploy Certificate window that opens:
- Virtual Servers: Target KeyStore information is displayed (IP, Subject, Alias Name)
- Certificate: Select the certificate you want to deploy from the dropdown menu
Step 2: Starting the Deployment Processβ
Click the Deploy button to start the certificate deployment process.
Step 3: Process Trackingβ
The deployment process can be tracked from Automation > Processes:
Operation Detailsβ
The following steps are performed during deployment:
| Step | Operation Description |
|---|---|
| 1 | Certificate file is uploaded to the server |
| 2 | New certificate is added to existing keystore file |
Certificate Removal (Remove)β
SecTrail CM supports certificate removal from Java KeyStore.
Removal Operation Stepsβ
- Select your Java KeyStore device from Automation > Devices
- Select the relevant operation in the row of the certificate you want to remove
- Confirm to start the removal operation
Removal Operation Task Detailsβ
The removal operation can be tracked from Automation > Processes. The following steps are performed during the operation:
| Step | Operation Description |
|---|---|
| 1 | Existing keystore file is backed up |
| 2 | Certificate is deleted from keystore with specified alias |