Keystores and keytools

vnovotny98 · December 12, 2022, 2:59pm

Hello,
can anybody give me a hint how keytools and keystores work? And what is the difference between them?

I would like to store password for logstash connecting to opensearch and for my own scripts that controls, monitors and cross cluster replicate data but in my scripts i have passwords in plain-text, too.

My logstash output looks like:

opensearch {
hosts => ["AA:9200","BB:9200","CC:9200"]
ssl => true
ssl_certificate_verification => false
user => "logstash-acount"
password => "****"
index => "example"
manage_template => false

And I think for scripts that i have in Python and Bash, i cant use any of these key functions, right? Its values are readable only for apps?

Gsmitt · December 13, 2022, 6:05am

Hey,

Here is a quick Lesson.

KeyTool

Java includes the keytool utility in its releases. We use it to manage keys and certificates and store them in a keystore. The keytool command allows us to create self-signed certificates and show information about the keystore.

Keystore

A keystore can be a repository where private keys, certificates and symmetric keys can be stored. This is typically a file, but the storage can also be handled in different ways.

Example:

change the default password for Java CAcert store. Default password is changeit

keytool -storepasswd -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts

— Type “changeit”
— New-PASS Type “secret” /// this will be configured in graylog configuration file

In the above example “cacerts” is java default keystore, it has been known to copy this keystore incase of issues,etc…

Insert Certificate in keystore.

keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias opensearch-self-signed -file cert.pem

Normally when creating Self-signed certs using openssl it will ask for a pasphrase , this would be the password needed. or if the application needs to access the keystore this would be the password used and shown above.

vnovotny98 · December 15, 2022, 2:17pm

Okay thanks, I think I better understand now.

I got requirements to ship data to Opensearch with 2FA (USR/PWD + OTP) or Certificates.
I know that I can ship data to Opensearch with user/password and cacert, but I think, it won´t be enought secure.
Can Logstash connect with certificate authentication? Connect by Cert/Key and Cacert validation?
Then I can store these certs in keystore.

Gsmitt · December 17, 2022, 4:11am

hello,

I think so but unfortantly I do not use Logstash at this monment. So im not 100% sure.
You can look here for more details.

Configuring Security in Logstash | Logstash Reference [7.17] | Elastic