Welcome!

Article

Audit Certificate Inventory in WebSphere Application Server

Generate list of Certificates used in WebSphere Application Server environment

Introduction

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure. A digital certificate may also be referred to as a public key certificate. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

Any WebSphere administrator already know that managing the SSL certificates in a large complex environment becomes hectic and troublesome because of the different expiration dates of the certificates that WebSphere uses and also the SSL certificates of the external systems that WebSphere Application Server interact with using a secure connection. Multiple administrators in any organization renewing and managing certificates but not keeping track of the expiration dates of certificates.

The purpose of this document describes how to generate a report for all the certificates using in the WebSphere environment by using a simple Jython script. The script checks all certificates that are stored in keystores under Cell management. The script generates a report in the form of CSV file and the report contains the certificate type, Issues to (common name), Issued by, Expire in number of Days, Expiration Date, Keystore name and the scope of the certificate information.

Procedure

1- Create the following Jython script and name it “listCerts.jy”:

# --------------------------------------------------------------------------------

# listCerts.jy - Lists all the certs in WebSphere Application Server

# --------------------------------------------------------------------------------

# --------------------------------------------------------------------------------

# Setup

# --------------------------------------------------------------------------------

import re

import sys

import time

import os

import javaos

import shutil

from java.text import SimpleDateFormat ;

dateFormat = SimpleDateFormat("dd-MMM-yyyy");

expiryDateFormat = SimpleDateFormat("MMMMM dd, yyyy");

reportFile="/tmp/certs.csv"

try:

os.remove(reportFile)

except OSError:

pass

print "Generating certificate list in " + reportFile

#### Write CSV Headers ####

file = open(reportFile,'a')

file.write('"Cert Type","Issues To","Issued By","Expires In (days)","Expiry Date","Keystore Name", "Scope"' + "\n");

file.close()

# --------------------------------------------------------------------------------

# Define Subroutines

# --------------------------------------------------------------------------------

def dateDiff(keyStoreType, keystoreName, issuedTo, issuedBy, expString, scopeName):

todayString = time.strftime("%d-%b-%Y", time.gmtime())

todayDate = dateFormat.parse(todayString)

expiryDate = expiryDateFormat.parse(expString)

e = expiryDate.getTime()

t = todayDate.getTime()

d = e - t

days = d / (1000 * 60 * 60 * 24)

file = open(reportFile,'a')

file.write(str(keyStoreType) + ',"' + fmtStr(str(issuedTo)) + '","' + fmtStr(issuedBy) + '","' + fmtStr(str(days)) + '","' + str(expString) + '","' + fmtStr(str(keystoreName)) + '","' + fmtStr(str(scopeName)) + '"' + "\n");

file.close()

def find_between( s, first, last ):

try:

start = s.index( first ) + len( first )

end = s.index( last, start )

return s[start:end]

except ValueError:

return ""

def fmtStr(str):

str = str.replace('"', '')

str = str.replace(',',' ')

return str

# ---------------------------------------------------------------------------------------------------------------

# Main

# ---------------------------------------------------------------------------------------------------------------

# Iterate through all keystores, and generate list

for ks in AdminTask.listKeyStores('[-all true -keyStoreUsage SSLKeys ]').splitlines():

keystoreName = AdminConfig.showAttribute(ks, 'name')

ms = AdminConfig.showAttribute(ks, 'managementScope')

scopeName = AdminConfig.showAttribute(ms, 'scopeName')

personalCertsFound=0

for cert in AdminTask.listPersonalCertificates('[-keyStoreName '+keystoreName+' -keyStoreScope '+scopeName+']').splitlines():

personalCertsFound=1

issuedTo=""

issuedBy=""

for property in re.split("\] \[", cert):

if(re.search("\[\[", property)):

tmp = property

property = re.split("\[\[",tmp)[1]

if(re.search("] ]", property)):

tmp = property

property = re.split("] ]",tmp)[0]

if(re.search("alias", property)):

alias = re.split("\s+", property)[1]

if(re.search("issuedTo", property)):

issuedTo=property

if(re.search("issuedBy", property)):

issuedBy=property

if(re.search("validity", property)):

expString = find_between(property,"to ",".")

keyStoreType = "personal"

dateDiff(keyStoreType, keystoreName, issuedTo, issuedBy, expString, scopeName)

#if(personalCertsFound==0):

# print '\tNo personal certificates found in '+keystoreName+' in scope '+scopeName

signerCertsFound=0

for cert in AdminTask.listSignerCertificates('[-keyStoreName '+keystoreName+' -keyStoreScope '+scopeName+']').splitlines():

signerCertsFound=1

issuedTo=""

issuedBy=""

for property in re.split("\] \[", cert):

if(re.search("\[\[", property)):

tmp = property

property = re.split("\[\[",tmp)[1]

if(re.search("] ]", property)):

tmp = property

property = re.split("] ]",tmp)[0]

if(re.search("alias", property)):

alias = re.split("\s+", property)[1]

if(re.search("issuedTo", property)):

issuedTo=property

if(re.search("issuedBy", property)):

issuedBy=property

if(re.search("validity", property)):

expString = find_between(property,"to ",".")

type="signer"

dateDiff(type, keystoreName, issuedTo, issuedBy, expString, scopeName)

#if(signerCertsFound==0):

# print '\tNo signer certificates found in '+keystoreName+' in scope '+scopeName


2- Copy the “listCerts.jy” file on the Deployment manager server (in /tmp folder).

3- Change the user to WASUSER and the file permission, if needed

4- Go to the bin folder of the Deployment manager and run the following command

wsadmin.sh –lang jython –f /tmp/listCerts.jy –username <WASUSER> –password <WASPASSWORD>

5- Once the script executed, it will create “/tmp/certs.csv” file

6- Copy the “certs/csv” file on the desktop by using ftp/scp client

7- Review the csv file

Conclusion

The generated report captures the certificate type, Issues to (common name), Issued by, Expire in number of Days, Expiration Date, Keystore name and the scope of the certificate information. By running the script weekly or monthly basis and reviewing the generated report timely manner can avoid any server or SSL communication disruption due to expire certificate.


More Stories By Asim Saddal

Asim Saddal works in the Middleware (WebSphere Application Server, WebSphere Datapower, WebSphere Process Server, WebSphere VE) practice of IBM Software Services for WebSphere.

Latest Stories
"The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, will examine the regulations and provide insight on how it affects technology, challenges the established rules and will usher in new levels of diligence...
SYS-CON Events announced today that Calligo has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalized support service from its globally located cloud platfor...
SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, discussed the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information.
FinTechs use the cloud to operate at the speed and scale of digital financial activity, but are often hindered by the complexity of managing security and compliance in the cloud. In his session at 20th Cloud Expo, Sesh Murthy, co-founder and CTO of Cloud Raxak, showed how proactive and automated cloud security enables FinTechs to leverage the cloud to achieve their business goals. Through business-driven cloud security, FinTechs can speed time-to-market, diminish risk and costs, maintain continu...
SYS-CON Events announced today that SkyScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SkyScale is a world-class provider of cloud-based, ultra-fast multi-GPU hardware platforms for lease to customers desiring the fastest performance available as a service anywhere in the world. SkyScale builds, configures, and manages dedicated systems strategically located in maximum-securit...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We were founded in 2003 and the way we were founded was about good backup and good disaster recovery for our clients, and for the last 20 years we've been pretty consistent with that," noted Marc Malafronte, Territory Manager at StorageCraft, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.