Keystore Generation in Java Code

 
Mathew Anderson
Greenhorn
Posts: 7
I wrote some code to help me manage the keystores/SSLs that I use with my J2EE application server. In two places, I run the keytool command, using Runtime.getRuntime(), but I am starting to see some java.io.IOException: Not enough space errors. The disk space looks good, and the heap size of the JVM looks good.

Anyways, I want to try and convert this so it does not fork and execute (and will remove the issue that I am seeing), but instead uses java.security.KeyStore (or something better).

Here are the parts of the code I'd like to convert:


// KeyStore Generation
String params[]= {"/bin/keytool", "-genkey", "-keyalg", "RSA", "-alias", keyAlias, "-keystore", keyStore,
"-dname", keyDName, "-keypass", keyPassPhrase, "-storepass", StorePassPhrase};

Process keytool = Runtime.getRuntime().exec(params);

// SSL Cert Request Creation
String params[]= {"keytool", "-certreq", "-alias", keyAlias, "-keypass", keyPassPhrase, "-keystore", keyStore, "-storepass", StorePassPhrase, "-file", keyReqFile };

Process keytool = Runtime.getRuntime().exec(params);

Looking at information on using java.security.KeyStore (KeyStore.Builder, KeyStoreSpi), I got lost rather quickly. Anyone else use these? Or have some good examples I could use to help muddle my way into fixing this?

Thanks
 
Rob Spoor
Sheriff
Posts: 20546
If you think this is a problem for beginners, you must be quite a programmer!
I think the intermediate forum is a bit better ;)
 
Mathew Anderson
Greenhorn
Posts: 7
Yes, after I posted, I realized it should be in the intermediate forum. Would it be possible for you to move it? I did not want to cross post.

Edit - Ah, I see you did move it. Thank you!
 
Martijn Verburg
author
Bartender
Posts: 3275
Hi Mathew,

What version of the JDK are you using? Have you looked at the process builder APIs under JDK1.5+?
 
Mathew Anderson
Greenhorn
Posts: 7
JDK is 1.5

I have not looked at the process builder, I'll take a look at that. It might get around the IOException error. Though I would ultimately like to move this inside the code, if changing to this ProcessBuilder works, it will do for now. Thanks!
 
Martijn Verburg
author
Bartender
Posts: 3275
No worries, there have been several discussions on this forum lately about runtime.exec() and why ProcessBuilder is 'better'. I'm too lazy right now to dig them up but if you search this forum for runtime.exec you'll see some useful discussions and links.
 
Mathew Anderson
Greenhorn
Posts: 7
ProcessBuilder did seem to help, but it only delayed the error some. So my initial question still remains open.


Has anyone done keystore generations in java code? If so, any pointers?
 
Martijn Verburg
author
Bartender
Posts: 3275
Are you able to take a look at the JVM while this is running (jstat, jvmstat will do the trick)? Mind you, out of space usually indicates a file I/O issue.
 
Mathew Anderson
Greenhorn
Posts: 7
Not really. I only see the error on our production server and I am unable to take it down. Our Development and Quality seem fine.

We run Weblogic 9.2 as the J2EE engine (running on Solaris, if that helps). Using that, I looked at the memory usage:
Before:
Heap Size Current: 3758096384
Heap Free Current: 1364779736
Heap Free Percent: 36
Heap Size Max: 3758096384
Total Physical Memory: 17179869184

After:
Heap Size Current: 3758096384
Heap Free Current: 1295966936
Heap Free Percent: 34
Heap Size Max: 3758096384
Total Physical Memory: 17179869184

The production server is rather busy, we have about 80 applications deployed on it. But the Heap Free seems rather reasonable.

 
Martijn Verburg
author
Bartender
Posts: 3275
Thanks for that, I think you're right, it looks like there's enough JVM memory. Next Q: do you know where the keystore work is being done on the physical disk? The IOException indicating out of space could be referring to a genuine out of space on physical disk problem (perhaps it is writing to a small mount point, or a user dir that is restricted in size).
 
Mathew Anderson
Greenhorn
Posts: 7
The generation is done on the root partition of the disk:

/dev/dsk/c1t0d0s0 131112519 62008144 67793250 48% /


plenty of space.


I do notice, that once the system is rebooted (we do that weekly), it works for a while.. but as time goes on, the error pops up.
 
Carey Evans
Ranch Hand
Posts: 225
Getting hold of a key store and saving a key isn’t hard:

Generating the X509Certificate is a bit harder. I think the Bouncy Castle library includes everything you need.

Have a look at the JCA Reference Guide for much more information.
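
An added example, not part of Carey's post or the original thread: one way to do the -genkey and -certreq steps in-process with the JCA KeyStore API plus Bouncy Castle, so no passphrase is passed on a command line. It assumes the Bouncy Castle bcprov and bcpkix jars on the classpath and a current JDK; the class name, alias, DN, passwords and file names are constructed sample values.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class InProcessKeytool {  // added example; not code from the thread
    public static void main(String[] args) throws Exception {
        // Constructed sample values; substitute your own alias, DN, passwords and paths.
        String alias = "server", dn = "CN=app.example.test, O=Example, C=US";
        char[] storePass = "changeit-store".toCharArray();
        char[] keyPass = "changeit-key".toCharArray();

        // Equivalent of keytool -genkey -keyalg RSA: key pair plus self-signed certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name subject = new X500Name(dn);
        JcaContentSignerBuilder sb = new JcaContentSignerBuilder("SHA256withRSA");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 90L * 24 * 60 * 60 * 1000);
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(subject, new BigInteger(64, new SecureRandom()),
                notBefore, notAfter, subject, kp.getPublic()).build(sb.build(kp.getPrivate())));

        // A private-key entry needs a certificate chain; load(null, ...) starts an empty store.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, storePass);
        ks.setKeyEntry(alias, kp.getPrivate(), keyPass, new Certificate[] { cert });
        try (OutputStream out = new FileOutputStream("server.jks")) {
            ks.store(out, storePass);
        }

        // Equivalent of keytool -certreq: PKCS#10 request signed by the new key, PEM-encoded.
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
            subject, kp.getPublic()).build(sb.build(kp.getPrivate()));
        try (JcaPEMWriter pem = new JcaPEMWriter(new FileWriter("server.csr"))) {
            pem.writeObject(csr);
        }
    }
}
```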
 
Carey Evans
Ranch Hand
Posts: 225
With respect to your problems with exec() and ProcessBuilder, could you be running out of file descriptors? Each Process has an output stream and one or two input streams which should be closed once you’re finished with them. Otherwise they will eventually be closed some time after the process and the streams are garbage collected.
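
The stream handling described above, as an added example that is not from the thread: a ProcessBuilder wrapper that drains the child's output and closes all three pipes explicitly, so their file descriptors are released as soon as the call returns. It assumes a current JDK (try-with-resources) and keytool on the PATH; the class and method names are illustrative.

```java
import java.io.BufferedReader;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

// Added example (not from the thread); class and method names are illustrative.
public class KeytoolRunner {
    /** Runs the command, collects its output into 'output', returns the exit code. */
    static int run(List<String> command, StringBuilder output)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true);            // stderr merged into stdout: one pipe to drain
        Process p = pb.start();
        try {
            p.getOutputStream().close();         // child's stdin: nothing to send, so EOF now
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(p.getInputStream()))) {
                String line;
                while ((line = r.readLine()) != null) {  // drain so the child never blocks
                    output.append(line).append('\n');
                }
            }
            return p.waitFor();
        } finally {
            // Close every pipe explicitly, even on error, rather than waiting for GC.
            closeQuietly(p.getOutputStream());
            closeQuietly(p.getInputStream());
            closeQuietly(p.getErrorStream());
            p.destroy();                         // no effect if the child has already exited
        }
    }

    private static void closeQuietly(Closeable c) {
        try { c.close(); } catch (IOException ignored) { }
    }

    public static void main(String[] args) throws Exception {
        StringBuilder out = new StringBuilder();
        // Constructed sample invocation; pass the real keytool arguments the same way.
        int rc = run(Arrays.asList("keytool", "-help"), out);
        System.out.println("exit=" + rc + "\n" + out);
    }
}
```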
 
Mathew Anderson
Greenhorn
Posts: 7
Carey - How did I miss those. Thanks, I am changing the code to close the streams. Whoops.

I started to look at Bouncy Castle, seems like some good stuff. I'll try and sit down more with it.
 