Creating the Keystore and Truststore
Note: For backward compatibility, customers on older versions will have a default keystore and truststore created upon upgrade with backward compatible values.
Note: If the keystore and truststore are not present, Oracle Utilities Application Framework reverts to the internal cryptography used in previous releases. Confirm that both files exist after an installation or upgrade, so that the legacy mechanism is not used unintentionally.
Note: Passwords encrypted using this keystore are prefixed with ENCKS; passwords encrypted with the legacy mechanism are prefixed with ENC.
Note: The settings in this section are defaulted at installation and can be altered using overrides in the template FW_spl.properties.keystore.truststore.include, as outlined in the Server Administration Guide.
Typically, a keystore and truststore are created manually with the Java keytool utility, but the Oracle Utilities Application Framework utilities have been extended so that customers can create and manage the keystore and truststore from the command line.
Before creating the keystore, the following settings must be set in the installation, as per the Server Administration Guide:
KS_ALIAS - Alias of the keystore entry whose key the Oracle Utilities Application Framework uses to encrypt and decrypt passwords. By default, this is set to ouaf.system.
KS_ALIAS_KEYALG - Key algorithm of the KS_ALIAS entry, used to encrypt the passwords. By default, this is set to AES.
KS_ALIAS_KEYSIZE - Key size, in bits, of the KS_ALIAS entry. By default, this is set to 256.
KS_HMAC_ALIAS - Alias of the keystore entry whose key is used for HMAC computation by the Encryption Feature Type of the Oracle Utilities Application Framework. By default, this is set to ouaf.system.hmac.
KS_HMAC_ALIAS_KEYALG - MAC algorithm of the KS_HMAC_ALIAS entry, used to authenticate data (an HMAC key authenticates data; it does not encrypt it). By default, this is set to HmacSHA256.
KS_HMAC_ALIAS_KEYSIZE - Key size, in bits, of the KS_HMAC_ALIAS entry. By default, this is set to 256.
KS_KEYSTORE_FILE - Location of the keystore file.
KS_MODE - Cipher mode of operation used with the KS_ALIAS key. By default, this is set to CBC.
KS_PADDING - Padding scheme used with the KS_ALIAS key. By default, this is set to PKCS5Padding.
KS_STOREPASS_FILE - File containing the keystore password.
KS_STORETYPE - Keystore type. By default, this is set to JCEKS, which, unlike JKS, can hold secret-key entries.
TS_ALIAS - Alias of the truststore entry whose key is used to encrypt and decrypt passwords. By default, this is set to ouaf.system.
TS_ALIAS_KEYALG - Key algorithm of the TS_ALIAS entry. By default, this is set to AES.
TS_ALIAS_KEYSIZE - Key size, in bits, of the TS_ALIAS entry. By default, this is set to 256.
TS_HMAC_ALIAS - Alias of the truststore entry whose key is used for HMAC computation. By default, this is set to ouaf.system.hmac.
TS_HMAC_ALIAS_KEYALG - MAC algorithm of the TS_HMAC_ALIAS entry, used to authenticate data. By default, this is set to HmacSHA256.
TS_HMAC_ALIAS_KEYSIZE - Key size, in bits, of the TS_HMAC_ALIAS entry. By default, this is set to 256.
TS_KEYSTORE_FILE - Location of the truststore file.
TS_MODE - Cipher mode of operation used with the TS_ALIAS key. By default, this is set to CBC.
TS_PADDING - Padding scheme used with the TS_ALIAS key. By default, this is set to PKCS5Padding.
TS_STOREPASS_FILE - File containing the truststore password.
TS_STORETYPE - Truststore type. By default, this is set to JCEKS, which, unlike JKS, can hold secret-key entries.
Once these settings are specified, the keystore or truststore is created with the following command:
initialSetup.sh -k|-K
This generates the keystore (-k) or the truststore (-K) using the password held in the Keystore or Truststore Password file (KS_STOREPASS_FILE or TS_STOREPASS_FILE).
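The following script is an added example and is not initialSetup.sh or any other Oracle Utilities Application Framework utility. It creates, with the JDK keytool directly, the two secret-key entries that the KS_* settings above describe (an AES key under KS_ALIAS and an HmacSHA256 key under KS_HMAC_ALIAS), checks the settings keytool would refuse, verifies the entries afterwards, and scans a properties file for passwords still carrying the legacy ENC prefix rather than ENCKS. The defaults match this section; the keystore and password file paths, and the property names in the scan, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of initialSetup.sh or any OUAF utility: creates the
# two secret-key entries that the KS_* settings describe using the JDK keytool
# directly, then checks the result. Defaults match the settings list; the two
# file paths are assumptions for the example. Run as:
#   sh ouaf-keystore.sh create | verify | scan <properties-file>

KS_ALIAS=${KS_ALIAS:-ouaf.system}
KS_ALIAS_KEYALG=${KS_ALIAS_KEYALG:-AES}
KS_ALIAS_KEYSIZE=${KS_ALIAS_KEYSIZE:-256}
KS_HMAC_ALIAS=${KS_HMAC_ALIAS:-ouaf.system.hmac}
KS_HMAC_ALIAS_KEYALG=${KS_HMAC_ALIAS_KEYALG:-HmacSHA256}
KS_HMAC_ALIAS_KEYSIZE=${KS_HMAC_ALIAS_KEYSIZE:-256}
KS_STORETYPE=${KS_STORETYPE:-JCEKS}
KS_KEYSTORE_FILE=${KS_KEYSTORE_FILE:-./ouaf.keystore}     # assumed path
KS_STOREPASS_FILE=${KS_STOREPASS_FILE:-./ouaf.storepass}  # assumed path

# check_settings: reject combinations keytool would refuse. A JKS store cannot
# hold SecretKeyEntry objects, so symmetric keys need JCEKS (or PKCS12), and
# AES keys must be 128, 192 or 256 bits. The password file must be non-empty.
check_settings() {
  case "$KS_STORETYPE" in
    JCEKS|PKCS12) ;;
    *) echo "KS_STORETYPE=$KS_STORETYPE cannot store secret keys" >&2; return 1 ;;
  esac
  case "$KS_ALIAS_KEYALG:$KS_ALIAS_KEYSIZE" in
    AES:128|AES:192|AES:256) ;;
    *) echo "unsupported key: $KS_ALIAS_KEYALG/$KS_ALIAS_KEYSIZE" >&2; return 1 ;;
  esac
  [ -s "$KS_STOREPASS_FILE" ] ||
    { echo "password file $KS_STOREPASS_FILE missing or empty" >&2; return 1; }
}

# keytool_genseckey ALIAS KEYALG KEYSIZE: add one secret-key entry. The store
# and key passwords are read from the password file with keytool's :file form,
# so they never appear on the command line, in ps output or in shell history.
keytool_genseckey() {
  keytool -genseckey -alias "$1" -keyalg "$2" -keysize "$3" \
    -keystore "$KS_KEYSTORE_FILE" -storetype "$KS_STORETYPE" \
    -storepass:file "$KS_STOREPASS_FILE" -keypass:file "$KS_STOREPASS_FILE"
}

# create_keystore: generate both entries. umask 077 in a subshell makes the new
# keystore readable by its owner only without changing the caller's umask.
create_keystore() {
  check_settings || return 1
  ( umask 077
    keytool_genseckey "$KS_ALIAS" "$KS_ALIAS_KEYALG" "$KS_ALIAS_KEYSIZE" &&
    keytool_genseckey "$KS_HMAC_ALIAS" "$KS_HMAC_ALIAS_KEYALG" "$KS_HMAC_ALIAS_KEYSIZE" )
}

# verify_keystore: fail unless both aliases are present as SecretKeyEntry.
# Worth running after every install or upgrade, because a missing keystore
# makes the framework fall back to the legacy cipher (see the note above).
verify_keystore() {
  [ -f "$KS_KEYSTORE_FILE" ] ||
    { echo "keystore $KS_KEYSTORE_FILE not found" >&2; return 1; }
  listing=$(keytool -list -keystore "$KS_KEYSTORE_FILE" -storetype "$KS_STORETYPE" \
              -storepass:file "$KS_STOREPASS_FILE") || return 1
  for alias in "$KS_ALIAS" "$KS_HMAC_ALIAS"; do
    printf '%s\n' "$listing" | grep -iq "^$alias,.*SecretKeyEntry" ||
      { echo "alias $alias missing or not a SecretKeyEntry" >&2; return 1; }
  done
}

# legacy_password_keys FILE: print property names whose value still starts with
# the legacy ENC prefix rather than ENCKS, i.e. passwords not yet re-encrypted
# with the keystore. Comment lines are skipped; only the prefix is matched, the
# token format after it is not assumed.
legacy_password_keys() {
  grep -E '^[^#=][^=]*=ENC([^K]|K[^S]|$)' "$1" | cut -d= -f1
}

case "${1:-}" in
  create) create_keystore ;;
  verify) verify_keystore ;;
  scan)   legacy_password_keys "${2:?properties file}" ;;
esac
```

The password is passed through keytool's -storepass:file and -keypass:file forms rather than on the command line, which is the same shape as the KS_STOREPASS_FILE setting above; a plain -storepass argument would leave the keystore password visible to every local user through process listings. Run the verify step after each upgrade, and the scan step over the properties files once passwords have been re-encrypted, to confirm nothing still depends on the legacy ENC form.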