Converting Between Key and Trust Store Formats

Describes enhancements to the manageSSLKeys.sh convert command to enable the conversion of key and trust stores from JKS to BCFKS format or vice versa.

Release 7.0.0 enhanced the convert command in the ${MAPR_HOME}/server/manageSSLKeys.sh utility to support the conversion of key and trust stores from JKS to BCFKS format and vice versa. Key- and trust-store conversion is required if you configure mixed clusters containing both FIPS and non-FIPS enabled nodes. For example:

Adding a secure non-FIPS node to an existing cluster consisting of only FIPS-enabled nodes.
Adding a FIPS-enabled node to an existing cluster consisting of only secure non-FIPS enabled nodes.

The node being added can be a server node, such as a CLDB, MFS-only, or another server or client node. Since the JKS store type is not supported on FIPS-enabled node, this command must be run on a secure non-FIPS node.

If you are adding a secure non-FIPS node to an existing cluster consisting of only FIPS-enabled nodes, copy the BCFKS key or trust store from the ${MAPR_HOME}/conf directory of the FIPS-enabled node to a temporary location in the secure non-FIPS node. Do so before running the manageSSLKeys.sh convert command. Specify the destination location as ${MAPR_HOME}/conf/<store> in the manageSSLKeys.sh convert command so that the newly converted JKS key or trust store is written to the ${MAPR_HOME}/conf directory.
If you are adding a FIPS-enabled node to an existing cluster consisting of only secure non-FIPS-enabled nodes, the source JKS-format key or trust store already exists in the ${MAPR_HOME}conf directory of the secure non-FIPS node. It can then be used directly as the source file in manageSSLKeys.sh convert. There is no need to copy it. After the key/trust store is converted to BCFKS format, copy the newly converted BCFKS key/trust store from the temporary location in the secure non-FIPS enabled node to the ${MAPR_HOME}/conf directory of the FIPS enabled node.

After the converted JKS (for secure non-FIPS) or BCFKS (for FIPS) is added to the ${MAPR_HOME}/conf directory, run configure.sh with the -storepasswds parameter to generate the credential stores and complete the configuration. This process is described in greater detail in Enabling Security.

The basic syntax for the manageSSLKeys.sh convert command with new arguments in bold face is shown below.

/opt/mapr/server/manageSSLKeys.sh convert \ 
    [-N <clustername> ] [-k] [-n] [-p <passwd>]  
    [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] 
    <in key/trust store> <out key/trust store>

Conversion between JKS and BCFKS key and trust stores require the arguments listed in the table below.

Parameter	Description
`-p <passwd>`	The password for the source key or trust store. The destination key or trust store is set to the same password.
`-srcType`	The type of the source key or trust store. Supported types for conversion are `JKS` or `bcfks`. The value of the `-srcType` argument must be different from the `-dstType` argument. That is, if the `-srcType` is `JKS`, then the `-dstType` should be `bcfks`, and vice versa.
`-dstType`	The type of the destination key or trust store. Supported types for conversion are `JKS` or `bcfks`. The value of the `-dstType` argument must be different from the `-srcType` argument. For example, if the `-dstType` is `JKS`, then the `-srcType` should be `bcfks`, and vice versa.
`In key/trust store`	Full or relative path name of the source key or trust store to convert from. This store must exist.
`Out key/trust store`	Full or relative path name of the destination key or trust store which holds the same contents as the source key or trust store but in a different store format. If this file does not exist, it is created. If the file already exists, the contents are overwritten.

Example: Converting JKS to BCFKS Store

The following example converts the JKS trust store in /opt/mapr/conf/ssl_truststore to BCFKS format, and places the BCFKS trust store in ssl_truststore.bcfks in the current directory. This conversion is the case if you are adding a FIPS-enabled node to a cluster containing only secure non-FIPS nodes. Upon successful creation of the BCFKS key or trust store, copy it to the FIPS-enabled node before running configure.sh on that node to complete the configuration.

# /opt/mapr/server/manageSSLKeys.sh convert \ 
    -p BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB \ 
    -srcType JKS \ 
    -dstType bcfks \ 
    /opt/mapr/conf/ssl_truststore \ 
    ssl_truststore.bcfks

Verify that the BCFKS trust store is correctly converted by verifying that both source JKS and destination BCFKS trust stores have the same contents with the same fingerprints.

# keytool -list -keystore /opt/mapr/conf/ssl_truststore -storepass BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB  
Keystore type: JKS 
Keystore provider: SUN 

Your keystore contains 3 entries 
hpe186.cluster.com, Dec 13, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): C8:60:B3:AB:79:FC:6E:E0:4D:5E:32:92:A3:16:04:01:38:D3:38:D5:5A:08:80:F4:A6:ED:AE:12:AB:F5:10:AE 
hpe186.cluster.com-root-ca-chain, Dec 13, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): 3F:3B:2A:C7:CC:2D:F0:50:20:97:E0:DD:61:4E:CF:C8:F0:D6:DC:E2:A1:04:99:1F:39:71:67:93:AD:01:01:DD 

hpe186.cluster.com-root-signing-ca, Dec 13, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): 61:C6:0E:12:18:20:D6:E6:79:78:32:A4:4C:18:AA:80:9E:84:DC:F1:CF:ED:6F:E2:60:6C:62:9B:81:B8:78:7F 
$ keytool -list -keystore /root/ssl_truststore.bcfks -storepass BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar -providername BCFIPS -storetype bcfks Keystore type: BCFKS 
Keystore provider: BCFIPS 

Your keystore contains 3 entries 
hpe186.cluster.com, Dec 14, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): C8:60:B3:AB:79:FC:6E:E0:4D:5E:32:92:A3:16:04:01:38:D3:38:D5:5A:08:80:F4:A6:ED:AE:12:AB:F5:10:AE 
hpe186.cluster.com-root-ca-chain, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 3F:3B:2A:C7:CC:2D:F0:50:20:97:E0:DD:61:4E:CF:C8:F0:D6:DC:E2:A1:04:99:1F:39:71:67:93:AD:01:01:DD 13hpe186.cluster.com-root-signing-ca, Dec 14, 2021, trustedCertEntry, 14Certificate fingerprint (SHA-256): 61:C6:0E:12:18:20:D6:E6:79:78:32:A4:4C:18:AA:80:9E:84:DC:F1:CF:ED:6F:E2:60:6C:62:9B:81:B8:78:7F

Example: Converting BCFKS to JKS Store

The following example converts the BCFKS trust store to JKS format when adding a secure non-FIPS node to a cluster containing only FIPS-enabled nodes. Only secure non-FIPS nodes can support both the JKS and BCFKS store formats. First, copy the BCFKS store from the FIPS-enabled node to a temporary directory in the secure non-FIPS node. Upon successful creation of the JKS key or trust store, run configure.sh to complete the configuration.

# /opt/mapr/server/manageSSLKeys.sh convert \ 
    -p 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 \ 
    -srcType bcfks \ 
    -dstType JKS \ 
    ssl_truststore.bcfks \ 
    /opt/mapr/conf/ssl_truststore

Verify that the JKS trust store is correctly converted by verifying that both source BCFKS and destination JKS trust stores have the same contents with the same fingerprints.

# keytool -list -keystore ssl_truststore.bcfks \ 
    -storepass 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 \ 
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
     -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \ 
    -providername BCFIPS -storetype bcfks 
Keystore type: BCFKS 
Keystore provider: BCFIPS 


Your keystore contains 3 entries 

 
fips0.cluster.com, Dec 14, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 8B:37:56:29:F4:09:67:9C:A3:FB:AA:5F:7C:84:7F:AB:6F:45:31:18:B6:55:26:54:90:AC:8A:60:5C:91:B1:E1 
fips0.cluster.com-root-ca-chain, Dec 14, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 3B:57:F2:A7:01:44:27:AC:C9:22:74:D8:2E:A7:F4:3C:8F:6F:56:E5:73:0B:1D:51:9B:82:0F:DA:77:1D:06:E6 
fips0.cluster.com-root-signing-ca, Dec 14, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 65:C6:83:B2:8D:0B:CE:98:B9:1A:08:06:B4:78:5F:A9:31:BC:42:F5:A9:83:91:F2:0E:35:C4:B2:B9:59:48:07 
# keytool -list -keystore /opt/mapr/conf/ssl_truststore \ 
    -storepass 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 
Keystore type: JKS 
Keystore provider: SUN 

 
Your keystore contains 3 entries 

 
fips0.cluster.com, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 8B:37:56:29:F4:09:67:9C:A3:FB:AA:5F:7C:84:7F:AB:6F:45:31:18:B6:55:26:54:90:AC:8A:60:5C:91:B1:E1 
fips0.cluster.com-root-ca-chain, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 3B:57:F2:A7:01:44:27:AC:C9:22:74:D8:2E:A7:F4:3C:8F:6F:56:E5:73:0B:1D:51:9B:82:0F:DA:77:1D:06:E6 
fips0.cluster.com-root-signing-ca, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 65:C6:83:B2:8D:0B:CE:98:B9:1A:08:06:B4:78:5F:A9:31:BC:42:F5:A9:83:91:F2:0E:35:C4:B2:B9:59:48:07 
[root@m2-mapreng-vm167186 ~]# keytool -list -keystore /opt/mapr/conf/ssl_truststore -storepass 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 
Keystore type: JKS 
Keystore provider: SUN 
 
Your keystore contains 3 entries 

fips0.cluster.com, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 8B:37:56:29:F4:09:67:9C:A3:FB:AA:5F:7C:84:7F:AB:6F:45:31:18:B6:55:26:54:90:AC:8A:60:5C:91:B1:E1 
fips0.cluster.com-root-ca-chain, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 3B:57:F2:A7:01:44:27:AC:C9:22:74:D8:2E:A7:F4:3C:8F:6F:56:E5:73:0B:1D:51:9B:82:0F:DA:77:1D:06:E6 
fips0.cluster.com-root-signing-ca, Dec 15, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 65:C6:83:B2:8D:0B:CE:98:B9:1A:08:06:B4:78:5F:A9:31:BC:42:F5:A9:83:91:F2:0E:35:C4:B2:B9:59:48:07