java_ks

Manage arbitrary Java keystore files

Project URL RSS Feed Report issues

Module Stats

4,036,566 downloads

14,727 latest version

3.8 quality score

Version information

released May 5th 2012

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'puppetlabs-java_ks', '0.0.2'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-java_ks

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-java_ks --version 0.0.2

Tags: java, mcollective, ssl, certs, activemq, keystore, composite-namevars

Documentation

puppetlabs/java_ks — version 0.0.2 May 5th 2012

This modules ships a type called java_ks and a single provider named keytool. The purpose is to be able to import arbitrary, already generated and signed certificates into a java keystore for use by various applications. It has a concept of absent, present, and latest. Absent and present are self explanatory but latest will actually verify md5 certificate fingerprints for the stored certificate and the source file. Support for multiple certificates with the same alias but different keystores has been implemented using Puppet's composite namevar functionality. The mapping of title to namevars is $alias:$target (alias of certificate, colon, on disk path to the keystore). If you create dependencies on these resources you need to remember to use the same title syntax outlined for generating the composite namevars. To have a java application server use a specific certificate for incoming connections you will need to import the private key accompanying signed certificate you want to use at the same time, this is a limitation of keytool. As long as you provide the path to the key and the certificate the provider will do the conversion for you.

Note about composite namevars. The way they currently work you must have the colon in the title. YES even if you define name and target parameters. The title can be 'foo:bar' but the name and target parameters be 'broker.example.com' and '/etc/activemq/broker.ks' and it will do as you expect and correctly create an entry in the broker.ks keystore with the alias of broker.example.com...I think you could consider this a bug.

Example Usage:

  java_ks { 'puppetca:truststore':
    ensure       => latest,
    certificate  => '/etc/puppet/ssl/certs/ca.pem',
    target       => '/etc/activemq/broker.ts',
    password     => 'puppet',
    trustcacerts => true,
  }
  java_ks { 'puppetca:keystore':
    ensure       => latest,
    certificate  => '/etc/puppet/ssl/certs/ca.pem',
    target       => '/etc/activemq/broker.ks',
    password     => 'puppet',
    trustcacerts => true,
  }
  java_ks { 'broker.example.com:/etc/activemq/broker.ks':
    ensure      => latest,
    certificate => '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem',
    private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem',
    password    => 'puppet',
  }

Types in this module release

java_ks

Manages entries in a java keystore. Uses composite namevars to accomplish the same alias spread across multiple target keystores.

Parameters
certificate	An already signed certificate that we can place in the keystore. We autorequire the file for convenience.
ensure	Has three states, the obvious present and absent plus latest. Latest will compare the on disk MD5 fingerprint of the certificate and to that in keytool to determine if insync? returns true or false. We redefine insync? for this paramerter to accomplish this.
name	The alias that is used to identify the entry in the keystore. We are down casing it for you here because keytool will do so for you too.
password	The password used to protect the keystore. If private keys are sebsequently also protected this password will be used to attempt unlocking...P.S. Let me know if you eve need a seperate private key password parameter...
private_key	If you desire for an application to be a server and encrypt traffic you will need a private key. Private key entries in a keystore must be accompanied by a signed certificate for the keytool provider.
provider
target	Destination file for the keystore. We autorequire the parent directory for convenience.
trustcacerts	When inputing certificate authorities into a keystore, they aren't by default trusted so if you are adding a CA you need to set this to true.

Providers
keytool	Uses a combination of openssl and keytool to manage Java keystores

Modules

Discover

Contribute

Resources

About Forge

Getting Started

java_ks

PDK

Supported

Version information

Start using this module

Documentation

Types in this module release

java_ks