Java Keystore Management Best Practices

Posted on 12/07/2018

A keystore file is a password-protected store for private keys, trusted certificates and CA chains. Because it holds the keys that authenticate your application, proper keystore management is critical to application security.

We’ve compiled a list of keystore-related best practices in our keystore management document.

Here is a brief summary of the document:

  • Do not use default keystore files
  • Change default keystore passwords
  • Update keystore (and keypair) passwords on a frequent basis
  • Properly secure your keystore passwords, don’t store them unencrypted
  • Keep private keys in a separate keystore file
  • Clean up your keystores, get rid of all the expired/unused keys, certs, and CAs
  • Do not package keystores inside jar/war files
  • Do not package keystores inside Docker containers
  • Do not store keystores in the application’s Git repo
  • Use different keystore files for different environments
  • Use the PKCS12 format

Certificate Management Best Practices Summary

Posted on 11/25/2018

For more details, please refer to our certificate management document.

Best practices list:

  • Restrict certificate validity to short periods of time
  • Automate certificate renewal/refresh
  • Implement certificate validation and revocation checking (OCSP)
  • Do not use self-signed certs
  • Do not use wildcard certs
  • Establish and maintain a complete certificate inventory—you must know where each certificate is deployed, its expiration, etc.
  • Run frequent endpoint/port scans to detect self-signed and other out-of-policy certificates.
  • Go beyond HTTPS endpoints—also scan TCP endpoints, certs on disk, etc.
  • Minimize trust between system components, don’t blindly trust all certs/all CAs
  • Do not trust all public CAs by default
  • Use the internal CA for internal communications/calls
  • Implement certificate pinning
  • Implement a comprehensive approach to protecting private keys (passwords, keep the keys separate from public certificates, do not keep keys in the same git repo with the code)
  • Keep certificates outside of Docker containers; put them on volumes where they can be easily updated
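The self-signed, wildcard, validity-period and internal-CA rules above (plus the expired-entry cleanup from the keystore list) turned into a policy check, as an added Go example that is not part of this page or of DPBuddy. It uses only the standard library; the throwaway internal CA, the four sample leaf certificates, the hostnames and the 90-day validity limit are all constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Policy encodes the rules from the list above; the 90-day limit is an assumption.
type Policy struct {
	MaxValidity time.Duration
	InternalCAs *x509.CertPool // the internal CA only, never the system roots
}

// Check returns the names of the rules a leaf certificate violates right now.
func (p Policy) Check(c *x509.Certificate) []string {
	var out []string
	expired := time.Now().After(c.NotAfter)
	if expired {
		out = append(out, "expired")
	}
	if c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
		out = append(out, "validity-too-long")
	}
	// Self-signed: issuer equals subject and the signature verifies under the
	// certificate's own key (CheckSignatureFrom would reject a non-CA parent).
	if c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, "self-signed")
	}
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			out = append(out, "wildcard")
			break
		}
	}
	// Chain to the internal CA pool only; public-CA and self-signed certs fail.
	// Skipped for expired certs, which Verify would reject for that reason alone.
	if !expired {
		if _, err := c.Verify(x509.VerifyOptions{Roots: p.InternalCAs}); err != nil {
			out = append(out, "not-issued-by-internal-ca")
		}
	}
	return out
}

var serial int64 // constructed sample data from here on: a throwaway CA and four leaves

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// Sample returns the policy and leaves keyed by the problem they exhibit.
func Sample() (Policy, map[string]*x509.Certificate) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Internal CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf := func(cn string, from, to time.Time, parent *x509.Certificate) *x509.Certificate {
		c, _ := issue(&x509.Certificate{
			Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, parent, caKey)
		return c
	}
	certs := map[string]*x509.Certificate{
		"good":     leaf("api.internal.example", now.AddDate(0, -1, 0), now.AddDate(0, 1, 0), ca),
		"selfsig":  leaf("dev.internal.example", now.AddDate(0, -1, 0), now.AddDate(0, 1, 0), nil),
		"wildcard": leaf("*.internal.example", now.AddDate(0, -1, 0), now.AddDate(0, 1, 0), ca),
		"expired":  leaf("old.internal.example", now.AddDate(-3, 0, 0), now.AddDate(0, 0, -1), ca),
	}
	return Policy{MaxValidity: 90 * 24 * time.Hour, InternalCAs: pool}, certs
}
```

Running Check over the four samples yields: "good" no findings; "selfsig" self-signed and not-issued-by-internal-ca; "wildcard" wildcard; "expired" expired and validity-too-long. Note the design choice that the chain is built against a pool containing only the internal CA rather than the system roots: that is what makes a certificate from any public CA show up as out of policy, which a default TLS trust store would silently accept. To run it as a program, add a main that calls Sample and prints Check for each leaf; in an inventory scan you would feed it certificates parsed from endpoints and from files on disk instead of the constructed ones.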

Certificate Management Best Practices Document

Posted on 11/08/2018

We're incorporating more security reporting/compliance features into DPBuddy and we're also working on a new product related to certificate management.

As part of this work, we're attempting to compile and aggregate best practices related to certificates and key management.

A lot of it is common sense; as we all know, however, even simple steps require some effort from developers and security professionals.

We're hoping that our document can be used as a checklist by everyone involved in application security. We're also planning to automate some, if not all, of these guidelines in the new version of DPBuddy and in our upcoming new product.

Please review our security best practices document and be sure to register for updates.

DataPower Buddy Release 3.4

Posted on 05/30/2018

We're pleased to announce the availability of DataPower Buddy 3.4.

This release provides support for DataPower firmware upgrades, extensive configuration reporting and diffing, DataPower operational analytics and many other features.

Please see release notes for more information.

Download DPBuddy 3.4 from this page and follow our Quick Start Guide.

DataPower Buddy Roadmap

Posted on 05/29/2018

Next DPBuddy release will provide improved operational analytics and certificate management. We're also working on improved configuration reports and configuration diff.

We're also planning on implementing native plugins for Maven and Gradle.

What else would you like to see in the upcoming versions of the product? Please let us know.

Running DPBuddy from Docker

Posted on 05/05/2018

You can now use our DPBuddy docker image that comes pre-installed with Java, Apache Ant and DPBuddy.
Simply run "docker pull myarch/dpbuddy:3.4" and follow our documentation.

DPBuddy Cookbook

Posted on 10/09/2017

Our cookbook contains quick examples/samples/code snippets to help with the most common DataPower development and administration tasks. The cookbook is a live document and it is frequently updated with new information.

Collecting and Analyzing DataPower Logs with DPBuddy and Elastic Stack

Posted on 08/30/2017

Please follow this link.

Automating DataPower Firmware Upgrades with DPBuddy

Posted on 01/29/2017

How to Deal with Generated DataPower Policies

Posted on 07/25/2016

How to Manage and Remotely Tail DataPower Logs

Posted on 07/25/2016

DataPower Buddy Release 3.3

Posted on 06/08/2016

We're pleased to announce the availability of DataPower Buddy 3.3.

New Tasks/Commands and Notable New Feature

  • Support for encrypted properties and configuration settings. This can be used for encrypting DataPower account passwords. It can also be used for encrypting any sensitive data inside DataPower configuration/export files or inside any files that are copied to DataPower using DPBuddy's copy command.
  • PasswordAlias task/command to create DataPower password aliases. The password can be stored encrypted.
  • New format for configuration settings and properties/variables based on the open-source HOCON (Human-Optimized Config Object Notation) library. HOCON is a less restrictive JSON superset geared towards defining configuration settings: it allows comments, does not require quoted strings, and supports variable substitution and includes. For more details please refer to the HOCON documentation. HOCON provides many benefits over the property/prefix-based format introduced in earlier DPBuddy releases. The properties format, however, is still fully supported; migration to HOCON is completely optional.
  • Support for DataPower firmware 7.5
  • Secure restore task/command. The command performs restoration of a secure backup and optionally waits for the completion of the secure restore process. This command can be used for automated sync of multiple appliances in production or for managing disaster recovery appliances.
  • Restore task/command. This command restores multiple domains (or all of the domains in an appliance) from the backup taken by the backup command. This command can also be used for appliance syncing and for DR.
  • RestartDP task/command. This command restarts the appliance and optionally waits for the completion of the restart process.
  • License command that prints DPBuddy's license information.

Configuration Transformation-Related Changes

  • Support for repeaters (loops). Repeaters allow for generating XML fragments in a loop based on an array or an object defined in a HOCON configuration file. For example, you may need to change the definition of a Load Balancer Group depending on the target environment (each environment can have a different number of LBG members). You can define your LBG members in the configuration file and then apply "update" action with "repeat" attribute.
  • "if" expressions are now supported at the "transform" container level (previously "if" was only supported at the action level).
  • "verbose" setting is now supported at the "transform" container and at the individual transformation action levels.
  • Improved logging of transformed element names.
  • Support for local Ant properties in Groovy expressions.
  • "antProject" is now part of the scope in all Groovy expressions.
  • Passwords are now automatically masked in all transformation logs (including verbose mode).

Changes to Existing Tasks/Commands

  • Import, copy and restore commands now stream files to DataPower, which speeds up file transfer and allows for supporting large files. Previously, DPBuddy loaded files in memory prior to import/copy.
  • Export task/command now supports sorting of the exported XML configuration file. DPBuddy will sort all DataPower configuration objects alphabetically according to their names and types. This feature can be used to make tracking of DataPower configuration changes easier since DataPower sometimes re-orders objects in the exported configuration.
  • Import task/command can now re-run the import automatically in case of import errors. This feature should be enabled when importing the sorted configuration file created by the export command. DataPower requires configuration objects to be defined before they are referenced at import; with a sorted export file this ordering is no longer guaranteed, so the import may need to run twice.
  • Export command now automatically removes "export-manifest" from the exported xml files (can be controlled by the "defaultTransform" option).
  • Import now supports "failOnError" option/attribute.
  • More efficient mkdir task/command -- a directory tree is now created in a single request.
  • assertState now prints error code/error description for objects in the "down" state.
  • Improved CLI help.
  • For DPBuddy CLI, config files can now reside in "/etc" directory.

To upgrade to this release, you can simply download and un-archive the distribution and point your DPBUDDY_HOME environment variable to the new location. If you're using DPBuddy from Apache Ant, you will also need to add <pathelement location="${dpbuddy.home}/conf"/> to the DPBuddy library's "taskdef" in your Ant files, otherwise, you will see verbose logging output in the console.

You can download DPBuddy 3.3 from this page.

DataPower Buddy Release 3.3 Beta

Posted on 03/15/2016

We're pleased to announce the availability of DataPower Buddy 3.3 Beta.

This release introduces support for defining configuration properties/variables using the HOCON (Human-Optimized Config Object Notation) format. HOCON is a superset of JSON; it is quite flexible (e.g., it supports comments, includes and substitutions) and more readable than raw JSON. HOCON provides a powerful alternative to defining environment-specific properties using prefix-based notation. The prefix-based mechanism, however, is still fully supported, so the use of HOCON is completely optional.

Other notable features of this release include:

  • Support for restore/import of multiple domains (or all of the domains). This could be useful for keeping multiple production appliances in sync.
  • Support for secure restore. This can also be used to maintain a DataPower cluster in sync or in a DR situation.
  • Support for appliance reboot/restart. Both secure restore and restart/reboot commands can optionally wait for the appliance to come back online.
  • Password encryption inside configuration files using the open-source Jasypt library.
  • Under the hood, DPBuddy now streams files to the appliance during copy/import/restore, so these commands are now performed much faster and with lower memory requirements.
  • "Add" and "update" configuration transformation functions now support repeaters (loops). This can be used to generate environment-specific load-balancing group configuration with variable number of back-end servers.
  • Many minor changes and bug fixes. For example, passwords are now automatically masked when environment transformations run in verbose mode.
  • CLI help has been improved to make the use of CLI easier.

This release could also provide support for firmware 7.5; this feature will be finalized once 7.5 becomes available.

The general availability of DPBuddy 3.3 is expected in April 2016. Meanwhile, please let us know if you're interested in evaluating the beta version.

DPBuddy Release 3.2.4 (Improved Auditing)

Posted on 10/12/2015

We're pleased to announce that DataPower Buddy 3.2.4 is now available. The focus of this release is on improved audit and logging.

DPBuddy now generates an audit log file in JSON format, in addition to the XML format supported in earlier releases. This file can be easily tailed, analyzed with jq and/or uploaded to an enterprise SIEM tool. DPBuddy now uses logback framework for auditing and logging. This provides a lot of flexibility in configuring log file location, rollover policies, appenders and other parameters.

Other new features include:

  • DPBuddy now captures import failures in the audit log.
  • backup command now supports the new option/attribute, "failIfNoDomain". If set to "false", "backup" will not fail if the target domain does not exist.
  • Better error handling. The root cause of an error is now reported automatically, without having to run the tool in verbose mode.
  • Bug fixes.

To upgrade to this release, you can simply download and un-archive the distribution and point your DPBUDDY_HOME environment variable to the new location. If you're using DPBuddy from Apache Ant, you will also need to add <pathelement location="${dpbuddy.home}/conf"/> to the DPBuddy library's "taskdef" in your Ant files, otherwise, you will see verbose logging output in the console.

You can download DPBuddy 3.2.4 from this page.

DataPower Buddy Release 3.2.3 (Firmware 7.2)

Posted on 06/28/2015

We're pleased to announce that DPBuddy 3.2.3 is now available. This release provides the support for DataPower firmware 7.2 and bug fixes.

An up-to-date version of Java 7 is required when using DPBuddy with firmware 7.2; otherwise you may encounter an SSL-related error when trying to connect to DataPower. This is due to a bug in earlier OpenJDK versions.

Other new features include:

  • "quiet" in "delConfig" task now suppresses all deletion errors, including the ones caused by an object being referenced by another object. This provides a workaround for a bug in firmware 7.2 that causes DataPower to retain references to objects that have been deleted.
  • "resetDomain", "restartDomain" and "wsrrSynchronize" now support "domain" and other common attributes/options; these attributes/options were ignored in earlier versions.

You can download DPBuddy 3.2.3 trial from this page.