
By default, we have the following items as keychains under MacOS's Keychain Access tool.

  • login
  • Local Items
  • System
  • System Roots

And it seems that out of the box, the Mac has problems dealing with smart cards... so I had to install a 3rd party tool, Centrify, in order to propagate the certificates from a smart card into Apple's Keychain. However, this 3rd party tool seems to create a brand new keychain of its own for the inserted smart card. The keychain seems to have the following naming format:

  • PIV-< Name of the cert >

I had been using Java's KeyStore to access the Apple Keychain, but I am unable to access any certificates or keychain installed by the Centrify tool.

Currently I'm accessing the Apple Keychain like this:

import java.security.KeyStore;

// "KeychainStore" from the "Apple" provider is backed by the OS keychain, so no file or password is given to load()
KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
ks.load(null, null);

And I am able to load and access the certificates that are under login keychain but not the ones imported by Centrify.

Does anyone know the proper way to access other keychains?

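To see concretely which keychain items the Apple provider exposes to Java, here is an added example (not code from the question or from Centrify) that opens the "KeychainStore" and inventories every alias it can see, noting whether a private key is attached. It assumes a macOS JDK that ships the Apple security provider; the alias names and the "PIV-" fragment used in the check are assumptions based on the naming the question reports, and anything in a locked, PIN-protected keychain will simply be absent from the list.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Inventory of what the Apple "KeychainStore" provider actually exposes to Java.
 * Added example for this post; assumes a macOS JDK with the Apple provider.
 * Entries from keychains that are not unlocked for the current session do not appear.
 */
public class KeychainInventory {

    /** One visible keychain entry: alias, whether a private key is attached, subject DN. */
    public static final class Entry {
        public final String alias;
        public final boolean hasPrivateKey;
        public final String subject;

        Entry(String alias, boolean hasPrivateKey, String subject) {
            this.alias = alias;
            this.hasPrivateKey = hasPrivateKey;
            this.subject = subject;
        }

        @Override
        public String toString() {
            return (hasPrivateKey ? "[key+cert] " : "[cert only] ") + alias + " -> " + subject;
        }
    }

    /** Opens the Apple keychain store and lists every alias it can see. */
    public static List<Entry> inventory() throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null); // no file and no password: the OS keychain is the backing store

        List<Entry> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            // isKeyEntry is true only when the item carries a private key Java can reference;
            // a certificate-only item (e.g. a trust anchor) reports false here.
            out.add(new Entry(alias, ks.isKeyEntry(alias), subject));
        }
        return out;
    }

    /** True if some visible entry's alias or subject DN contains the given fragment. */
    public static boolean isVisible(List<Entry> entries, String fragment) {
        for (Entry e : entries) {
            if (e.alias.contains(fragment) || e.subject.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<Entry> entries = inventory();
        entries.forEach(System.out::println);
        // "PIV-" is an assumed fragment, taken from the keychain naming the question describes;
        // a locked, PIN-protected keychain contributes nothing to this list, so false here
        // means "not unlocked/visible", not "not present on the machine".
        System.out.println("Smart card entry visible to Java: " + isVisible(entries, "PIV-"));
    }
}
```

Run it with `javac KeychainInventory.java && java KeychainInventory` on the Mac in question. Comparing its output against what Keychain Access shows is the quickest way to confirm whether the gap is on the Java side or, as the answer below describes, simply a keychain that is not unlocked for the session.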

1 Answer

This is Albert from Centrify. The PIV-<> keychain is a PIN-protected keychain which secures the use of the smartcard credential. Because of this, the keystore is not able to retrieve it unless it is unlocked. It is similar to getting certificates from the System keychain, which is allowed only for users with admin privileges.

You can go to the idea exchange to raise the idea so we will understand the need for this kind of use case: http://community.centrify.com/t5/Centrify-Idea-Exchange/idb-p/Centrify-Idea-Exchange

Also, you may want to take a look at derived credential feature in Centrify SaaS product which should be doing the same you wished: https://docs.centrify.com/en/centrify/adminref/index.html?version=1495753737#page/cloudhelp%2FderivedCreds.html

Best Regards,

Albert

  • LOL you've already given the exact same reply to my post in your company's forum, but what I need is a way to access the credentials that Centrify has pushed into the Apple Keystore. Without any means of reading them, they may as well not be there. – codenamezero Jun 02 '17 at 13:19
  • Hi there, the express version is decided for websites. For integration with 3rd party software, it will be an enhancement request as we mentioned earlier. I will go ahead and file an enhancement request with our PM for this use case on your behalf. I will keep you posted with any updates regarding the request. Also, the PIN-protected keychain is used to secure the use of the certificate, to make sure the person is the one who owns the certificate. Thanks. Regards, Albert – Albert Jun 05 '17 at 10:41