Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

How to install CA cert to liberty?

I am using RTC 601, which is on Liberty. Currently the admin has provided me with DigiCertCA.crt, mydomainxx.crt and mydomainxx.key.

I see Liberty has a self-signed cert in server.xml, as the following line shows. How can I import my cert?

<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>

I tried

keytool -import -trustcacerts -alias root -file /var/tmp/DigiCertCA.crt -keystore ibm-team-ssl.keystore

with password ibm-team.

I also wanted to import mydomainxx.crt with password ibm-team, but it failed with the message "Public keys in reply and keystore don't match":

keytool -import -trustcacerts -alias default -file mydomainxx.crt -keystore ibm-team-ssl.keystore

I think I should use mydomainxx.key, but how do I use it? Or do I need to create a new keystore? But how do I set the storetype?

Or should I use openssl? If openssl, can anyone provide me the detailed steps? Thanks!

0 votes

Comments

Can anyone help?

This is not a CLM issue but a security certificate issue. You did not provide details of how you generated your certificate. But you can find many discussions if you google this error on other public forums.



2 answers

Permanent link
The CLM documentation page here http://www.ibm.com/support/knowledgecenter/en/SSYMRC_6.0.1/com.ibm.jazz.install.doc/topics/t_install_server_certificates.html describes the process.

0 votes

Comments

Thanks Alan, I read this link yesterday. But there are no detailed instructions on how to run keytool to add a CA cert. I tried to use keytool to add the mydomain cert, but it failed. Could you help more with that?

Jia Jia Li:  Please remember to post your comments as "comments" rather than "answers".


Permanent link
You need to understand what you have got in order to import the keys and certificates successfully. The file DigiCertCA.crt is the certificate for the intermediate CA, mydomainxx.crt is the personal certificate for the domain, and mydomainxx.key the private key associated with the personal certificate - the root CA certificate (TrustedRoot.crt) appears to be missing according to the below document. Ask the admin for this missing file.
https://www.digicert.com/ssl-support/pem-ssl-creation.htm

I suggest you use iKeyMan to import these files, as keytool seems not able to import keys. You can find this tool in the IBM JRE bundled with CLM. You would use the below document as reference.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

1. Follow the "Store the root certificate of a CA" instructions to import the root/intermediate CA certificates (TrustedRoot.crt and DigiCertCA.crt).
2. Follow the "Import a key from another database or PKCS12 file" instructions to import the private key from mydomainxx.key - you may need a password for the import, and ask the admin for it if required.
3. Follow the "Receive a CA-signed certificate into a key database" instructions to import the personal certificate for the domain.
4. Validate the newly imported personal certificate to make sure that the certificate chain is complete.

P.S. All the files should be in PKCS12 format (looks like plain text). If in doubt, ask the admin to confirm.

0 votes
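The command-line route the question asks about (openssl, then keytool), as an added example that is not part of the original thread or of IBM's documentation. keytool cannot read a bare PEM private key, and it raises "Public keys in reply and keystore don't match" when a certificate's public key differs from the key pair already stored under the alias, so the sketch first checks that certificate and key belong together, bundles them into PKCS12, and copies that entry into the keystore. Assumptions: the three files are PEM, the alias "default" and type JCEKS come from the question, and the function names and the P12_PASS / KS_PASS environment variables are hypothetical.

```shell
#!/bin/sh
# Added example. File names, alias "default" and type JCEKS follow the
# thread; P12_PASS and KS_PASS are assumed environment variables.

# Succeeds only if the certificate's public key equals the one derived
# from the private key (both PEM). A mismatch is what keytool reports as
# "Public keys in reply and keystore don't match".
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle private key, server certificate and CA chain into one PKCS12
# file; the password is read from $P12_PASS, not the command line.
build_p12() {  # key cert chain out alias
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$5" -out "$4" -passout env:P12_PASS
}

# Copy that entry into the Liberty keystore, protecting the key entry
# with the keystore password. keytool asks before overwriting an alias.
# The :env modifiers are OpenJDK keytool syntax (assumed available here).
import_p12() {  # p12 keystore alias
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -destkeystore "$2" -deststoretype JCEKS \
        -deststorepass:env KS_PASS -destkeypass:env KS_PASS \
        -srcalias "$3" -destalias "$3"
}

install_cert() {  # key cert chain keystore alias
    cert_matches_key "$2" "$1" || { echo "cert/key mismatch" >&2; return 1; }
    cp -p "$4" "$4.bak" || return 1          # keep a rollback copy
    p12=$(umask 077; mktemp) || return 1      # private-key material: 0600
    build_p12 "$1" "$2" "$3" "$p12" "$5" && import_p12 "$p12" "$4" "$5"
    rc=$?
    rm -f "$p12"
    return "$rc"
}

# e.g. sh install.sh mydomainxx.key mydomainxx.crt DigiCertCA.crt \
#          ibm-team-ssl.keystore default
if [ "$#" -eq 5 ]; then install_cert "$@"; fi
```

If the PKCS12 file is produced by OpenSSL 3 and an older JRE's keytool rejects it, re-exporting with openssl's `-legacy` option uses the older PKCS12 algorithms.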

Question details

Question asked: Jul 06 '16, 5:59 a.m.

Question was seen: 5,066 times

Last updated: Jul 13 '16, 12:58 a.m.
