Command for certificate import in IHS kdb file

vowner owner (25117) | asked Nov 24 '18, 6:43 a.m.

Hello experts,

I was following the command-line installation of CLM 6.0.5 with Liberty profile (distributed environment), and I could complete the installation part of the application successfully by following the IBM documents.

I have also installed the IBM HTTP Server on a separate server, and now I need to do the SSL certificate import and handshake with the Liberty profile.

Part 1 - Create a key database and self-signed certificate for IHS

I completed these steps with the 2 gskcmd commands below on the command line, and it was a success.

On the IHS machine, open a command terminal and cd to /bin, e.g. /opt/IBM/HTTPServer/bin,
         Create the key database
            ./gskcmd -keydb -create -db ihskeys.kdb -pw xxxxx -expire 3650 -stash -type cms 
         Create the self-signed certificate for IHS URL
            ./gskcmd -cert -create -db ihskeys.kdb  -label default -expire 3650 -size 2048 -dn "CN=xxxxx" -default_cert yes -pw xxxxx 

But in Part 2 - Setup SSL Handshake between the Liberty profiles and IHS

I couldn't find any proper command-line guidance to do this through commands. From each application server (JTS, CCM, QM, RM) I copied the default keystore files ([JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore)
to the IHS server, and I need to import these keystore files into the IHS kdb file through the command line. I tried various options and it keeps failing.

./gskcapicmd -cert -import -db /opt/IBM/HTTPServer/ibm-team-ssl.keystore -pw ibm-team -target /opt/IBM/HTTPServer/key.kdb -target_pw ibm-team

It's giving an error: invalid keystore format. Here my aim is to import these copied keystore files into the IHS kdb file under personal certificates.

Accepted answer

Stefan Oblinger (17010) | answered Nov 26 '18, 2:12 a.m.
You need to provide the keystore formats. Liberty servers use JCEKS, IHS uses CMS.

Try this command to import JTS keys:
./gskcmd -cert -import -db /path/to/jts-keystore -pw ibm-team -type jceks -target /path/to/IHS/keystore -target_pw secret -target_type cms -label default -new_label default_jtscert
vowner owner selected this answer as the correct answer
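
Because the failed import in the question came down to an unstated keystore format, a small preflight can read a file's leading bytes and report what it is before a -type value is chosen. This is an added example, not part of the original thread or of IBM's tooling; the function names are hypothetical, and it only recognizes the JKS and JCEKS magic numbers, PEM armor and a leading DER SEQUENCE byte (CMS .kdb files are not identified).

```shell
#!/bin/sh
# Added example (not from the thread): identify a key file's on-disk format
# from its leading bytes before passing -type to gskcmd / ikeycmd.
# Function names are hypothetical.

# Print the first N bytes of FILE as one lowercase hex string.
lead_hex() {
    od -An -tx1 -N"$2" "$1" | tr -d ' \n'
}

# Print one of: jks, jceks, pem, asn1-der, unknown.
keystore_format() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    case "$(lead_hex "$1" 10)" in
        feedfeed*)            echo "jks" ;;      # Java KeyStore magic 0xFEEDFEED
        cececece*)            echo "jceks" ;;    # JCEKS magic 0xCECECECE
        2d2d2d2d2d424547494e) echo "pem" ;;      # ASCII "-----BEGIN": a text certificate or key, not a keystore
        30*)                  echo "asn1-der" ;; # DER SEQUENCE: PKCS#12 store or binary certificate
        *)                    echo "unknown" ;;
    esac
}

# Return 0 only when the detected format equals the -type about to be used.
type_matches() {
    detected=$(keystore_format "$1") || return 2
    if [ "$detected" = "$2" ]; then
        return 0
    fi
    echo "mismatch: $1 looks like '$detected', not '$2'" >&2
    return 1
}

# Stand-alone use: ./ksformat.sh /path/to/file
if [ "$#" -ge 1 ]; then
    keystore_format "$1"
fi
```

A result of pem or asn1-der for a .crt file means it is a bare certificate rather than a keystore, so a keystore -type does not apply to it.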

vowner owner commented Nov 26 '18, 8:15 a.m.

 Hello Stefan, that worked like magic for me. Great help from you. Thanks a ton.

vowner owner commented Nov 26 '18, 8:16 a.m.

 Also, I have another .kdb on the same IHS server for the web server plugin (plugin-key.kdb).

As per the document, I have to extract the certificate from each Liberty profile's keystore (here I created a separate keystore for each Liberty server, e.g. jts.jks, ccm.jks, etc.),
and I extracted the certificates using the command below,
for example for the RM Liberty server:
./ikeycmd -cert -extract -db /opt/IBM/605CLM/JazzTeamServer/server/liberty/servers/clm/resources/security/RM.jks -type jks -label RM -target /opt/IBM/605CLM/JazzTeamServer/server/liberty/servers/clm/resources/security/rmcert.crt -pw mypass
Now I copied this to the IHS server and tried the command below; here my aim is to add these extracted certificates to the signer part of plugin-key.kdb.
I tried the command below and it is getting added to the signer certificates, but the label option is not working for me.
./gskcapicmd -cert -import -db /opt/IBM/HTTPServer/rmcert.crt -pw mypass -target /opt/IBM/Websphere/Plugins/Config/WebsServer1/plugin-key.kdb -target_pw mypass.
Here, in the signer list, it is being added in FQDN name format.
