SSL certificate
In order to replace the default SSL certificate, the Jazz instructions ask users to create a .kdb file, submit a request for a new certificate (.arm file), and then accept the certificate, which updates the .kdb file.
However, they do not state what to do next. How do I make the Jazz server/Tomcat reference the new certificate? Thanks.
10 answers
You will need to change the server.xml file that Tomcat uses. (\jazz\server\tomcat\conf\server.xml)
<Connector port="9443"
connectionTimeout="20000"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="ibm-team-ssl.keystore"
keystorePass="ibm-team"
sslProtocol="SSL"
algorithm="IbmX509"
URIEncoding="UTF-8" />
If you copy the certificate file to the "\jazz\server\tomcat" directory you can just change the "keystoreFile" attribute to reference the new certificate filename. Also change the "keystorePass" attribute to reference the certificate file's password.
Richard
Jazz Web UI and Server Development
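The connector above with the keystore attributes filled in for a replacement certificate. This is an added example, not configuration from the original thread or from Jazz: the keystore path, alias and password are placeholders, and the non-SSL attributes are copied unchanged from the snippet above. The IBM-specific sslProtocol and algorithm values are left as shipped, since in this thread they are what the IBM JVM requires.

```xml
<!-- Changes from the shipped connector:
     keystoreType  - stated explicitly; Tomcat's default is JKS, which is
                     why an iKeyman .kdb file fails with "Invalid keystore format".
     keystoreFile  - absolute path (a relative path is resolved against the
                     Tomcat base directory, \jazz\server\tomcat here).
     keystorePass  - the password you set on the new keystore, not the
                     well-known default "ibm-team".
     keyAlias      - the alias of the entry holding the CA-issued certificate
                     and its private key; without it, a keystore with more
                     than one key entry leaves the choice to the JSSE key manager.
     Path, alias and password below are placeholders. -->
<Connector port="9443"
           connectionTimeout="20000"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           keystoreType="JKS"
           keystoreFile="C:/jazz/server/tomcat/conf/jazz-server.jks"
           keystorePass="replace-with-the-keystore-password"
           keyAlias="jazz-server"
           sslProtocol="SSL"
           algorithm="IbmX509"
           URIEncoding="UTF-8" />
```

keyAlias must name an entry that `keytool -list -v -keystore jazz-server.jks` reports as a PrivateKeyEntry; a trustedCertEntry holds no private key and cannot be served. The password sits in cleartext in server.xml, so restrict read access on that file to the account Tomcat runs as, and restart Tomcat after editing it.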
Thanks, Richard.
I had tried this. The server.xml file references ibm-team-ssl.keystore. However, iKeyMan was not able to create such a file (to my knowledge). iKeyMan generates key store files with the extension .kdb, .jks, etc. When I replaced ibm-team-ssl.keystore with a file like myKeys.kdb, the server returned an "invalid keystore format" error. Any idea? Thanks.
In addition, I also generated a key and imported the key into ibm-team-ssl.keystore. But Tomcat only picked up the ibm-team key, not the one I imported. I also tried removing the ibm-team key from ibm-team-ssl.keystore so that only my key was inside the keystore. That did not help either; I cannot remember the exact error message.
-----
SEVERE: Error initializing endpoint
java.io.IOException: Invalid keystore format
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1173)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:287)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:227)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:142)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:110)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
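The stack trace above comes from KeyStore.load() rejecting the file before Tomcat ever reaches the certificate. The following inspector, an added example that is not code from Jazz, Tomcat or the thread, checks a keystore file the same way: it recognises the JKS magic number that the connector's default keystoreType expects, lists each entry with its alias and type, and recomputes the SHA-1 integrity digest that KeyStore.load() verifies against keystorePass. The sample keystores are constructed inline; their key and certificate blobs are placeholders, since only the container structure is inspected.

```python
"""Inspect a Tomcat keystore file the way the SSL connector loads it.

Added example for this thread, not Jazz or Tomcat code. A file without the
JKS/JCEKS magic number (an iKeyman .kdb, for instance) is what produces
"Invalid keystore format"; a JKS with several PrivateKeyEntry items is the
case where keyAlias must be set.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED          # sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE        # com.sun.crypto.provider.JceKeyStore
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string mixed into the JKS digest


def _utf(s):
    """DataOutputStream.writeUTF(): 2-byte big-endian length, then UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def _integrity_digest(password, body):
    """JKS trailer = SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def classify(data):
    """Name the format Tomcat would need in keystoreType, judged from the header."""
    if len(data) < 4:
        return "too short to be a keystore"
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] == 0x30:                   # DER SEQUENCE: PKCS#12 files start this way
        return "DER (probably PKCS12)"
    return "not a Java keystore (for example an iKeyman CMS .kdb)"


def inspect_keystore(data, password=None):
    """Walk a JKS file; return format, entries and (if a password is given) whether it matches."""
    result = {"format": classify(data), "entries": [], "password_ok": None}
    if result["format"] != "JKS":
        return result
    _magic, _version, count = struct.unpack_from(">III", data, 0)
    pos = 12
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8                                  # creation timestamp (ms), not needed here
        entry = {"alias": alias}
        if tag == PRIVATE_KEY_ENTRY:
            (key_len,) = struct.unpack_from(">I", data, pos)
            pos += 4 + key_len                    # encrypted PKCS#8 blob, skipped
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):            # certificate chain: type string + DER bytes
                _ctype, pos = _read_utf(data, pos)
                (clen,) = struct.unpack_from(">I", data, pos)
                pos += 4 + clen
            entry.update(type="PrivateKeyEntry", chain_length=chain_len)
        elif tag == TRUSTED_CERT_ENTRY:
            _ctype, pos = _read_utf(data, pos)
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + clen
            entry.update(type="trustedCertEntry", chain_length=1)
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
        result["entries"].append(entry)
    if password is not None:
        result["password_ok"] = _integrity_digest(password, data[:pos]) == data[pos:pos + 20]
    return result


def key_aliases(data):
    """Aliases that hold a private key: the only valid values for the connector's keyAlias."""
    return [e["alias"] for e in inspect_keystore(data)["entries"] if e["type"] == "PrivateKeyEntry"]


def build_jks(entries, password):
    """Serialise entries to JKS bytes (used only to construct samples).
    entries: ("key", alias, key_blob, [cert_blob, ...]) or ("cert", alias, cert_blob)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for e in entries:
        if e[0] == "key":
            _, alias, key_blob, chain = e
            body += struct.pack(">I", PRIVATE_KEY_ENTRY) + _utf(alias) + struct.pack(">Q", 0)
            body += struct.pack(">I", len(key_blob)) + key_blob + struct.pack(">I", len(chain))
            for cert in chain:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            _, alias, cert = e
            body += struct.pack(">I", TRUSTED_CERT_ENTRY) + _utf(alias) + struct.pack(">Q", 0)
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _integrity_digest(password, body)


def sample_keystore():
    """Constructed stand-in for ibm-team-ssl.keystore after a second key was imported."""
    fake_key = b"\x00" * 32           # placeholder for the encrypted private key
    fake_cert = b"\x30\x00"           # placeholder for a DER certificate
    return build_jks([("key", "ibm-team", fake_key, [fake_cert]),
                      ("key", "mykey", fake_key, [fake_cert, fake_cert]),
                      ("cert", "myca", fake_cert)], "ibm-team")


def sample_non_jks():
    """Constructed bytes with no Java keystore magic; a real .kdb is rejected the same way."""
    return b"\x00\x00\x00\x05" + b"placeholder-keystore-body" + b"\x00" * 32


if __name__ == "__main__":
    for name, blob in (("ibm-team-ssl.keystore", sample_keystore()), ("myKeys.kdb", sample_non_jks())):
        info = inspect_keystore(blob, "ibm-team")
        print(name, "->", info["format"], "password_ok=%s" % info["password_ok"])
        for e in info["entries"]:
            print("   %-10s %-16s chain=%d" % (e["alias"], e["type"], e["chain_length"]))
    print("keyAlias candidates:", key_aliases(sample_keystore()))
```

On a real file, `keytool -list -v -keystore ibm-team-ssl.keystore` reports the same aliases and entry types. The distinction matters for the second symptom described above: `keytool -import` of a certificate into an alias that does not already hold the matching private key creates a trustedCertEntry, which the server will never present, so the old ibm-team key keeps being served.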
Gary,
There is some Tomcat-specific documentation on SSL setup (including certificate setup) here:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
This might provide some alternatives to using the iKeyMan tool.
Richard
Jazz Web UI and Server Development
Gary,
It has been suggested to me that you should be able to do the following using keytool:
1) Export your certificate from the .kdb file you have created.
keytool -export -alias root -file <cert_file> -trustcacerts -keystore <your>
2) Import the certificate into the ibm-team-ssl.keystore file.
keytool -import -alias tomcat -file <cert_file> -trustcacerts -keystore ibm-team-ssl.keystore
Richard
Jazz Web UI and Server Development
gdang wrote:
Generated a new keystore and generated/imported a new key by following the Tomcat How-To. However, the following error was displayed after trying to start the Jazz server:
"RSA KeyManagerFactory not available".
Thanks, Richard. I tried that and that did not help, but I am not sure why.
I eventually ended up creating a brand new keystore, and that was working for a testing project. I will try to test the new procedure on another project.
One thing to keep in mind was that the RSA algorithm cannot be specified when creating new keystores.
I think this is something very common when setting up an RTC server. I wish IBM would do better documentation and testing from the user's perspective. Thanks.
Gary,
Another thing to try, if possible, is to use a Sun JVM. You will need to modify the SSL Connector to change the sslProtocol attribute to "TLS" and remove the algorithm attribute. That will show if the IBM JVM is the culprit.
Richard
Jazz Web UI and Server Development
Thank you, Richard, for all your comments and help. Right now, I will stay with the IBM JVM and create a new keystore for each RTC deployment. This may not be ideal, but it seems to be working and lets us bring a few projects alive. Of course, if IBM can document the best practices in this area and test them, that will be great. I may play around with what you suggested later on as well. Thanks again.
Gary,
If you get a chance, can you document the issues you have seen in a WorkItem?
Thanks
Richard
Jazz Web UI and Server Development