SSL certificate


Gary Dang (59328855) | asked Jul 02 '08, 8:44 a.m.
In order to replace the default SSL certificate, Jazz instructions ask users to create a .kdb file, submit request of a new certificate (.arm file), and then accept the certificate which updates the .kdb file.

However, it does not state what to do next. How to let Jazz server/Tomcat reference the new certificate? Thanks.

10 answers



Gary Dang (59328855) | answered Jul 07 '08, 10:29 a.m.
Any comment on this one please? Thanks.

Richard Backhouse (6661) | answered Jul 08 '08, 9:57 a.m.
JAZZ DEVELOPER
You will need to change the server.xml file that Tomcat uses. (\jazz\server\tomcat\conf\server.xml)

<Connector port="9443"
           connectionTimeout="20000"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           keystoreFile="ibm-team-ssl.keystore"
           keystorePass="ibm-team"
           sslProtocol="SSL"
           algorithm="IbmX509"
           URIEncoding="UTF-8" />

If you copy the certificate file to the "\jazz\server\tomcat" directory you can just change the "keystoreFile" attribute to reference the new certificate filename. Also change the "keystorePass" attribute to reference the certificate file's password.

Richard
Jazz Web UI and Server Development

Gary Dang (59328855) | answered Jul 08 '08, 2:13 p.m.
Thanks, Richard.

I had tried this. The server.xml file references the ibm-team-ssl.keystore. However, iKeyMan was not able to create such a file (to my knowledge). iKeyMan generates key store files with the extension .kdb, .jks, etc. When I replaced ibm-team-ssl.keystore with a file like myKeys.kdb, the server returned an error of invalid keystore format. Any idea? Thanks.

In addition, I also generated a key and imported the key into ibm-team-ssl.keystore. But, Tomcat only picked up the ibm-team key, not the one I imported. I also tried removing the ibm-team key from ibm-team-ssl.keystore so that only my key was inside the keystore. That did not help either - I cannot remember the exact error message.

-----
SEVERE: Error initializing endpoint
java.io.IOException: Invalid keystore format
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1173)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:287)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:227)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:142)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:110)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
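The "Invalid keystore format" error above comes from java.security.KeyStore.load(), which checks the leading bytes of the file named by keystoreFile before anything else; an iKeyman CMS .kdb is not a Java keystore and fails that check. The following script is an added example, not code from this thread or from the Jazz/Tomcat projects: it pulls the secure Connector out of a constructed server.xml (the one quoted above, wrapped in the Server/Service elements Tomcat requires) and classifies the keystore bytes before the server is restarted. The JKS and JCEKS magic numbers are those used by the JDK's keystore implementations; the PKCS12 check is a best-effort ASN.1 test, and the sample keystore bytes are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the SSL Connector quoted in this thread,
# wrapped in the Server/Service elements Tomcat expects. Not a real file.
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="9443" scheme="https" secure="true" clientAuth="false"
               keystoreFile="ibm-team-ssl.keystore" keystorePass="ibm-team"
               sslProtocol="SSL" algorithm="IbmX509" URIEncoding="UTF-8" />
  </Service>
</Server>
"""

# Leading bytes of the keystore formats a Java KeyStore can load. JKS and JCEKS
# begin with a fixed magic number; PKCS12 is DER and begins with an ASN.1
# SEQUENCE tag (0x30). An iKeyman CMS .kdb begins with none of these, which is
# what makes KeyStore.load() raise "Invalid keystore format".
JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"
DEFAULT_KEYSTORE_PASS = "ibm-team"  # the shipped default quoted in this thread


def sniff_keystore_format(data: bytes) -> str:
    """Best-effort format detection from the first bytes of a keystore file."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    if data[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if data[:1] == b"\x30":
        return "PKCS12"
    return "unknown"


def ssl_connectors(server_xml: str) -> list:
    """All <Connector> elements marked secure="true", as attribute dicts."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector") if c.get("secure") == "true"]


def check_connector(attrs: dict, keystore_bytes: bytes) -> dict:
    """Check one SSL Connector against the raw bytes of its keystoreFile.

    Returns {"ok": bool, "format": str, "findings": [str, ...]}; the caller
    reads the file named by attrs["keystoreFile"] (relative to the Tomcat
    directory) and passes its bytes in.
    """
    findings = []
    expected = attrs.get("keystoreType", "JKS")  # Tomcat's default keystore type
    fmt = sniff_keystore_format(keystore_bytes)
    if "keystoreFile" not in attrs:
        findings.append("keystoreFile attribute is missing")
    if fmt == "unknown":
        findings.append("keystore is not a JKS/JCEKS/PKCS12 file, so the JVM cannot load it "
                        "(an iKeyman .kdb must be exported to PKCS12 or replaced by a JKS)")
    elif fmt != expected:
        findings.append(f"keystore looks like {fmt} but keystoreType is {expected}")
    password = attrs.get("keystorePass", "")
    if password == "":
        findings.append("keystorePass is empty")
    elif password == DEFAULT_KEYSTORE_PASS:
        findings.append("keystorePass is still the shipped default; change it with the keystore")
    return {"ok": not findings, "format": fmt, "findings": findings}


if __name__ == "__main__":
    for conn in ssl_connectors(SERVER_XML):
        # Constructed sample bytes standing in for the file named by keystoreFile.
        for label, sample in (("jks-like", JKS_MAGIC + b"\x00\x00\x00\x02"),
                              ("kdb-like", b"\x00\x01\x02\x03")):
            print(conn["keystoreFile"], label, check_connector(conn, sample))
```

Run it against the real file by replacing the sample bytes with `open(path, "rb").read()`; a result of "unknown" before the restart saves the stack trace above, and a mismatch between the sniffed format and keystoreType points at the attribute to change (or at exporting the key pair to a format the JVM reads) rather than at the certificate itself.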

Richard Backhouse (6661) | answered Jul 08 '08, 2:53 p.m.
JAZZ DEVELOPER
Gary,

There is some tomcat specific documentation on SSL setup (including
certificate setup) here :

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

This might provide some alternatives to using the ikeyman tool

Richard
Jazz Web UI and Server Development

Gary Dang (59328855) | answered Jul 09 '08, 8:19 a.m.
Generated a new keystore and generated/imported a new key by following the Tomcat How-To. However, the following error was displayed after trying to start the Jazz server.

"RSA KeyManagerFactory not available".

Richard Backhouse (6661) | answered Jul 09 '08, 11:08 a.m.
JAZZ DEVELOPER
Gary,

It has been suggested to me that you should be able to do the following
using keytool :

1) Export your certificate from the .kdb file you have created.

keytool -export -alias root -file <cert_file> -keystore <your>

2) Import the certificate into the ibm-team-ssl.keystore file.

keytool -import -alias tomcat -file <cert_file> -trustcacerts -keystore ibm-team-ssl.keystore

Richard
Jazz Web UI and Server Development
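The two keytool steps above move a certificate, not a private key: `-export` writes the public certificate only, and `-import` of that file creates a trusted-certificate entry, which a TLS server cannot use to answer handshakes. A quick way to see which entries Tomcat can actually serve with is to read the output of `keytool -list -v`. The following is an added example, not code from this thread or from the Jazz/Tomcat projects; the listing it parses is constructed to resemble keytool output (both the older `keyEntry` and newer `PrivateKeyEntry` spellings are handled), and the `keyAlias` attribute it mentions is Tomcat's Connector attribute for choosing the key when a keystore holds more than one.

```python
import re

# Constructed sample of `keytool -list -v` output for a keystore that still
# holds the shipped "ibm-team" key pair and into which the new certificate was
# imported as a trusted certificate (the result of the steps above). Not
# captured from a real server.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: IBMJCE

Your keystore contains 2 entries

Alias name: ibm-team
Creation date: Jun 5, 2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Jazz, O=IBM
Issuer: CN=localhost, OU=Jazz, O=IBM

*******************************************
*******************************************

Alias name: tomcat
Creation date: Jul 9, 2008
Entry type: trustedCertEntry

Owner: CN=jazz.example.test, O=Example
Issuer: CN=Example CA, O=Example

*******************************************
*******************************************
"""

# Entry types that carry a private key and can therefore terminate TLS.
PRIVATE_KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}


def parse_listing(text: str) -> dict:
    """Map alias -> entry type from `keytool -list -v` output."""
    entries = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1).strip()
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)
    return entries


def usable_server_aliases(entries: dict) -> list:
    """Aliases whose entry holds a private key (sorted for stable output)."""
    return sorted(a for a, t in entries.items() if t in PRIVATE_KEY_TYPES)


def diagnose(entries: dict, wanted_alias: str) -> dict:
    """Explain whether Tomcat can serve with `wanted_alias` from this keystore."""
    findings = []
    entry_type = entries.get(wanted_alias)
    if entry_type is None:
        findings.append(f"alias {wanted_alias!r} is not in the keystore")
    elif entry_type not in PRIVATE_KEY_TYPES:
        findings.append(f"alias {wanted_alias!r} is a {entry_type}: it holds a certificate "
                        "only; import the key pair (for example via PKCS12), not the exported certificate")
    keyed = usable_server_aliases(entries)
    if len(keyed) > 1:
        findings.append(f"several key entries ({', '.join(keyed)}); set keyAlias on the "
                        "Connector, otherwise the first one found is used")
    if keyed and wanted_alias not in keyed:
        findings.append(f"the server will answer with {keyed[0]!r}, not {wanted_alias!r}")
    return {"ok": not findings, "key_aliases": keyed, "findings": findings}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(parsed)
    print(diagnose(parsed, "tomcat"))
```

Feed it the real listing with `keytool -list -v -keystore ibm-team-ssl.keystore` piped to a file; the "holds a certificate only" finding is exactly the situation in which the server keeps presenting the old ibm-team certificate even though the import succeeded.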

Gary Dang (59328855) | answered Jul 09 '08, 11:37 a.m.
Thanks, Richard. I tried that and that did not help, but not sure why.

I eventually ended up creating a brand new keystore and that was working for a testing project. I will try to test the new procedure on another project.

One thing to keep in mind was that the RSA algorithm cannot be specified when creating new keystores.

I think this is something very common when setting up an RTC server. I wish IBM would do better documentation and testing from a user perspective. Thanks.

Richard Backhouse (6661) | answered Jul 09 '08, 12:32 p.m.
JAZZ DEVELOPER
Gary,

Another thing to try if possible is to use a Sun JVM. You will need to modify the SSL Connector to change the sslProtocol attribute to "TLS" and remove the algorithm attribute. That will show if the IBM JVM is the culprit.

Richard
Jazz Web UI and Server Development

Gary Dang (59328855) | answered Jul 09 '08, 4:13 p.m.
Thank you, Richard, for all your comments and help. Right now, I will stay with the IBM JVM and create a new keystore for each RTC deployment. This may not be ideal, but it seems to work and lets us bring a few projects alive. Of course, if IBM can document the best practices in this area and test them, that will be great. I may play around with what you suggested later on as well. Thanks again.

Richard Backhouse (6661) | answered Jul 09 '08, 4:59 p.m.
JAZZ DEVELOPER
Gary,

If you get a chance, can you document the issues you have seen in a WorkItem?

Thanks
Richard
Jazz Web UI and Server Development
