ConfigureCACertificateIn703 < Deployment

Engineering Lifecycle Management Wiki - Deployment
Community information and contribution guidelines
TWiki > Deployment Web > DeploymentAdminstering > ConfigureCACertificates > ConfigureCACertificateIn703
Revision 10 - 2024-01-08 - 08:10:41 - Main.rschoon
<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure CA and Self-Signed Certificates in Liberty or IHS for ELM Applications 7.0.3  
%DKGRAY% Authors: Main.ShradhaSrivastav <br>
Build basis: ELM 7.0.3
%ENDCOLOR%</div></sticky>

<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>

<sticky><div style="margin:15px;"></sticky>

ELM 703 is shipped with *Java 11 which no longer ship Ikeyman utility* to manage certificate and keystore using GUI.

This article will share sample commands that can be used in place of ikeyman to create or generate new keystore and manage CA certificates.

---++ *Understanding SSL Certificates*

All applications which run on HTTPS via the web require a Security Certificate, or Public Key Certificate. This is used to validate that the data is coming from a trusted source. The security certificate bundled with the Jazz Team Server and ELM applications is signed to localhost. As soon as the application is accessed with a URL other than localhost (for example, hostname or IP address), the browser will present the following errors:  <br />
   * The security certificate presented by this website was not issued by a trusted certificate authority.
   * The security certificate presented by this website was issued for a different website's address.
 <br />
These errors occur because:
   * The security certificate was self-signed, meaning that the server being accessed created the certificate, and
   * The security certificate was created for localhost, and you are accessing the server using a different hostname, IP address or the appropriate Public URI.
<br />
In order to resolve these errors, you can:
   * Purchase a certificate from a well-known trusted Certificate Authority and install it.
   * If you do not need encryption, configure the server for HTTP rather than HTTPS access.
   * Configure the browser to ignore or accept this invalid certificate

In this article we will provide a guide on how to configure CA Certificate purchased from well-known Authority or internal CA certificate.
---++ *Configure Liberty Profile*
The Application server needs to be configured to pick up a valid certificate. For Liberty Profile, the certificate needs to be configured in the file
<verbatim>[ServerInstallDir]\JazzTeamServer\server\liberty\servers\clm\server.xml</verbatim> The entry [[https://openliberty.io/docs/latest/reference/config/keyStore.html][keystore]] is, where the certificate is configured. By default,
the entry looks like

<verbatim><keyStore id="defaultKeyStore" location="ibm-team-ssl.p12" type="PKCS12" password="{xor}Nj0ycis6PjI="/></verbatim>

The location defines the path and name of the keystore. The keystore shipped with the product <verbatim>[ServerInstallDir]\JazzTeamServer\server\liberty\servers\clm\resources\security\ibm-team-ssl.p12</verbatim>
Please see the [[https://openliberty.io/docs/latest/reference/config/keyStore.html][documentation for the keystore entry]] for more options. You can change the path to a different keystore file. You can
place your keystore file into the same folder and just rename the location. The password is encrypted. 
The type of the keystore can be different based on choice e.g. PKCS12 or JKCS. See the documentation. It is best practice to always provide the keystore type when operation on the keystore.

After changing the server.xml settings restart the server.

---+++  Encrypt the password for a new key store

If you use a *new keystore*, the keystore is created with a password. The password has to be provided in the keystore entry. You can encrypt the password to be able to put it input the server.xml. See the description [[https://www.ibm.com/support/pages/how-encrypt-passwords-elm-configuration-files][how to encrypt the password]]. See the image below.

<img src="%ATTACHURLPATH%/2.png" alt="2.png" width="960" height="95" />

---++ *Server name for the certificate*
The certificate needs to contain the information about the server name. The server name is usually a unique name containing the fully qualified domain name. Examples would be

   * elmserv1.fyre.ibm.com
   * elm.example.com

To provide the server name as command line parameter *-dname* the above examples are provided this way:

   * elmserv1.fyre.ibm.com equals to <verbatim>-dname CN=elmserv1,DC=fyre,DC=ibm,DC=com</verbatim>
   * elm.example.com  equals to <verbatim>-dname CN=elm,DC=example,DC=com</verbatim>

---++ *keytool command*

The new tool for working with certificates is *keytool*. The keytool can be found in a Java JRE folder. As an example it is shipped with ELM server in the folder
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\</verbatim>. 

Tip: To work with the keytool copy the path to the keytool and keep it in an editor. Open a console in a folder you want to use to store your work. 
You can now use <verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool [Parameters]</verbatim>to run the keytool. The files involved in the work can all be kept in the dedicated folder.
See the next paragraphs for examples how to use *keytool* 

---+++ Create a new keystore with self-signed Certificate 
It is possible to create a self signed certificate. Todays browser will not trust a self signed certificate, but accept it if asked to. A self signed certificate is interesting, because it can be locally created without depending on a Certificate Authority (CA). The command requires several parameters such as the keystore name and type to use. As an example the command below creates a new self signed certificate in the file keystore.p12.
 
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650</verbatim>
You will be prompted for some information such as a password and additional data. See an example below. The parameters needed are the password and the name. All other entries can be left blank. The password will be requested twice, if the keystore does not exist.

<pre>
Password: *********
What is your first and last name? elmserv1.fyre.ibm.com
What is the name of your organizational unit? SW
What is the name of your organization? IBM
What is the name of your City or Locality? Rochester
What is the name of your State or Province? Massachusetts
</pre>

To avoid having to deal with the prompt, it is possible to provide the parameters required in the command. The example below will perform the creation without prompt.

<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -genkey -dname CN=elmserv1,DC=fyre,DC=ibm,DC=com -alias default -keyalg RSA -keysize 2048 -validity 3650 -storetype PKCS12 -keystore keystore.p12 -storepass *********  </verbatim>

 <br />
     <img src="%ATTACHURLPATH%/SelfSigned1.png" alt="SelfSigned1.png" width="1136" height="147" />

This concludes the creation of the self signed certificate. The certificate is now in the keystore *keystore.p12*. After creating (or updating) the keystore, configure the application server to use it by updating the server.xml file as suggested above.

---+++  To Configure A CA Certificate
For a real certificate that is also trusted by servers and browsers, it is necessary to request a certificate from a CA. Then this request is sent to a CA and the CA provides the valid certificate to you. 
 
---++++ Generate certificate Request<br>

To get a CA Certificate you have to generate a certificate request from your keystore. See an example below. The generated file certreq.csr is later used with your CA to receive the final certificate.
How the process works is dependent on the CA. 

<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -certreq -alias default -keyalg RSA -file certreq.csr -storetype PKCS12 -keystore keystore.p12 -storepass *********  </verbatim>

 
See more examples below.

<pre>

keytool -keystore keystore.p12 -certreq -alias default -keyalg RSA -file certreq.csr -storepass 123456
</pre>
<img src="%ATTACHURLPATH%/4.png" alt="4.png" width="1000" height="100" /> <br /><br/>
 <img src="%ATTACHURLPATH%/5.png" alt="5.png" width="1000" height="90" />

---++++ Use the certificate request with the CA authority

The generated file certreq.csr is used with your CA to receive the final certificate. How the process works is dependent on the CA. 

---++++ Import/Receive Certificate and Add it to Keystore
The CA provides with a *signed or CA certificate* for the server. The *signed or CA certificate* is received or can be downloaded. Obtain the *signed or CA certificate*. There can be different formats and file names. In this case the certificate is a file named *cert.der*

The CA also provides with 
   * A root certificate
   * An intermediate certificate. 

The *signed or CA certificate*, the *root* and the *intermediate* certificate need to be added to the keystore. This is done using an import operation. 
Import the *Intermediate certificate first* --> then the *root certificate* --> and then the *signed or CA certificate*. See the example below.


<verbatim>
[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -import -alias inter -file caintermediatecert.der -keystore keystore.p12  -storepass *********  
[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -import -alias root -file carootcert.der -keystore keystore.p12 -storepass *********  
[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -alias default -file cert.der -keystore keystore.p12 -storepass *********  
</verbatim>


<br /><br /><img src="%ATTACHURLPATH%/6.png" alt="6.png" width="900" height="100" /> <br /><br /><img src="%ATTACHURLPATH%/7.png" alt="7.png" width="800" height="100" /> <br /><br />


*Note*:- The intermediate and root certificate should have different alias name, but the *signed certificate should be imported with the same alias* that was used while creating a certificate pair. 
After importing all three certificates you should see : *"Certificate reply was installed in keystore"* message.

---++ *Using IKEYCMD CLI*

As IBM HTTP Server (IHS) still bundles Java 8, you can use ikeyman(GUI) or gskcmd (also known as iKeycmd) to manage certificate and keystores.

For more please refer to [[https://jazz.net/wiki/bin/view/Deployment/ConfigureCACertificates][ConfigureCACertificates]]

---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]], [[https://www.ibm.com/docs/en/sdk-java-technology/8?topic=guide-keytool][Keytool Guide]]

---+++++!! External links:          

   * [[https://www.ibm.com][IBM]]

---+++++!! Additional contributors: Main.ShradhaSrivastav, [[Main.RalphSchoon][Ralph Schoon]]
<sticky></div></sticky>
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.