Engineering Lifecycle Management Wiki - Deployment
Revision 1 - 2023-12-04 - 05:45:21 - ShradhaSrivastav
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure CA and Self-Signed Certificates in Liberty for ELM Applications 7.0.3
<img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/new.png" alt="new.png" width="50" height="50" align="right">
%DKGRAY% Authors: Main.ShradhaSrivastav <br> Build basis: ELM 7.0.3 %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

ELM 7.0.3 ships with Java 11, which no longer includes the iKeyman utility for managing certificates and keystores through a GUI. This article provides sample commands that can be used in place of iKeyman to create a new keystore and manage CA certificates.

---++ *Understanding SSL Certificates*

All applications that serve HTTPS require a security certificate (public key certificate). It is used to validate that the data comes from a trusted source. The security certificate bundled with the Jazz Team Server and ELM applications is issued to localhost. As soon as the application is accessed with a URL other than localhost (for example, a hostname or IP address), the browser presents the following errors:

   * The security certificate presented by this website was not issued by a trusted certificate authority.
   * The security certificate presented by this website was issued for a different website's address.

These errors occur because:

   * The security certificate is self-signed, meaning that the server being accessed created the certificate, and
   * The security certificate was created for localhost, and you are accessing the server using a different hostname, IP address or the Public URI.

To resolve these errors, you can:

   * Purchase a certificate from a well-known trusted Certificate Authority and install it.
   * If you do not need encryption, configure the server for HTTP rather than HTTPS access.
   * Configure the browser to ignore or accept this invalid certificate.

This article explains how to configure a CA certificate purchased from a well-known authority or issued by an internal CA.

---++ *Using keytool command*

---+++ Create Keystore (Optional, if an existing keystore is not used)

   a. Create a new keystore with a self-signed certificate. Open a command prompt in the same directory as the Java keytool; alternatively, specify the full path of keytool in your command. Pay close attention to the alias you specify in this command, as it will be needed later on.
   a. Provide the file name and path to the file.

<img src="%ATTACHURLPATH%/1.png" alt="1.png" width="440" height="196" />

---+++ Update server.xml (Only for Liberty) to point to the new keystore (Optional, only if a new keystore is created)

   a. Update server.xml, located at !JazzTeamServer\server\liberty\servers\clm, to point to the new keystore file, type and password.
   a. If the type selected while creating the keystore is pk12, the type will be PKCS12; for jks, the type will be JKS.
   a. Restart the server for the changes to take effect.

<img src="%ATTACHURLPATH%/2.png" alt="2.png" width="705" height="59" />

---+++ To Create A Self-Signed Certificate

   a. Open the ikeyman (GUI) utility located at JazzTeamServer\server\jre\bin.
   a. Key Database File -> Open -> browse to the keystore file and enter the password to open the file.
   a. Click Create -> New Self-Signed Certificate and fill in the required details.
   a. Restart the server for the changes to take effect.

<img src="%ATTACHURLPATH%/3.png" alt="3.png" width="498" height="279" />
<br /><br />
<img src="%ATTACHURLPATH%/4.png" alt="4.png" width="530" height="141" />
<br /><br />
<img src="%ATTACHURLPATH%/5.png" alt="5.png" width="435" height="549" />

---+++ To Configure A CA Certificate

---++++ Generate certificate request

   a. Open the keystore database file using ikeyman.
   a. Click Create -> New Certificate Request and fill in the necessary details.

<img src="%ATTACHURLPATH%/6.png" alt="6.png" width="540" height="139" />
<br /><br />
<img src="%ATTACHURLPATH%/7.png" alt="7.png" width="495" height="576" />

---++++ Send the generated certificate request to the CA

---++++ Receive Certificate and Add it to Keystore

   a. Open the keystore database file using ikeyman.
   a. Select *Personal Certificates*.
   a. Click Receive -> browse to the certificate received.

<img src="%ATTACHURLPATH%/8.png" alt="8.png" width="602" height="170" />
<br /><br />
<img src="%ATTACHURLPATH%/9.png" alt="9.png" width="586" height="140" />
<br /><br />
<img src="%ATTACHURLPATH%/10.png" alt="10.png" width="276" height="140" />

---++++ Add Intermediate and Root certificate

_In case the intermediate certificate is not included in the certificates received, or the CA is not trusted (internal CA), add them explicitly under Signers._

   a. Open the keystore database file using ikeyman.
   a. Switch to *Signer Certificates*.
   a. Click Add -> browse to the intermediate/root certificate.
   a. Enter a label in the dialog box.

---++ *Using IKEYCMD CLI*

%ORANGE% Installation paths for each component: %ENDCOLOR%
<pre>
For CLM Liberty use <b>ikeycmd</b>: JazzTeamServerInstall\server\jre\bin
For IBM HTTP Server use <b>gskcmd</b>: IHSinstall_root\bin
</pre>

---+++ Create !Keystore (Optional, if an existing keystore is not used)
<pre>
ikeycmd -keydb -create -db <filename>.kdb -pw <passwd> -type cms -expire <days> -stash <filename>.sth
</pre>
Win: <br />
<img src="%ATTACHURLPATH%/cmd1.png" alt="cmd1.png" width="602" height="34" />
<br />
Linux: <br />
<img src="%ATTACHURLPATH%/linux1.PNG" alt="linux1.PNG" width="880" height="26" />

---+++ Update server.xml (Only for Liberty) to point to the new keystore (Optional, only if a new keystore is created)

<img src="%ATTACHURLPATH%/cmd2.png" alt="cmd2.png" width="602" height="41" />

---+++ Create Self-Signed certificate
<pre>
ikeycmd -cert -create -db <filename> -pw <password> -label <label> -dn <distinguished_name> -size <key_size> -expire <days> -sig_alg <algorithm> -default_cert <yes | no>
</pre>
Win: <br />
<img src="%ATTACHURLPATH%/cmd3.png" alt="cmd3.png" width="626" height="42" />
<br />
Linux: <br />
<img src="%ATTACHURLPATH%/linux2.PNG" alt="linux2.PNG" width="925" height="55" />

---+++ Configure CA Certificate

---++++ Generate certificate request
<pre>
ikeycmd -certreq -create -db <filename>.kdb -pw <password> -label <label> -dn <distinguished_name> -size <key_size> -file <csrfilename>.arm -sig_alg <algorithm>
</pre>
Win: <br />
<img src="%ATTACHURLPATH%/cmd4.png" alt="cmd4.png" width="628" height="53" />
<br />
Linux: <br />
<img src="%ATTACHURLPATH%/linux3.PNG" alt="linux3.PNG" width="888" height="53" />

---++++ Send the generated certificate request to the CA

---++++ Receive Certificate and Add it to Keystore
<pre>
ikeycmd -cert -receive -file <ca_cert_file> -db <filename>.kdb -pw <passwd> -format <ascii | binary> -default_cert <yes | no>
</pre>
Win: <br />
<img src="%ATTACHURLPATH%/cmd5.png" alt="cmd5.png" width="652" height="63" />
<br />
Linux: <br />
<img src="%ATTACHURLPATH%/linux4.0.PNG" alt="linux4.0.PNG" width="947" height="55" />

*Note:* If the CA that issued your CA-signed certificate is not a trusted CA in the key database, store the CA certificate first and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA that is not a trusted CA. To add the CA to the trust store, follow the Intermediate and Root certificate section.

---+++ Intermediate and Root certificate

In case of a chain with intermediate certificates, add them to the Signers in the keystore:
<pre>
ikeycmd -cert -add -db <filename>.kdb -pw <passwd> -label <label> -format <ascii | binary> -trust <enable | disable> -file <rootcert>
</pre>
<img src="%ATTACHURLPATH%/linux4.1.PNG" alt="linux4.1.PNG" width="890" height="54" />

*Additional commands*

To verify that the signer certificates were imported successfully, run the following command:
<pre>
./gskcmd -cert -list CA -db <filename>.kdb -pw <passwd>
</pre>

Display a list of certificates in a key database:
<pre>
./gskcmd -cert -list -db <filename>.kdb -pw <passwd>
</pre>
<img src="%ATTACHURLPATH%/linux5.1.PNG" alt="linux5.1.PNG" width="557" height="146" />

If the existing certificate in the keystore has expired and a new certificate request needs to be created, you can use the command below to recreate the request; it reuses the details from the previously created certificate request:
<pre>
./gskcmd -certreq -recreate -type cms -db <filename>.kdb -pw <passwd> -label <label> -target <csrfilename>.arm
</pre>
Note: The label needs to be the same as the original certificate request, which can be found using the list command. Example:
<pre>
./gskcmd -certreq -recreate -type cms -db ihskeys.kdb -pw secret -label caelm -target newreq.arm
</pre>

Reference: https://www.ibm.com/support/knowledgecenter/SSEQTJ_9.0.5/com.ibm.websphere.ihs.doc/ihs/rihs_ikeycmdsyn.html

*For Chrome*

When an internal CA is used, Chrome may still display the certificate warning when accessing the application because of stricter certificate checks added to Chrome. To fix that, follow the steps in the link below:
https://www.techrepublic.com/article/how-to-resolve-ssl-certificate-warnings-produced-by-the-latest-chrome-update/

---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]

---+++++!! Additional contributors: Main.ShradhaSrivastav, Main.BharathRao

<sticky></div></sticky>
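The server.xml step above asks you to point Liberty at the new keystore file with the matching type and password, and a wrong type is a common reason the server fails to start after the change. As an added example that is not part of the original article, the following Python check parses Liberty `<keyStore>` entries, inspects the keystore file header (0xFEEDFEED for JKS, a DER SEQUENCE for PKCS12) and flags a type/format mismatch or a clear-text password (Liberty's securityUtility encode produces `{xor}` or `{aes}` values). The XML fragment, file names and header bytes are constructed sample data.

```python
"""Consistency check for Liberty <keyStore> entries against the keystore files they name."""
import xml.etree.ElementTree as ET

# File-format signatures at offset 0 (assumption: the keystore is either JKS or PKCS12).
JKS_MAGIC = b"\xfe\xed\xfe\xed"        # Java KeyStore files begin with 0xFEEDFEED
DER_SEQUENCE = 0x30                    # a PKCS#12 file is a DER-encoded SEQUENCE
ENCODED_PREFIXES = ("{xor}", "{aes}")  # produced by Liberty's securityUtility encode


def detect_keystore_type(header: bytes) -> str:
    """Classify a keystore from its first bytes: JKS, PKCS12 or UNKNOWN."""
    if header.startswith(JKS_MAGIC):
        return "JKS"
    if header and header[0] == DER_SEQUENCE:
        return "PKCS12"
    return "UNKNOWN"


def check_keystore_config(server_xml: str, header_by_location: dict) -> list:
    """Return findings for each <keyStore> whose declared type or password looks wrong.

    header_by_location maps the location attribute to the first bytes of that file;
    on a live server you would fill it with open(path, "rb").read(4).
    """
    findings = []
    for ks in ET.fromstring(server_xml).iter("keyStore"):
        ks_id = ks.get("id", "?")
        location = ks.get("location", "")
        declared = ks.get("type")
        actual = detect_keystore_type(header_by_location.get(location, b""))
        if actual == "UNKNOWN":
            findings.append(f"{ks_id}: cannot identify keystore format of '{location}'")
        elif declared and declared.upper() != actual:
            findings.append(f"{ks_id}: type='{declared}' but '{location}' is a {actual} file")
        password = ks.get("password", "")
        if password and not password.startswith(ENCODED_PREFIXES):
            findings.append(f"{ks_id}: password is clear text; encode it with securityUtility")
    return findings


# Constructed sample data (not from the article): one mis-declared entry, one correct one.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="clm-keystore.p12" type="JKS" password="changeit"/>
  <keyStore id="fixedKeyStore" location="clm-fixed.p12" type="PKCS12" password="{xor}KzosKw=="/>
</server>"""
SAMPLE_HEADERS = {
    "clm-keystore.p12": b"\x30\x82\x0c\x5a",  # DER SEQUENCE: the file is really PKCS12
    "clm-fixed.p12": b"\x30\x82\x10\x00",
}

if __name__ == "__main__":
    for finding in check_keystore_config(SAMPLE_SERVER_XML, SAMPLE_HEADERS):
        print(finding)
```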
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.