Revision 6 - 2023-12-11 - 12:10:35 - Main.rschoon
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure CA and Self-Signed Certificates in Liberty or IHS for ELM Applications 7.0.3
<img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/uc.png" alt="uc.png" width="50" height="50" align="right">
%DKGRAY% Authors: Main.ShradhaSrivastav <br> Build basis: ELM 7.0.3 %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

ELM 7.0.3 ships with *Java 11, which no longer includes the iKeyman utility* for managing certificates and keystores through a GUI. This article gives sample *keytool* commands that can be used in place of iKeyman to create a new keystore and to manage CA certificates.

---++ *Understanding SSL Certificates*

Every application served over HTTPS needs a security certificate (public key certificate). The certificate binds the server's public key to the server's name, so that a browser can verify it is talking to the intended server and not to something sitting in between; the encryption of the session is only as trustworthy as that check.

The certificate bundled with the Jazz Team Server and the ELM applications is a self-signed certificate issued for localhost. As soon as the application is accessed with any other URL (for example, the host name or the IP address), the browser reports one or both of the following errors:

   * The security certificate presented by this website was not issued by a trusted certificate authority.
   * The security certificate presented by this website was issued for a different website's address.
These errors occur because:

   * the certificate is self-signed, meaning the server you are accessing created the certificate itself instead of having a trusted Certificate Authority (CA) sign it, and
   * the certificate was created for localhost, while you are accessing the server through a different host name, IP address or the Public URI.

To resolve these errors you can:

   * Purchase a certificate from a well-known trusted Certificate Authority, or have your organization's internal CA issue one, and install it.
   * Configure the server for HTTP rather than HTTPS access. Only do this if you genuinely need no encryption: over HTTP, user credentials and session cookies cross the network in clear text.
   * Configure the browser to ignore or accept the invalid certificate. This disables the browser's only protection against a forged server, so it is acceptable for a throwaway test installation at most.

This article describes how to configure a CA certificate purchased from a well-known authority or issued by an internal CA.

---++ *Configure Liberty Profile*

The application server must be configured to pick up the valid certificate. For the Liberty profile, the certificate is configured in the file
<verbatim>[ServerInstallDir]\JazzTeamServer\server\liberty\servers\clm\server.xml</verbatim>
The [[https://openliberty.io/docs/latest/reference/config/keyStore.html][keyStore]] element is where the certificate is configured. By default the entry looks like this:
<verbatim><keyStore id="defaultKeyStore" location="ibm-team-ssl.p12" type="PKCS12" password="{xor}Nj0ycis6PjI="/></verbatim>
The location is the path and file name of the keystore. A relative location is resolved against the server's resources/security directory, so the keystore shipped with the product is
<verbatim>[ServerInstallDir]\JazzTeamServer\server\liberty\servers\clm\resources\security\ibm-team-ssl.p12</verbatim>
See the [[https://openliberty.io/docs/latest/reference/config/keyStore.html][documentation for the keyStore element]] for more options. You can point the location at a different keystore file, or place your keystore in the same folder and change only the file name. The password is stored in Liberty's encoded form. Note that the {xor} prefix marks a simple, reversible obfuscation rather than encryption: anyone who can read server.xml can recover the keystore password, so restrict the file permissions on server.xml accordingly. The type of the keystore depends on what you created, for example PKCS12 or JKS; see the documentation.
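The following script is an added example and not part of the original article or of the ELM product. It shows what the {xor} value in the default keyStore entry above actually is: Liberty's xor encoding XORs every byte of the password with 0x5F (the character =_=) and base64-encodes the result. Decoding the shipped value =password="{xor}Nj0ycis6PjI="= recovers the default keystore password, which is why a keystore that is still protected by that value should be treated as having no password at all. The script needs only a POSIX shell plus od, base64, tr and sed; the helper names are this example's own. For stronger protection, Liberty's securityUtility can produce an {aes} value (=--encoding=aes=), but the server, and therefore anyone with the server's files, can still decrypt it unless you also set a custom key through the wlp.password.encryption.key property, so file permissions on server.xml remain the real control.

```shell
#!/bin/sh
# Added example, not from the article: decode and re-encode Liberty "{xor}"
# passwords. The encoding XORs each byte with 0x5F ('_') and base64-encodes
# the result; it hides the password from a casual glance, nothing more.
# Assumes only a POSIX shell with od/base64/tr/sed (coreutils); no ELM paths.

# Read raw bytes on stdin, write each byte XOR 0x5F to stdout.
xor_bytes() {
  od -An -v -tu1 | tr -s ' \n' '\n' | sed '/^$/d' | while read -r b; do
    printf "\\$(printf '%03o' $((b ^ 95)))"
  done
}

# "{xor}Nj0ycis6PjI=" -> "ibm-team" (the value shipped in server.xml)
liberty_xor_decode() {
  printf '%s' "$1" | sed 's/^{xor}//' | base64 -d | xor_bytes
}

# "ibm-team" -> "{xor}Nj0ycis6PjI=": the same steps in reverse order
liberty_xor_encode() {
  printf '{xor}%s' "$(printf '%s' "$1" | xor_bytes | base64 | tr -d '\n')"
}

# Audit helper: succeeds when an encoded value is still the shipped default.
is_default_keystore_password() {
  [ "$(liberty_xor_decode "$1")" = "ibm-team" ]
}

# Stand-alone run: recover the shipped value and show the encoding of a value.
liberty_xor_decode '{xor}Nj0ycis6PjI='; echo
liberty_xor_encode 'ibm-team'; echo
```

Run it as =sh xor.sh= to see the shipped password, or source it and call =is_default_keystore_password= on the password attribute of every keyStore element in server.xml after you have switched to your own keystore; a match means the default is still in use.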
It is best practice to always provide the keystore type when operating on the keystore. After changing the server.xml settings, restart the server.

---+++ Encrypt the password for a new key store

If you use a new keystore, the keystore is created with a password, and that password has to be provided in the keyStore entry. You can encode the password so that it does not appear in clear text in server.xml. See the description of [[https://www.ibm.com/support/pages/how-encrypt-passwords-elm-configuration-files][how to encrypt the password]] and the image below.

<img src="%ATTACHURLPATH%/2.png" alt="2.png" width="960" height="95" />

---++ *Server name for the certificate*

The certificate needs to contain the server name. The server name is usually a unique name containing the fully qualified domain name (FQDN). Examples:

   * elmserv1.fyre.ibm.com
   * elm.example.com

To provide the server name on the command line, use the *-dname* parameter. For the examples above:

   * elmserv1.fyre.ibm.com becomes <verbatim>-dname CN=elmserv1,DC=fyre,DC=ibm,DC=com</verbatim>
   * elm.example.com becomes <verbatim>-dname CN=elm,DC=example,DC=com</verbatim>

Note that current browsers match the host name against the certificate's subject alternative name (SAN) extension and no longer fall back to the CN. A certificate for real use must therefore also carry the FQDN as a SAN; a public or internal CA normally adds it when signing your request.

---++ *keytool command*

The tool for working with certificates is *keytool*. It is part of every Java JRE; the ELM server ships it in the folder
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\</verbatim>
Tip: copy the path to keytool and keep it in an editor. Open a console in a folder you want to use to store your work. You can then run
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool [Parameters]</verbatim>
and keep all files involved in the work in that dedicated folder. The following paragraphs show examples of how to use *keytool*.

---+++ Create a new keystore with self-signed Certificate

It is possible to create a self-signed certificate.
Today's browsers will not trust a self-signed certificate, but accept it if asked to. A self-signed certificate is interesting because it can be created locally without depending on a Certificate Authority (CA). The command requires several parameters such as the keystore name and type. As an example, the command below creates a new self-signed certificate in the file keystore.p12:
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650</verbatim>
You will be prompted for some information such as a password and additional data; see the example below. The entries that matter are the password and the name: the "first and last name" prompt fills the CN, so enter the server's FQDN there. All other entries can be left blank. The password is requested twice if the keystore does not exist yet.
<pre>
Password: *********
What is your first and last name?
  elmserv1.fyre.ibm.com
What is the name of your organizational unit?
  SW
What is the name of your organization?
  IBM
What is the name of your City or Locality?
  Rochester
What is the name of your State or Province?
  Massachusetts
</pre>
To avoid the prompts, the required parameters can be provided on the command line. The example below creates the keystore without prompting:
<verbatim>[ServerInstallDir]\JazzTeamServer\server\jre\bin\keytool -genkey -dname CN=elmserv1,DC=fyre,DC=ibm,DC=com -alias default -keyalg RSA -keysize 2048 -validity 3650 -storetype PKCS12 -keystore keystore.p12 -storepass *********</verbatim>
Keep in mind that a password passed as a command-line argument ends up in the shell history and is visible to other users in the process list while the command runs; for a production keystore, let keytool prompt for it or supply it with the -storepass:file or -storepass:env variants of the option.
<br />
<img src="%ATTACHURLPATH%/SelfSigned1.png" alt="SelfSigned1.png" width="1136" height="147" />

After creating (or updating) the keystore, configure the application server to use it.

---+++ To Configure A CA Certificate

For a real certificate that is also trusted by other servers and by browsers, it is necessary to generate a certificate request from your keystore. This request is sent to a CA, and the CA returns the signed certificate to you.
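The script below is an added example, not part of the original article or of the ELM product. It runs the request, signing, import and verification cycle described in the following sections end to end, using keytool itself as a throwaway two-tier CA (a root and an intermediate) so that the import sequence and the final chain check can be rehearsed before a real CA is involved. Everything not taken from the article is an assumption of the example: keytool on the PATH (on an ELM host set KEYTOOL to the bundled [ServerInstallDir]/JazzTeamServer/server/jre/bin/keytool), the placeholder host name and password, the file names ca.p12 and inter.csr, and the =fqdn_to_dname=, =chain_length= and =make_chain= helpers. In production, root.cer, intermediate.cer and signedcert.cer come from your CA, and the SAN is set by the CA, not by you.

```shell
#!/bin/sh
# Added example, not from the article: CSR -> CA -> import -> verify, end to end,
# with keytool acting as a throwaway root + intermediate CA.
# Assumptions (not from the article): keytool on PATH or in $KEYTOOL, HOST and
# PASS are placeholders, ca.p12 stands in for the real CA.
set -e
KEYTOOL="${KEYTOOL:-keytool}"
PASS="${PASS:-changeit}"
HOST="${HOST:-elm.example.com}"

# elm.example.com -> CN=elm,DC=example,DC=com, the article's -dname convention.
fqdn_to_dname() {
  dn="CN=${1%%.*}"
  rest="${1#*.}"
  if [ "$rest" != "$1" ]; then
    old_ifs=$IFS; IFS=.
    for label in $rest; do dn="$dn,DC=$label"; done
    IFS=$old_ifs
  fi
  printf '%s' "$dn"
}

# Prints the "Certificate chain length" keytool reports for one key entry.
# 1 means the reply was stored without its chain: clients cannot validate it.
chain_length() {  # $1 keystore file, $2 alias
  "$KEYTOOL" -list -v -alias "$2" -keystore "$1" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Creates keystore.p12 for $HOST in directory $1 and prints the chain length.
make_chain() {
  workdir="${1:-.}"
  dname="$(fqdn_to_dname "$HOST")"
  (
    set -e
    cd "$workdir"
    rm -f ca.p12 keystore.p12 inter.csr certreq.csr root.cer intermediate.cer signedcert.cer

    # --- throwaway CA: a self-signed root and an intermediate signed by it ---
    "$KEYTOOL" -genkeypair -alias root -dname "CN=Example Test Root" -keyalg RSA -keysize 2048 \
      -ext bc:c -validity 3650 -storetype PKCS12 -keystore ca.p12 -storepass "$PASS" -keypass "$PASS"
    "$KEYTOOL" -genkeypair -alias inter -dname "CN=Example Test Issuing CA" -keyalg RSA -keysize 2048 \
      -validity 1825 -storetype PKCS12 -keystore ca.p12 -storepass "$PASS" -keypass "$PASS"
    "$KEYTOOL" -certreq -alias inter -file inter.csr -keystore ca.p12 -storepass "$PASS"
    "$KEYTOOL" -gencert -alias root -infile inter.csr -outfile intermediate.cer -rfc -ext bc:c \
      -validity 1825 -keystore ca.p12 -storepass "$PASS" -keypass "$PASS"
    "$KEYTOOL" -importcert -alias inter -file intermediate.cer -keystore ca.p12 -storepass "$PASS" -noprompt
    "$KEYTOOL" -exportcert -alias root -rfc -file root.cer -keystore ca.p12 -storepass "$PASS"

    # --- server side: key pair and certificate request (the article's steps) ---
    "$KEYTOOL" -genkeypair -alias default -dname "$dname" -keyalg RSA -keysize 2048 -validity 3650 \
      -storetype PKCS12 -keystore keystore.p12 -storepass "$PASS" -keypass "$PASS"
    "$KEYTOOL" -certreq -alias default -file certreq.csr -keystore keystore.p12 -storepass "$PASS"

    # --- CA side: sign the request; the SAN is what browsers match the host name against ---
    "$KEYTOOL" -gencert -alias inter -infile certreq.csr -outfile signedcert.cer -rfc \
      -ext "SAN=DNS:$HOST" -validity 397 -keystore ca.p12 -storepass "$PASS" -keypass "$PASS"

    # --- server side: trust anchors first (root, then intermediate), then the reply under the key's alias ---
    "$KEYTOOL" -importcert -alias root -file root.cer -keystore keystore.p12 -storepass "$PASS" -noprompt
    "$KEYTOOL" -importcert -alias inter -file intermediate.cer -keystore keystore.p12 -storepass "$PASS" -noprompt
    "$KEYTOOL" -importcert -alias default -file signedcert.cer -keystore keystore.p12 -storepass "$PASS" -noprompt
  ) >/dev/null
  chain_length "$workdir/keystore.p12" default
}

# Stand-alone run: sh chain.sh run [workdir]
if [ "${1:-}" = "run" ]; then
  printf 'chain length for %s: %s\n' "$HOST" "$(make_chain "${2:-.}")"
fi
```

Two points of the example differ deliberately from a copy-and-paste of the steps below. First, it imports the root before the intermediate: keytool verifies each imported certificate against what the keystore already trusts, so this order never triggers the "Trust this certificate?" question, and =-noprompt= is only safe here because the root was just generated locally; for a certificate received from a CA, check its fingerprint with =keytool -printcert -file root.cer= against the value the CA publishes before trusting it. Second, the success message "Certificate reply was installed in keystore" is not the check that matters; the chain length reported by =keytool -list -v= for the key alias is. Three means server certificate, intermediate and root (recent JDKs append the root they find in the keystore), two means at least the intermediate is attached, and one means the reply was stored bare and browsers will be unable to build the chain.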
In addition to your certificate

---++++ Generate certificate Request

To get a CA certificate you have to generate a certificate signing request (CSR) from your keystore. Use the alias that was chosen when the key pair was created (default in the examples); the keystore password (123456 stands for the password chosen when the keystore was created) is needed to access the key:
<pre>
keytool -certreq -alias default -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass 123456
</pre>
<img src="%ATTACHURLPATH%/4.png" alt="4.png" width="1000" height="100" />
<br /><br/>
<img src="%ATTACHURLPATH%/5.png" alt="5.png" width="1000" height="90" />

---++++ Send the certificate request generated to CA authority

Send the file certreq.csr to the CA. The request contains only the public key and the name; the private key never leaves the keystore.

---++++ Import/Receive Certificate and Add it to Keystore

   a. After the certificate is received from the authority, import the certificates into the keystore.
   a. Import the *intermediate certificate first* --> then the *root certificate* --> and then the *signed certificate* (the certificate reply for your key):
<pre>
keytool -import -alias inter -file intermediate.cer -keystore keystore.p12 -storepass 123456
keytool -import -alias root -file root.cer -keystore keystore.p12 -storepass 123456
keytool -import -alias default -file signedcert.cer -keystore keystore.p12 -storepass 123456
</pre>
keytool checks each imported certificate against the certificates the keystore already trusts (and, with -trustcacerts, against the JRE's cacerts). If it cannot establish that trust, as happens for the intermediate when the root is not yet present, it asks whether to trust the certificate anyway; answer yes only after comparing the fingerprint it shows with the one the CA publishes, or import the root first to avoid the question.
<br /><br /><img src="%ATTACHURLPATH%/6.png" alt="6.png" width="900" height="100" />
<br /><br /><img src="%ATTACHURLPATH%/7.png" alt="7.png" width="800" height="100" />
<br /><br />
*Note*: the intermediate and root certificates must have alias names of their own, while the signed certificate must be imported with the same alias that was used when the key pair was created; only then does keytool treat it as a certificate reply and attach the chain to the private key. After importing all three certificates you should see the message *"Certificate reply was installed in keystore"*.

---+++ Backup

Open a command prompt in the same directory as the Java keytool; alternatively, specify the full path of keytool in your command. Pay close attention to the alias you specify in this command, as it is needed later on.
<pre>
keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650 -dname CN=elm7031,DC=fyre,DC=ibm,DC=com
</pre>
<img src="%ATTACHURLPATH%/1.png" alt="1.png" width="800" height="95" />

---+++ Encrypt the password for the new key store (Optional, only if new keystore is created)

https://www.ibm.com/support/pages/how-encrypt-passwords-elm-configuration-files

<img src="%ATTACHURLPATH%/2.png" alt="2.png" width="960" height="95" />

---+++ Update server.xml (Only for Liberty) to point to new key store (Optional, only if new keystore is created)

   a. Update server.xml, located at !JazzTeamServer\server\liberty\servers\clm, so that the keyStore entry points to the new keystore file and carries its type and password.
   a. The type attribute must match the keystore you created: PKCS12 for a .p12 keystore, JKS for a .jks keystore.
   a. Restart the server for the changes to take effect.

<img src="%ATTACHURLPATH%/3.png" alt="3.png" width="705" height="59" />

---++ *Using IKEYCMD CLI*

IBM HTTP Server (IHS) still bundles Java 8, so there you can continue to use ikeyman (GUI) or gskcmd (also known as iKeycmd) to manage certificates and keystores. For details see [[https://jazz.net/wiki/bin/view/Deployment/ConfigureCACertificates][ConfigureCACertificates]].

---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]], [[https://www.ibm.com/docs/en/sdk-java-technology/8?topic=guide-keytool][Keytool Guide]]
---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
---+++++!! Additional contributors: Main.ShradhaSrivastav
<sticky></div></sticky>