command for importing a keystore into a kdb file - ssl-certificate

I was following the command-line installation of CLM 6.0.5 with Liberty profile (distributed environment) and I could complete the installation part of the application successfully by following the IBM documents.
Also I have installed the IBM HTTP Server on a separate server and now I need to do the SSL certificate import and handshake with the Liberty profile.
The reference link which I am using here: https://jazz.net/wiki/bin/view/Deployment/CLMDistributedSetupUsingLibertyProfile
Part 1 - Create a key database and self-signed certificate for IHS
I completed these steps using the two gskcmd commands below on the command line, and it was successful.
On the IHS machine, open a command terminal and cd to /bin, e.g. /opt/IBM/HTTPServer/bin,
Create the key database
./gskcmd -keydb -create -db ihskeys.kdb -pw xxxxx -expire 3650 -stash -type cms
Create the self-signed certificate for the IHS URL
./gskcmd -cert -create -db ihskeys.kdb -label default -expire 3650 -size 2048 -dn "CN=xxxxx" -default_cert yes -pw xxxxx
But in Part 2 - Setup SSL Handshake between the Liberty profiles and IHS
I couldn't find any proper command-line guidance to do this through commands. From each application server (JTS, CCM, QM, RM) I copied the default keystore files ([JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore)
to the IHS server and I need to import these keystore files into the IHS kdb file through the command line. I tried various options and it keeps failing.
./gskcapicmd -cert -import -db /opt/IBM/HTTPServer/ibm-team-ssl.keystore -pw ibm-team -target /opt/IBM/HTTPServer/key.kdb -target_pw ibm-team
It gives the error "invalid keystore format". My aim here is to import these copied keystore files into the IHS kdb file (under Personal Certificates).

IHS includes two command-line certificate management tools, only the java-based "[IHS Home]/bin/gskcmd" (aka ikeycmd) can read or write *.jks java keystores.


How can I find out where my OpenSSL installation is looking for installed (trusted) certificates?
It is sometimes /etc/ssl/cert, but I have a new system and it is not working with this path.
The default path where certificates are looked up might be different on each platform. You can lookup your system configuration using the following command:
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
This C snippet, compiled against OpenSSL, will tell you:
#include <stdlib.h>
#include <stdio.h>
#include <openssl/x509.h>

int main(void)
{
    const char *dir;
    /* The environment variable (SSL_CERT_DIR) overrides the compiled-in default */
    dir = getenv(X509_get_default_cert_dir_env());
    if (!dir)
        dir = X509_get_default_cert_dir();   /* OPENSSLDIR "/certs" */
    puts(dir);
    return 0;
}
The path you are looking for is the "Directory for OpenSSL files". As #tnbt answered, openssl version -d (or -a) gives you the path to this directory. OpenSSL looks here for a file named cert.pem and a subdirectory certs/. Certificates it finds there are treated as trusted by openssl s_client and openssl verify (source: the article, What certificate authorities does OpenSSL recognize?).
% openssl version -d
OPENSSLDIR: "/opt/local/etc/openssl"
% ls -l /opt/local/etc/openssl/cert*
lrwxr-xr-x 1 root admin 40 29 Nov 02:05 /opt/local/etc/openssl/cert.pem -> /opt/local/share/curl/curl-ca-bundle.crt
% head -10 /opt/local/etc/openssl/cert.pem
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Fri Nov 24 08:00:26 2017 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt). This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
...[rest of file omitted]...
It turns out that the installer which installed OpenSSL on my system also installed cert.pem as a symlink to a bundle of Certificate Authority certificates from the tool cURL. Those in turn came from Mozilla.
You might have nothing installed in this file or directory, or you might have a different set of certificates. This will affect which server certificates OpenSSL verifies.
OpenSSL commands like s_client support, I think since version 1.1, options -no-CAfile and -no-CApath. These let you ignore the certificates in this file and directory respectively, for the duration of one command. (I can't reproduce this because I am still using version 1.0.2, and it lacks those options.)
How can I find out, where my openssl installed is looking for installed certificates (trusted)?
You can't. OpenSSL trusts nothing by default, and it does not go looking for certs. You have to instruct it what to trust. There's even a FAQ topic covering it: Why does <SSL program> fail with a certificate verify error?:
This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL; this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information.
Caf's answer is kind of correct, but OpenSSL does not use it and there's nothing there...
$ grep -R X509_get_default_cert_dir *
...
crypto/x509/x509_def.c:const char *X509_get_default_cert_dir(void)
...
In the above, notice it does not hit on anything in the apps/ directory. apps/ is where all the OpenSSL samples and utilities are, like openssl req, openssl rsa, openssl dsa, openssl x509, openssl sign, openssl verify, etc.
Then:
$ cat crypto/x509/x509_def.c
...
const char *X509_get_default_cert_dir(void)
{ return(X509_CERT_DIR); }
...
$ grep -R X509_CERT_DIR *
crypto/cryptlib.h:#define X509_CERT_DIR OPENSSLDIR "/certs"
And finally:
$ ls /usr/local/ssl/certs/
$
Like I said, it's not used and there's nothing there.
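The same lookup the C snippet and the `ls` check above perform, as an added example that is not part of any answer in this thread: Python's standard-library ssl module wraps X509_get_default_cert_dir/_file and the SSL_CERT_DIR/SSL_CERT_FILE environment overrides, so one function can report which file and directory OpenSSL would consult, whether they exist, and whether the directory is empty (the "nothing there" case). The function name and the `environ` parameter are my own; passing a dict simulates an override without touching the real environment.

```python
"""Report where this Python's OpenSSL would look for trusted CA material.

Added example (not from the original answers). ssl.get_default_verify_paths()
exposes the compiled-in OPENSSLDIR-based defaults together with the names of
the environment variables OpenSSL honours as overrides.
"""
import os
import ssl


def default_trust_locations(environ=None):
    """Return a dict describing the CA file and CA directory OpenSSL would use.

    environ defaults to os.environ; pass a dict to simulate SSL_CERT_FILE /
    SSL_CERT_DIR overrides. Resolution order mirrors the C code above:
    environment variable first, compiled-in default otherwise.
    """
    env = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()

    cafile = env.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = env.get(paths.openssl_capath_env) or paths.openssl_capath

    capath_entries = len(os.listdir(capath)) if os.path.isdir(capath) else 0
    return {
        "cafile_env": paths.openssl_cafile_env,   # normally SSL_CERT_FILE
        "capath_env": paths.openssl_capath_env,   # normally SSL_CERT_DIR
        "cafile": cafile,
        "cafile_exists": os.path.isfile(cafile),
        "capath": capath,
        "capath_exists": os.path.isdir(capath),
        "capath_entries": capath_entries,         # 0 means "nothing there"
        "overridden": (paths.openssl_cafile_env in env
                       or paths.openssl_capath_env in env),
    }


if __name__ == "__main__":
    for key, value in default_trust_locations().items():
        print(f"{key:15} {value}")
```

Note that `ssl.get_default_verify_paths().cafile` and `.capath` are already `None` when the location does not exist on disk, which is exactly the situation the last answer describes; the function above reports the raw path and the existence check separately so the reader can see both.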

configuring TLS CA on Databricks

I am trying to call an ArcGIS service for geocoding from Databricks. The URL needs a certificate which I have copied to Blob storage and am referring to that in the
Verify = "Path to mycertificate"
section of the code.
the certificate is stored in the following location
/dbfs/mnt/tmp/myfolder/mycertificate.pem
When accessing the certificate from the above path I am getting an HTTP error as below
SSLError: HTTPSConnectionPool(host='MyDomain.com', port=443): Max retries exceeded with url: "MyURL" (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)')))
when changing the above certificate path from
/dbfs/...
To
dbfs:/Path/To/Mycertificate
I get the following Error
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: dbfs:/mnt/tmp/path/to/mycertificate.pem
I have also tried the operation with the .pfx file but getting the same error.
Being new to the Certificates in Databricks any help on how to fix the errors and get the service working would be really appreciated.
Also I have googled and referred to many documents to no avail. Nothing is working and it appears I am missing something basic here.
Thanks
To fix this, SSL Certificate needs to be installed on the cluster nodes. For Python this could be two locations:
Linux CA Certificates chain for most of SSL connections
CA Certificates chain that is used by the requests package - provided by certifi package.
You can install the certificates using the following cluster init script that will install your CA certificate in PEM format into all CA certificate chains (Linux/Java/certifi) (you need to put your path /dbfs/.... into the certs variable):
#!/bin/bash
#
# File: install-ssl-certificates.sh
# Author: Alex Ott
# Created: Tuesday, September 28 2021
#
#set -x
# PEM CA certificates to trust, addressed via the /dbfs FUSE mount
declare -a certs=("/dbfs/tmp/myCA.pem" "/dbfs/tmp/myCA2.pem")
mkdir -p /usr/share/ca-certificates/extra
# certifi's bundle (used by requests); empty if certifi is not installed
CERTIFI_HOME="$(python -m certifi 2>/dev/null)"
# JRE home, to reach lib/security/cacerts
J_HOME="$(dirname "$(realpath "$(which java)")")/.."
for cert in "${certs[@]}"; do
  BNAME="$(basename "$cert")"
  echo "cert=$cert BNAME=$BNAME"
  # 1. Linux system trust store
  cp "$cert" "/usr/share/ca-certificates/extra/$BNAME"
  echo "extra/$BNAME" >> /etc/ca-certificates.conf
  # 2. certifi bundle used by the requests package
  if [ -n "$CERTIFI_HOME" ]; then
    cat "$cert" >> "$CERTIFI_HOME"
  fi
  # 3. Java trust store
  keytool -importcert -keystore "${J_HOME}/lib/security/cacerts" -file "$cert" -alias "$(basename "$cert" .pem)" -storepass changeit -noprompt
done
update-ca-certificates
I have found that the firewall was blocking the request. The solution was just to unblock the target IP address on the firewall and provide a certificate location to the ".pem" file in the URL in the format
session.post(url,data=d,verify=\path to my certificate.pemfile)
that resolved the issue.
Thanks
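An added example, not code from either answer above, of the check a practitioner would run on the Databricks driver before handing a path to requests' `verify=`. It covers the two failures the question shows: a `dbfs:/` URI, which is not a local filesystem path (the mapping to the `/dbfs/` FUSE mount is the Databricks convention the question itself uses), and a `.pfx` file, which requests cannot read because it only accepts PEM bundles. The function and demo names are mine, and the PEM/PFX contents written by `demo()` are constructed placeholders, not real certificates.

```python
"""Validate a CA bundle path before passing it to requests(verify=...).

Added example, not part of the original answers. Assumes the Databricks
convention that dbfs:/ paths are mounted locally under /dbfs/.
"""
import os
import re
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(path):
    """Return (local_path, number_of_pem_certs) or raise ValueError.

    - dbfs:/x/y.pem  -> /dbfs/x/y.pem   (local FUSE mount of the same object)
    - missing file   -> ValueError naming the resolved path
    - binary (.pfx)  -> ValueError: requests/certifi only read PEM bundles
    - no PEM blocks  -> ValueError
    """
    if path.startswith("dbfs:/"):
        path = "/dbfs/" + path[len("dbfs:/"):]
    if not os.path.isfile(path):
        raise ValueError(f"CA bundle not found: {path}")
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError(
            f"{path} is not PEM (binary data; a PFX/PKCS#12 file is not "
            "accepted by verify=, convert it to PEM first)")
    count = len(PEM_CERT_RE.findall(text))
    if count == 0:
        raise ValueError(f"{path} contains no PEM certificate blocks")
    return path, count


def demo():
    """Exercise the checks with constructed files; returns the outcomes."""
    workdir = tempfile.mkdtemp()
    pem_path = os.path.join(workdir, "mycertificate.pem")
    pfx_path = os.path.join(workdir, "mycertificate.pfx")
    # Constructed placeholder PEM block (not a real certificate)
    with open(pem_path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END CERTIFICATE-----\n")
    # Constructed binary stand-in for a PKCS#12 file (DER SEQUENCE header)
    with open(pfx_path, "wb") as fh:
        fh.write(b"\x30\x82\x01\x00\xff\xfe")

    results = {"pem": resolve_ca_bundle(pem_path)}
    for name, candidate in (("pfx", pfx_path),
                            ("dbfs_uri", "dbfs:/mnt/tmp/path/to/mycertificate.pem")):
        try:
            resolve_ca_bundle(candidate)
            results[name] = None
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
    # Intended use on the driver:
    #   bundle, _ = resolve_ca_bundle("/dbfs/mnt/tmp/myfolder/mycertificate.pem")
    #   session.post(url, data=d, verify=bundle)
```

Once the path passes this check, an SSLEOFError such as the one in the question is not a certificate-path problem at all; as the asker found, it points at something between the driver and the service (here a firewall), which the init script in the accepted answer cannot fix.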

Jenkins SSL certificate from Windows AD CS

I am trying to configure Jenkins on Windows with an SSL certificate following these instructions. Instead of using a DigiCert certificate, our IT administrator would like to generate a certificate using Windows AD CS via the certificate snap-in of mmc.
However we cannot figure out how to import the keytool generated csr certificate request into the certificate snap-in.
If I use a certificate with a recreated certificate request in the mmc certificate store, the certificate is rejected with the following message:
keytool -importcert -alias jenkins -file "D:\Temp\jenkins\jenkins.pem" -keystore "D:\Temp\jenkins\jenkins.jks"
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <jenkins>
Does anyone know how to create an SSL certificate from the Windows certificate store based on a java keytool created csr certificate request?
I was able to get Jenkins running with SSL and this is what I did.
On the Jenkins Master
In the Certificate Snap-in of mmc, navigate to Certificates (Local Computer) / Personal.
Right click the Personal folder and select All Tasks / Request New Certificate...
Confirm the next two Enrollment pages by clicking on Next.
Check a Webserver Active Directory Enrollment Policy.
A warning message shows below the Enrollment Policy: "More information is required to enroll for this certificate. Click here to configure settings." Click on it.
Fill out the Certificate Properties: Subject name: Common name: [the name of your jenkins server]; Alternative name: DNS: [the name of your jenkins server]; Alternative name: DNS: [the full name of your jenkins server including your domain]. Confirm the page with OK and the following two pages.
Export the certificate in PFX format: right click on the certificate, All Tasks / Export...
Check: Yes, export the private key. Check: Include all certificates in the certification path if possible. Check: Export all extended properties. Since we are exporting the private key, we must provide a password: check Password and enter your password and password confirmation.
Pick a path for your PFX certificate and finish the export.
Export the certificate one more time without a password in the Base-64 encoded X.509 (.CER) format.
Rename the resulting .CER file to .PEM.
Create a Java keystore on the Jenkins server with
keytool -genkeypair -keysize 2048 -keyalg RSA -alias jenkins -keystore jenkins.jks
Answer the questions appropriate for your company and organisation.
Import the PFX certificate into the Java keystore with
keytool -importkeystore -srckeystore jenkins.pfx -srcstoretype pkcs12 -destkeystore jenkins.jks -deststoretype JKS
Copy the jenkins.jks to the secrets directory where Jenkins is installed (in my case C:\Program Files (x86)\Jenkins\secrets).
Add the certificate to the Jenkins startup parameters:
-Djavax.net.ssl.trustStore=%JENKINS_HOME%\secrets\jenkins.jks
-Djavax.net.ssl.trustStorePassword=[your password for the java key store]
Restart the Jenkins service.
On the Jenkins Agent
Import the PEM certificate from above into the Java keystore from the command line with administrator privileges:
keytool -import -alias jenkins -keystore "C:\Program Files (x86)\Java\jre1.8.0_161\lib\security\cacerts" -file [your pem file]
Enter the password of the keystore (by default changeit). Trust this certificate? [no]: yes
Make sure your jenkins-slave.xml in %JENKINS_HOME% does not contain -noCheckCertificate in the arguments.
Restart the service jenkinsslave-D__Jenkins.
I am reading the tutorial you have mentioned in your post, and I see this sentence:
"if making your own certificate skip steps 3, 4, and 5". Your code seems to be the one specified in step 5.
You could try to copy the keystore file to your Jenkins secrets directory as mentioned in step 6.
This link can also be helpful.

Configuring Jenkins with StartSSL - adding the issuer chain

I am unable to correctly configure Jenkins to use a StartSSL certificate.
I'm running it with command line arguments that specify paths to the private key and my certificate as shown on the Jenkins Wiki (at the bottom: https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins).
I've obtained a private key and a certificate from StartSSL
I've placed them in a particular folder
I'm running Jenkins as follows: java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsCertificate=<mydomain.crt file> --httpsPrivateKey=<my private key file>
Jenkins starts successfully. Opening https://mydomain:8080/ in Firefox says that the connection is untrusted:
mydomain:8080 uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
I've tried verifying mydomain:8080 on various SSL checker websites:
OK mydomain resolves to xxx.xxx.xxx.xxx
OK The certificate was issued by StartCom.
OK The certificate will expire in XXX days.
OK The hostname (mydomain) is correctly listed in the certificate.
Not OK The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate
to link it to a trusted root certificate.
StartSSL does not have explicit instructions for setting up Jenkins. I've tried following up on similar tutorials for other kinds of servers, and copied the intermediate authority files from StartCom into a unified certificate (ca.pem and sub.class1.server.ca.pem as noted here: http://www.startssl.com/?app=42).
However, this did not change anything.
SSL checkers like www.sslshopper.com/ssl-checker.html‎ still report that the website is untrusted.
Also, the GitHub image caching service is not rendering the build status icon from Jenkins for the same reason.
How do I add the issuer chain correctly to my certificate?
I had a similar problem, and after some research what got everything to be trusted was:
Merged the intermediate authority certificate and <mydomain.crt file> into one unified certificate called merged.cer using the link you mentioned.
(From: https://serverfault.com/questions/569866/jenkins-wont-serve-with-ca-signed-certificate)
openssl pkcs12 -inkey /location/to/key.pem -in /location/to/merged.cer -export -out keys.pkcs12
keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks
NOTE: the key to use for the merged.cer should be the same as <my private key file>
Then follow the Jenkins Wiki to use the KeyStore instead of the certificate
java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsKeyStore=/path/to/jenkins.jks --httpsPrivateKey=<my private key file>

Can I create a self-signed SSL certificate for Windows Azure using only makecert.exe?

Background: I need to test an https endpoint for a WebRole on Windows Azure. For that I need to upload a self-signed certificate, add the certificate's thumbprint to the WebRole's configuration and finally associate the endpoint with that configured certificate.
I created a self-signed certificate using makecert.exe, which is available through the Visual Studio Command Prompt. I used the following command:
makecert.exe -r -pe -n "CN=test.cloudapp.net" -sky exchange -ss my -len 2048 test.pfx
The command succeeds and I can upload the certificate file to the Windows Azure hosted service. But deployment of the WebRole fails with the following error:
Certificate with thumbprint 6AB... associated with HTTPS input
endpoint Endpoint2 does not contain private key.
I have to export the certificate from the my store, and choose to include the private key and provide a password. If I upload this exported certificate file and use its thumbprint, then deployment succeeds.
I want to create a certificate file that includes the private key, without first saving the certificate to any store and exporting it from the store. Is that possible using makecert.exe?
To create a certificate without saving it to any store you'll need to use pvk2pfx.exe (available through the Visual Studio Command Prompt).
It works like this:
makecert.exe -sv CertKey.pvk -n "CN=My Azure Certificate" CertKey.cer
pvk2pfx.exe -pvk CertKey.pvk -spc CertKey.cer -pfx MyPFX.pfx -po yourPasswordHere
Running makecert.exe will ask you for a password for the private key. You'll need to enter that password for the -po argument of the pvk2pfx.exe command.
Finally you'll have a pfx file (containing the private key) named MyPFX.pfx.