Friday, 3 August 2012

IBM HTTP Server - Setting up SSL using self-signed certificates

You really should avoid using self-signed certificates in a production environment, bearing in mind that they typically expire within a year and that they have not been signed by a certificate authority, so clients have no reason to trust them.

In addition, bear in mind that, by default, IHS only supports 1024-bit certificates UNLESS you choose to download and apply the unrestricted JCE policy files, as described in this Technote: -

The error "The specified database has been corrupted" is received when importing a pkcs12 file generated by openssl, into a jks file within ikeyman.

If ikeyman throws "The specified database has been corrupted" error during import, chances are the pkcs12 file uses an encryption method that is not available in the default JCE policy files provided by the Java used by ikeyman.

Having accepted that this is for a non-production environment, and that you're happy with self-signed certificates, here's a quick crib sheet: -

Create the SSL keystore (the -stash option writes the obfuscated password to key.sth so that IHS can open the keystore unattended; restrict filesystem permissions on both the .kdb and the .sth file)

$ mkdir /opt/IBM/HTTPServer/ssl
$ /opt/IBM/HTTPServer/bin/gsk7cmd -keydb -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd -type cms -stash

Create the self-signed certificate (default expiration is 12 months; I could have extended this had I chosen). Replace <hostname> and <label> with the server's host name and a label of your choice:

$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd -size 1024 -dn "CN=<hostname>,O=ibm" -label "<label>" -default_cert yes

List the certificate(s) in the keystore

$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd

Certificates in database /opt/IBM/HTTPServer/ssl/key.kdb:

List the certificate(s) in the keystore showing more detail, including default/trusted

$ /opt/IBM/HTTPServer/bin/gsk7capicmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd

/opt/IBM/HTTPServer/gsk7/bin/gsk7capicmd: error while loading shared libraries: cannot open shared object file: No such file or directory

Ooops - missing library :-)

$ yum install compat-libstdc++-33.i686

Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package compat-libstdc++-33.i686 0:3.2.3-69.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package               Arch    Version         Repository              Size
 compat-libstdc++-33   i686    3.2.3-69.el6    rhel-x86_64-server-6    189 k

Transaction Summary
Install       1 Package(s)

Total download size: 189 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm                     | 189 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : compat-libstdc++-33-3.2.3-69.el6.i686                 1/1
Installed products updated.
  Verifying  : compat-libstdc++-33-3.2.3-69.el6.i686                 1/1

  compat-libstdc++-33.i686 0:3.2.3-69.el6

Try again

$ /opt/IBM/HTTPServer/bin/gsk7capicmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd

Certificates found:
* default, - has private key, ! trusted

The job, she is a good 'un !!

*UPDATE 10 January 2013*

Note that the above point regarding 1024-bit certificates applies to IHS 7 and earlier versions. IHS 8 natively supports 2048-bit certificates. Additionally, in IHS 8 the GSK command has been renamed to gskcapicmd.
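The three caveats above (1024-bit key, 12-month expiry, no CA signature) can be checked on a certificate once it has been extracted from the keystore to PEM/.arm format (the GSK tools do this with -cert -extract ... -format ascii). The script below is an added example, not from the original post or from IBM; it assumes openssl and GNU date are installed, and builds a constructed 1024-bit sample certificate to show the findings.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PEM/.arm certificate for
# the weaknesses discussed above. Assumes openssl and GNU date. Extract first, e.g.
#   gsk7cmd -cert -extract -db key.kdb -pw ... -label <label> -target cert.arm -format ascii
set -u

MIN_KEY_BITS=2048   # IHS 8 handles 2048-bit natively; IHS 7 needs the unrestricted JCE files
WARN_DAYS=30        # flag certificates that expire within this many days

# key_bits FILE -> prints the RSA modulus size in bits (e.g. 1024)
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# days_left FILE -> prints whole days until notAfter (negative once expired)
days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# is_self_signed FILE -> succeeds when issuer equals subject
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer)" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=/issuer=/')" ]
}

# audit_cert FILE -> prints findings; exit status is the number of problems (0 = clean)
audit_cert() {
    problems=0
    bits=$(key_bits "$1"); left=$(days_left "$1")
    if [ "$bits" -lt "$MIN_KEY_BITS" ]; then
        echo "WEAK KEY: ${bits}-bit RSA (minimum ${MIN_KEY_BITS})"; problems=$((problems + 1))
    fi
    if [ "$left" -lt "$WARN_DAYS" ]; then
        echo "EXPIRY: ${left} day(s) left (warning below ${WARN_DAYS})"; problems=$((problems + 1))
    fi
    if is_self_signed "$1"; then
        echo "SELF-SIGNED: issuer equals subject, so clients have no CA to trust"; problems=$((problems + 1))
    fi
    return "$problems"
}

# make_sample_cert OUTFILE BITS DAYS -> constructed self-signed cert (like the post's 1024-bit one)
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -days "$3" -nodes -subj "/CN=ihs.example/O=ibm" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}
```

Running `make_sample_cert /tmp/weak.pem 1024 10 && audit_cert /tmp/weak.pem` reports all three findings; a 2048-bit, 365-day sample reports only the self-signed one.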