Saturday, 2 March 2013

Importing SSL certificates into the WebSphere Application Server CACerts certificate store

So I saw this in my WAS logs (for the IBM Business Monitor instance that hosts Cognos): -

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/cognos/PCSR011.Support/logs/cogserver.log

  CM-SYS-5157 Content Manager failed to notify the dispatcher "https://rhel6.uk.ibm.com:8443/p2pd/servlet/dispatch" of a running status change. CM-REQ-4128 An input/output error occurred executing an external request to the connector "CM". java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted. Cause: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted.
  Runtime Exception stack trace: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted.
        at com.ibm.jsse2.o.a(o.java:33)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:649)
        at com.ibm.jsse2.kb.a(kb.java:56)
        at com.ibm.jsse2.kb.a(kb.java:502)
        at com.ibm.jsse2.lb.a(lb.java:107)
        at com.ibm.jsse2.lb.a(lb.java:570)
        at com.ibm.jsse2.kb.s(kb.java:327)
        at com.ibm.jsse2.kb.a(kb.java:529)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:300)
        at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:403)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:774)
        at com.ibm.jsse2.k.write(k.java:7)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:76)
        at java.io.BufferedOutputStream.write(BufferedOutputStream.java:115)
        at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:975)
        at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:943)
        at com.cognos.cm.connectors.BusPostMethod.writeRequestBody(BusPostMethod.java:117)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at com.cognos.cm.connectors.BusConnectionPool$BusConnection.execute(BusConnectionPool.java:85)
        at com.cognos.cm.connectors.CMConnector.CMConnector$CMConnectorRunnable.run(CMConnector.java:469)
        at java.lang.Thread.run(Thread.java:772)
  Caused by: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted.
        at com.cognos.accman.jcam.crypto.misc.CAMX509TrustManager14.checkServerTrusted(CAMX509TrustManager14.java:354)
        at com.ibm.jsse2.lb.a(lb.java:323)
        ... 21 more

The trust manager in the trace (CAMX509TrustManager14) is rejecting the IHS certificate, which is self-signed (subject and issuer DN are the same), because its issuer is not in the trust store the JVM consults. This led me to the JVM's CACerts store: -

Dumped out the current list of CAs in CACerts: -

$ /opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks > /tmp/cacerts.out

Used a simple shell script to remove these 77 CAs, none of which are required for MY specific environment. Two caveats before copying this: the loop word-splits the listing, so it only does the right thing where every label is a single token (as the JDK's own aliases are); check the listing first. And an emptied CACerts means nothing else in this JVM will trust a public CA either, so this step is only safe where all of the JVM's outbound TLS goes to hosts you control. Re-check the file after a JDK update, since the update may replace it.

for c in `cat /tmp/cacerts.out`
do
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -delete -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks -label "$c"
done

Used OpenSSL to retrieve the certificate from the IHS box to a file. Note that s_client takes host:port rather than a URL, and redirecting stdin from /dev/null stops it sitting there waiting for input: -

$ openssl s_client -connect rhel6.uk.ibm.com:8443 < /dev/null > ihs.cer

Edited the file down to the certificate itself

$ vi ihs.cer

<snip>
-----BEGIN CERTIFICATE-----
MIICzjCCAbagAwIBAgIEURUitDANBgkqhkiG9w0BAQUFADApMQwwCgYDVQQKEwNp
Ym0xGTAXBgNVBAMTEHJoZWw2LnVrLmlibS5jb20wHhcNMTMwMjA4MTYwNzE2WhcN
MTQwMjA4MTYwNzE2WjApMQwwCgYDVQQKEwNpYm0xGTAXBgNVBAMTEHJoZWw2LnVr
LmlibS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCDsSbw27hU
M+1xIMapH4KJD3maj046A6k2GyUzsvKzH25OA/cmSo4LQByAHXc6O9wlFAbsRf4H
NWZemrGPtk2DqJQkLUMnTckLL5hb3Vt0RocnoBfbPJgNB8jwkUocF22aLEJ0Btqi
ppCbX2Gmkg+vFNMPSkGL89W5QGcnxeAwWASJRcITIEsxJ8JNRqZtrCz2IiUrC7li
ef1eIObt7eW/tr6xLpup8K0DFtI1FK27wMTCSb9B84yWYyIWKm30cgPlUHZqJJfQ
Rt5veMdmVfWN0vA4t6ctux5bD/HmcjMHRvXrM98vU2juq8l4JBd2HXVRZzblCRom
baAz5oqT4D6XAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAEAyzeQPW5Y88qUHg8sb
OpzzDE7pQMAudsBUlZG7hyz2hFXrao2P2h/JkOoOlvjmYm+e2A1GxO2DRVEj6tvw
V5AzjVw2XuVL0nRmaDDVOFgMsV+6LurXFj4TWG7nbFNvFNBHKGDzfbl9j4Zp8fsK
CGU1k8xQVQIykP6PptazjD5nAny4C1bWVDNNPiev7pJSR4Ki5tMuCNK5EHqeZ1PX
gO4kiBLDdS7RNgszxgkCdPF4pPvqis0tcl9zoXenzNOyEvJU9L1/Q7dhTq81uBMU
e0kh5b3OXPT92UD7xB87o8oUTlNrPfX4fKR6zTDEYLhgPTwYBGDpQJj6mD3wbnJV
a3I=
-----END CERTIFICATE-----
</snip>

Imported the certificate into CACerts

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks -file ihs.cer

Restarted my JVM ….
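As an added example (not code from the original post, nor IBM's), here is the same fetch / trim / import sequence as a small shell script, plus the step a practitioner wants in between: look at the subject, issuer, validity and fingerprint of what came back, and compare the fingerprint out of band with whoever runs the server, before trusting it. s_client will happily hand you whatever answered on port 8443, including an interposed host. The ikeycmd path, the label "ihs" and the s_client chatter in the offline demonstration are assumptions; the certificate in that sample is the one shown above.

```shell
#!/bin/sh
# Added example (not code from the original post or from IBM): scripts the
# fetch, "edit down to the certificate", inspect and import steps above.
# Assumptions for illustration: openssl on PATH, ikeycmd at the path below
# (override with IKEYCMD=...), and the label "ihs" for the imported entry.

IKEYCMD="${IKEYCMD:-/opt/IBM/HTTPServer/java/jre/bin/ikeycmd}"

# Keep only the first PEM certificate block (the server's leaf cert) from raw
# `openssl s_client` output; the handshake chatter around it is dropped.
# Reads the file given as $1, or stdin when no argument is supplied.
extract_first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/ { if (p) exit }' "$@"
}

# Number of PEM certificate blocks in $1 (prints 0 when there are none;
# grep -c exits non-zero in that case, hence the || true).
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the certificate a TLS server presents into $3. s_client takes
# host:port (no https:// prefix); stdin from /dev/null so it does not wait
# for input; -servername sends SNI. Fails unless exactly one cert was captured.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | extract_first_cert > "$3"
    [ "$(count_certs "$3")" -eq 1 ]
}

# Show what is about to be trusted: subject, issuer, validity and the SHA-256
# fingerprint, to be compared out of band with whoever runs the server.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Import into the JVM cacerts with ikeycmd as the post does, but with an
# explicit -label so the entry can be listed and removed by name later.
import_cert() {
    # $1 PEM file, $2 cacerts path, $3 store password, $4 label
    "$IKEYCMD" -cert -add -db "$2" -pw "$3" -type jks -file "$1" -label "$4"
}

# Offline demonstration of the extraction on constructed s_client output.
# The chatter lines are made up; the certificate is the one from the post.
SAMPLE=$(mktemp) && PEM=$(mktemp)
trap 'rm -f "$SAMPLE" "$PEM"' EXIT
cat > "$SAMPLE" <<'EOF'
CONNECTED(00000003)
depth=0 O = ibm, CN = rhel6.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:O = ibm, CN = rhel6.uk.ibm.com
   i:O = ibm, CN = rhel6.uk.ibm.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICzjCCAbagAwIBAgIEURUitDANBgkqhkiG9w0BAQUFADApMQwwCgYDVQQKEwNp
Ym0xGTAXBgNVBAMTEHJoZWw2LnVrLmlibS5jb20wHhcNMTMwMjA4MTYwNzE2WhcN
MTQwMjA4MTYwNzE2WjApMQwwCgYDVQQKEwNpYm0xGTAXBgNVBAMTEHJoZWw2LnVr
LmlibS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCDsSbw27hU
M+1xIMapH4KJD3maj046A6k2GyUzsvKzH25OA/cmSo4LQByAHXc6O9wlFAbsRf4H
NWZemrGPtk2DqJQkLUMnTckLL5hb3Vt0RocnoBfbPJgNB8jwkUocF22aLEJ0Btqi
ppCbX2Gmkg+vFNMPSkGL89W5QGcnxeAwWASJRcITIEsxJ8JNRqZtrCz2IiUrC7li
ef1eIObt7eW/tr6xLpup8K0DFtI1FK27wMTCSb9B84yWYyIWKm30cgPlUHZqJJfQ
Rt5veMdmVfWN0vA4t6ctux5bD/HmcjMHRvXrM98vU2juq8l4JBd2HXVRZzblCRom
baAz5oqT4D6XAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAEAyzeQPW5Y88qUHg8sb
OpzzDE7pQMAudsBUlZG7hyz2hFXrao2P2h/JkOoOlvjmYm+e2A1GxO2DRVEj6tvw
V5AzjVw2XuVL0nRmaDDVOFgMsV+6LurXFj4TWG7nbFNvFNBHKGDzfbl9j4Zp8fsK
CGU1k8xQVQIykP6PptazjD5nAny4C1bWVDNNPiev7pJSR4Ki5tMuCNK5EHqeZ1PX
gO4kiBLDdS7RNgszxgkCdPF4pPvqis0tcl9zoXenzNOyEvJU9L1/Q7dhTq81uBMU
e0kh5b3OXPT92UD7xB87o8oUTlNrPfX4fKR6zTDEYLhgPTwYBGDpQJj6mD3wbnJV
a3I=
-----END CERTIFICATE-----
subject=O = ibm, CN = rhel6.uk.ibm.com
issuer=O = ibm, CN = rhel6.uk.ibm.com
---
No client certificate CA names sent
EOF
extract_first_cert "$SAMPLE" > "$PEM"

# Real run against the host in the post (network required):
#   fetch_cert rhel6.uk.ibm.com 8443 ihs.cer && describe_cert ihs.cer \
#     && import_cert ihs.cer /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts changeit ihs
```

For a real run, call fetch_cert, describe_cert and import_cert as in the comment at the end of the script, compare the fingerprint describe_cert prints with the one the IHS administrator reads from the server's own key database, and only then import and restart the JVM as above. Because extract_first_cert stops at the first END line, it also behaves sensibly on -showcerts output, where the whole chain is printed: you get the leaf, not the issuer.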

2 comments:

Unknown said...

> openssl s_client -connect https://rhel6.uk.ibm.com:8443 > ihs.cer


No need for https:// here. The correct command is

openssl s_client -connect rhel6.uk.ibm.com:8443 > ihs.cer

Dave Hay said...

@Dymytro

Thanks for this - well spotted, it's not necessary to specify the HTTPS protocol.

Cheers, Dave
