In this scenario, he needed to retrieve a certificate from IBM Rational Asset Manager (IRAM) into the UCD key store, in order that a UCD process can access IRAM.
I've done this for IBM HTTP Server and IBM WebSphere Application Server in the past, using the IBM Global Security Toolkit (GSK), but Tomcat uses something slightly different.
This blog post gave me the pointer: -
How to import IBM UrbanCode Deploy self-signed certificate in the client JVM for use with the REST API
and this is what I did: -
List Current Certificates in Key Store
/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 2 entries
server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A
Get IRAM Certificate
openssl s_client -showcerts -connect ucd61.uk.ibm.com:9443 </dev/null > ~/iram.cer
depth=1 C = US, O = IBM, OU = ucd61Node01, OU = ucd61Node01Cell, OU = Root Certificate, CN = ucd61.uk.ibm.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
(In my case, I'm using WAS 8.5.5 on port 9443 in lieu of IRAM.)
The "self signed certificate in certificate chain" warning is expected here: WAS signs its server certificate with its own "Root Certificate" CA, which nothing on this box trusts yet.
Note that I needed to manually edit the retrieved file down to a single certificate block. openssl s_client writes its whole session output into the file (and, with -showcerts, every certificate in the chain), whereas keytool reads exactly one X.509 certificate from the file it is given, e.g.: -
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted here)
-----END CERTIFICATE-----
otherwise, I end up with: -
keytool error: java.lang.Exception: Input not an X.509 certificate
Add IRAM Certificate to Key Store
/opt/IBM/Java/jre/bin/keytool -importcert -alias iram -file ~/iram.cer -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Owner: CN=ucd61.uk.ibm.com, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Issuer: CN=ucd61.uk.ibm.com, OU=Root Certificate, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Serial number: 1fd8dd3c41dd
Valid from: 11/12/14 21:28 until: 11/12/15 21:28
Certificate fingerprints:
MD5: 0F:E7:18:C1:69:1B:ED:FC:47:D7:B7:25:7A:5F:E5:8B
SHA1: 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
SHA256: 4F:F0:ED:7B:BA:E1:74:2A:20:E2:ED:B6:E8:6B:50:DD:6E:37:3B:0D:19:DB:8B:3C:A4:71:A6:69:44:56:FD:2C
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:AppSrv01-BASE-e30363df-5cb5-462a-bc4d-6b87509c4b54]]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 8c 13 fd f7 80 8b db L.......
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
List Current Certificates in Key Store
/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 2 entries
iram, 22-Dec-2014, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A
What's next?
Yes, time to change the default password (changeit) for the Tomcat key store .....
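The whole procedure above, scripted so that the "manual edit" step and the trust decision at the "Trust this certificate?" prompt are no longer done by eye, plus the store-password change mentioned as the next step. This is an added example and not code from the original post or from IBM: the keytool and keystore paths are the ones the post shows, while the host, port, expected fingerprint, new password and the location of Tomcat's server.xml are assumptions supplied by whoever runs it. SAMPLE_CHAIN is constructed test data in the shape of s_client -showcerts output; its base64 bodies are dummies, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post: fetch a server's
# certificate chain with openssl s_client, cut one PEM block out of it
# without editing by hand, check its fingerprint against a value obtained
# out of band, import it into the UCD Tomcat keystore, and finally
# rotate the keystore's default password.
# Assumptions (not stated on the page): KEYTOOL and KEYSTORE are the paths
# the post shows; host, port, expected fingerprint and the new password
# are placeholders supplied by the caller; SAMPLE_CHAIN is constructed
# test data whose base64 bodies are dummies, not real certificates.

KEYTOOL=/opt/IBM/Java/jre/bin/keytool
KEYSTORE=/opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore
STOREPASS=${STOREPASS:-changeit}   # Tomcat's shipped default

# Print the N-th PEM certificate block from stdin (1 = the server's own
# certificate; with -showcerts the issuing certificates follow it).
# Everything else s_client prints (CONNECTED, depth/verify lines, the
# session block) is dropped, which is the hand edit the post describes.
extract_cert() {  # n
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want                     { print }
        /-----END CERTIFICATE-----/   { if (n == want) exit }
    '
}

# How many certificates the server sent (stdin = s_client output).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Live fetch of the chain (needs network; not exercised offline).
fetch_chain() {  # host port
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null
}

# SHA-256 fingerprint of a PEM file as colon-separated hex, the same
# form keytool shows at its "Trust this certificate?" prompt.
cert_sha256() {  # file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import only if the fingerprint matches what the IRAM/WAS administrator
# gave you; answering "y" at keytool's prompt without that comparison
# trusts whatever happened to answer on the wire.
import_trusted_cert() {  # alias file expected_sha256
    actual=$(cert_sha256 "$2")
    if [ "$actual" != "$3" ]; then
        echo "refusing to import $2: fingerprint $actual != $3" >&2
        return 1
    fi
    "$KEYTOOL" -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Replace the default store password. The "server" key entry carries its
# own password (assumed here to equal the old store password), so change
# it too, then update keystorePass on the HTTPS Connector in Tomcat's
# server.xml (its location is assumed; the page does not show it).
rotate_store_password() {  # old new
    "$KEYTOOL" -storepasswd -keystore "$KEYSTORE" -storepass "$1" -new "$2"
    "$KEYTOOL" -keypasswd -alias server -keystore "$KEYSTORE" \
        -storepass "$2" -keypass "$1" -new "$2"
}

# Constructed sample of what s_client -showcerts writes (dummy bodies).
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 C = US, O = IBM, OU = ucd61Node01, OU = ucd61Node01Cell, OU = Root Certificate, CN = ucd61.uk.ibm.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=IBM/OU=ucd61Node01/OU=ucd61Node01Cell/CN=ucd61.uk.ibm.com
   i:/C=US/O=IBM/OU=ucd61Node01/OU=ucd61Node01Cell/OU=Root Certificate/CN=ucd61.uk.ibm.com
-----BEGIN CERTIFICATE-----
LEAFCERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=IBM/OU=ucd61Node01/OU=ucd61Node01Cell/OU=Root Certificate/CN=ucd61.uk.ibm.com
   i:/C=US/O=IBM/OU=ucd61Node01/OU=ucd61Node01Cell/OU=Root Certificate/CN=ucd61.uk.ibm.com
-----BEGIN CERTIFICATE-----
ROOTCERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
---
DONE'

# Usage: sh import-iram-cert.sh run ucd61.uk.ibm.com 9443 <expected sha256>
if [ "${1:-}" = "run" ]; then
    fetch_chain "$2" "$3" > "$HOME/iram-chain.txt"
    extract_cert 1 < "$HOME/iram-chain.txt" > "$HOME/iram.cer"
    import_trusted_cert iram "$HOME/iram.cer" "$4"
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS"
fi
```

Two points worth keeping in mind when adapting this. Block 1 is the server's own certificate, which is what the post imports; the listing shows it valid for one year (11/12/14 to 11/12/15), so that trusted entry has to be replaced whenever WAS renews it, whereas importing block 2 (the "Root Certificate" issuer) keeps working across renewals of anything that issuer signs. And putting -storepass on the command line leaves the password in shell history and process listings; keytool prompts for it if the flag is omitted, which is the better habit once the default is changed.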