Monday, 22 December 2014

IBM UrbanCode Deploy - Working with Apache Tomcat SSL Key Store

One of my friends asked me how one can add SSL certificates to the Apache Tomcat SSL trust store underlying the IBM UrbanCode Deploy automation solution.

In this scenario, he needed to retrieve a certificate from IBM Rational Asset Manager (IRAM) into the UCD key store, in order that a UCD process can access IRAM.

I've done this for IBM HTTP Server and IBM WebSphere Application Server in the past, using the IBM Global Security Toolkit ( GSK ), but Tomcat uses something slightly different.


and this is what I did: -

List Current Certificates in Key Store

/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit 

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A


Get IRAM Certificate

openssl s_client -showcerts -connect ucd61.uk.ibm.com:9443 </dev/null  > ~/iram.cer

depth=1 C = US, O = IBM, OU = ucd61Node01, OU = ucd61Node01Cell, OU = Root Certificate, CN = ucd61.uk.ibm.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE


( In my case, I'm using WAS 8.5.5 on port 9443 in lieu of IRAM )

Note, I needed to manually edit the retrieved certificate to reduce superfluous tags, possible because the WAS certificate is self-signed e.g.: -

-----BEGIN CERTIFICATE-----
MIIDyDCCArCgAwIBAgIGH9jdPEHdMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYDVQQG
EwJVUzEMMAoGA1UEChMDSUJNMRQwEgYDVQQLEwt1Y2Q2MU5vZGUwMTEYMBYGA1UE
CxMPdWNkNjFOb2RlMDFDZWxsMRkwFwYDVQQLExBSb290IENlcnRpZmljYXRlMRkw
FwYDVQQDExB1Y2Q2MS51ay5pYm0uY29tMB4XDTE0MTIxMTIxMjgyMloXDTE1MTIx
MTIxMjgyMlowZjELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA0lCTTEUMBIGA1UECxML
dWNkNjFOb2RlMDExGDAWBgNVBAsTD3VjZDYxTm9kZTAxQ2VsbDEZMBcGA1UEAxMQ
dWNkNjEudWsuaWJtLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKlFEK54+pN68kp2V1//jU7hiYDjoOvRzECnn6D4CNWAuQ0VOtzaRbOmUmxmPyIb
44kPmxRz34yQj5mjA/0cNGS176EDeGikBlFvMZapJyf2wgEissuliDuaHrBRWrRe
0SWu3rk0vEPZjBAbl7V26vUOMDpFHoHbh3/Um7Qx7Ur9PdV3Qd/9ANhOeyw1G59D
acIhDKuLt3cHWTqLWbozOp0y3Z90sK8dwcOj+z0CH7e4/PHvO1mwlE5I8z9k378e
1FYwtuo/FD+NQMVEpZImTJMrFZVNPGIVp1EOTBC/XMp/cuvVAqcZMoG59bjpjyRd
mWH42L05CH/X1sNw3CI5bWMCAwEAAaNgMF4wSQYDVR0RBEIwQIE+UHJvZmlsZVVV
SUQ6QXBwU3J2MDEtQkFTRS1lMzAzNjNkZi01Y2I1LTQ2MmEtYmM0ZC02Yjg3NTA5
YzRiNTQwEQYDVR0OBAoECEyME/33gIvbMA0GCSqGSIb3DQEBBQUAA4IBAQBeWvNX
g1gOmJLkqIR9agSOxiTvWKAv+nzRIb9sQ9cQX/B0ucFx+Xh58tSO+bfJFDI42QKU
aiUXwtq8pAf+RWvf3kHagpN4GZFKByhp19lBwoceG/3gk/5IGALT+9useJU3N2+T
hNcqJERyAuCH5oBR+goml28yGjWOUAf/6fWf08heGEnfbLMl2S5IiVAoyaRY+byg
KITMlxj9x3YHxME8g7/hL0RyYfRe/Etb0AV4YL2YkAvaPcjFwjOVR35Bv1C1S3zP
q3FJaizXK2M8Albz8UJxnHj+Li3Qnps4wxLci/n40olEbLH6+Lfd1KOc1Nq6817M
6R4QGcCNIClZdIg8
-----END CERTIFICATE-----


otherwise, I end up with: -

keytool error: java.lang.Exception: Input not an X.509 certificate
Add IRAM Certificate to Key Store

/opt/IBM/Java/jre/bin/keytool -importcert -alias iram -file ~/iram.cer -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit

Owner: CN=ucd61.uk.ibm.com, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Issuer: CN=ucd61.uk.ibm.com, OU=Root Certificate, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Serial number: 1fd8dd3c41dd
Valid from: 11/12/14 21:28 until: 11/12/15 21:28
Certificate fingerprints:
 MD5:  0F:E7:18:C1:69:1B:ED:FC:47:D7:B7:25:7A:5F:E5:8B
 SHA1: 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
 SHA256: 4F:F0:ED:7B:BA:E1:74:2A:20:E2:ED:B6:E8:6B:50:DD:6E:37:3B:0D:19:DB:8B:3C:A4:71:A6:69:44:56:FD:2C
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:AppSrv01-BASE-e30363df-5cb5-462a-bc4d-6b87509c4b54]]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 8c 13 fd f7 80 8b db                           L.......
]
]

Trust this certificate? [no]:  
y
Certificate was added to keystore


List Current Certificates in Key Store

/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit 

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

iram, 22-Dec-2014, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A


What's next ?

Yes, time to change the default password for the Tomcat key store .....


No comments: