Thursday, 26 March 2015

IBM HTTP Server and the Global Security Toolkit - Not quite Harry Potter

I have blogged about this before: -


but I finally have a much clearer idea of the problem, and the pukka solution.

When creating a self-signed  SSL certificate in IHS, via a command such as: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,dc=uk,dc=ibm,c=com" -label "hostname.domain.co.uk" -default_cert yes

I'd end up with an exception: -

CTGSK3024W Invalid value for parameter "-dn" (cn=hostname.domain.co.uk,o=domain,o=co,c=uk).

Initially, I thought that the problem was with the format of the Distinguished Name, so I used an escape character in front of each comma: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk\,dc=uk\,dc=ibm\,c=com" -label "hostname.domain.co.uk" -default_cert yes

which worked OK .... or so I thought.

However, when I looked at the certificate in Firefox, I noted that the Issuer contained an invalid Common Name (CN) - it actually held the DN: -


I spent a wee while digging around, and found that, if I instead used ikeycmd : -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,o=domain,o=co,c=uk" -label "hostname.domain.co.uk" -default_cert yes


the certificate created with the correct Issuer.

Which is unusual.

I've experimented further, including: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,dc=domain,dc=co,dc=uk" -label "hostname.domain.co.uk" -default_cert yes

In other words, I continued to experiment with the format of the DN.

According to this document: -


the crucial thing is to ensure that the DN is formatted to a certain X.500 standard: -

-dn <dist_name>

The X.500 distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format (only CN is required):

        CN=common name
        O=organization
        OU=organization unit
        L=location

        ST=state, province
        C=country
        DC=domain component
        EMAIL=email address

For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"

Multiple OU values are now supported. Simply add additional OU key\value pairs to the specified distinguished name. If the OU value requires a comma (',') then you must escape it with '\\'

For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US"

Therefore, via trial and error, I've found a syntax that works for my client, and also works with GSK rather than depending upon ikeycmd, as hosting a JRE on a web server is typically a bad idea.

For evidence, please see the 39 Steps here: -



No comments: