Wednesday, 13 May 2015

IBM Cognos - Working with SSL/TLS Keystore

This is an ongoing voyage of discovery, as I seek to replicate my success: -

( this is a post that I authored for the WebSphere User Group on their Global WebSphere Community site )

with IBM Business Monitor.

Whilst the DB2 and WAS aspects ( configuring the DB2 instance and listener for SSL, updating the WAS JDBC data sources, adding the DB2 signer certificate into he WAS trust store etc. ) are the same, the Cognos BI engine is quite different.

I don't yet have it cracked, but I did discover a few more things about Cognos BI today, specifically in terms of where it keeps its own SSL/TLS key store.

It's here: -

-rw-r--r-- 1 wasadmin wasadmins 19728 May 13 16:07 /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/cognos/SupClusterMember1/configuration/certs/CAMKeystore

Why do I know this ?

Because I wanted to test a hypothesis by adding the DB2 server's signer certificate to it.

This is how I first retrieved the signer certificate: -

openssl s_client -showcerts -connect localhost:60007 </dev/null > ~/db2.cer

and I happily verified the certificate: -

openssl x509 -fingerprint -noout -text -in ~/db2.cer

SHA1 Fingerprint=FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
        Version: 3 (0x2)
        Serial Number: 1681898445175821098 (0x17574db98cfc932a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=ibm, DC=uk,
            Not Before: May 11 10:01:51 2015 GMT
            Not After : May 11 10:01:51 2016 GMT
        Subject: DC=com, DC=ibm, DC=uk,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

    Signature Algorithm: sha1WithRSAEncryption

However, when I tried to add it to the Cognos key store: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

I saw this: -

keytool error: java.lang.Exception: Input not an X.509 certificate

Happily a quick Google search later, and I found this: -

which says, in part: -

While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):

openssl s_client -showcerts -connect < /dev/null | openssl x509 -outform DER > derp.der

Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.

I re-retrieved the certificate from DB2: -

openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer

( adding in the relevant Hogwarts magic to get the resulting file in x509 DER ) and was then able to import it: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

Owner:, DC=uk, DC=ibm, DC=com
Issuer:, DC=uk, DC=ibm, DC=com
Serial number: 17574db98cfc932a
Valid from: 11/05/15 11:01 until: 11/05/16 11:01
Certificate fingerprints:
 MD5:  81:B0:E7:81:A3:1B:79:64:07:1B:41:9E:7E:0A:F3:08
 SHA1: FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Trust this certificate? [no]:  y
Certificate was added to keystore

which is nice.

Did that fix my problem ? Alas, no, but it's another step on the journey to ......... ?

No comments: