( this is a post that I authored for the WebSphere User Group on their Global WebSphere Community site )
with IBM Business Monitor.
Whilst the DB2 and WAS aspects ( configuring the DB2 instance and listener for SSL, updating the WAS JDBC data sources, adding the DB2 signer certificate into the WAS trust store etc. ) are the same, the Cognos BI engine is quite different.
I don't yet have it cracked, but I did discover a few more things about Cognos BI today, specifically in terms of where it keeps its own SSL/TLS key store.
It's here: -
-rw-r--r-- 1 wasadmin wasadmins 19728 May 13 16:07 /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/cognos/SupClusterMember1/configuration/certs/CAMKeystore
Why do I know this ?
Because I wanted to test a hypothesis by adding the DB2 server's signer certificate to it.
This is how I first retrieved the signer certificate: -
openssl s_client -showcerts -connect localhost:60007 </dev/null > ~/db2.cer
and I happily verified the certificate: -
openssl x509 -fingerprint -noout -text -in ~/db2.cer
SHA1 Fingerprint=FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1681898445175821098 (0x17574db98cfc932a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
Validity
Not Before: May 11 10:01:51 2015 GMT
Not After : May 11 10:01:51 2016 GMT
Subject: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cc:de:34:78:ca:b8:48:c1:24:43:3b:39:ca:79:
6e:7d:bd:2f:fd:a5:86:cc:fa:d1:0f:9f:6b:d2:04:
ac:5f:3e:4f:42:81:89:03:88:fb:95:86:ed:fd:f4:
c5:a1:c0:8e:b4:70:b7:2d:36:c8:2e:1a:5c:d7:b5:
83:e0:f4:36:f8:0a:8f:32:54:47:1a:b7:a4:b6:42:
d8:4c:60:ee:e5:2c:de:a2:77:ee:10:b0:fc:c3:a2:
7a:e2:3b:45:c4:2f:8a:11:43:bc:fb:a2:e1:cd:69:
0f:aa:bb:e2:7c:de:2b:8b:3c:76:cd:56:a8:5d:3e:
5c:e7:fb:ef:b1:15:f9:14:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85
X509v3 Authority Key Identifier:
keyid:56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85
Signature Algorithm: sha1WithRSAEncryption
99:4c:9c:6e:65:a9:d1:c8:b1:d7:44:30:cd:9a:bc:d5:77:a0:
9f:69:8b:97:2e:e7:13:95:97:b2:b4:57:d0:74:14:e3:e3:ea:
ae:22:ef:01:2c:2e:b7:37:1a:85:e7:00:48:41:71:9b:25:a4:
25:79:76:04:6d:3c:a5:a3:ce:9c:e2:ea:26:33:56:6d:2e:40:
1f:0e:bf:e8:b7:de:06:1b:d1:8c:65:c4:19:8c:c8:39:92:d8:
f5:ad:18:56:c3:ef:d6:25:a1:4c:a9:64:40:df:df:75:a0:5e:
ec:7e:ea:cc:8e:dc:2c:1e:71:4a:8d:74:7f:d6:84:8a:20:05:
fb:64
However, when I tried to add it to the Cognos key store: -
/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12
I saw this: -
keytool error: java.lang.Exception: Input not an X.509 certificate
Happily a quick Google search later, and I found this: -
which says, in part: -
<snip>
While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):
openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der
Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.
</snip>
I re-retrieved the certificate from DB2: -
openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer
( adding in the relevant Hogwarts magic to get the resulting file in X.509 DER format, rather than the whole s_client session transcript ) and was then able to import it: -
/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12
Owner: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Issuer: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Serial number: 17574db98cfc932a
Valid from: 11/05/15 11:01 until: 11/05/16 11:01
Certificate fingerprints:
MD5: 81:B0:E7:81:A3:1B:79:64:07:1B:41:9E:7E:0A:F3:08
SHA1: FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Trust this certificate? [no]: y
Certificate was added to keystore
which is nice.
Did that fix my problem ? Alas, no, but it's another step on the journey to ......... ?
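As an added example (not code from the original post), here is the retrieve-convert-import sequence above as shell functions that run offline, plus the one check the `Trust this certificate? [no]:` prompt leaves to the operator: comparing the SHA1 fingerprint against a known value before the certificate lands in CAMKeystore. The transcript is constructed in the shape `openssl s_client` writes, using the DN from this post; its certificate body is a placeholder (base64 of the three bytes `abc`, whose SHA1 is a published test vector), so the fingerprint is not DB2's. The function names, `EXPECTED_FP` and the temp-file handling are my assumptions; `awk`, `base64` and `sha1sum` stand in for `openssl x509 -outform DER` and `openssl x509 -fingerprint`.

```shell
#!/bin/sh
# Added example, not code from the original post.  It reproduces the fix above
# offline and adds the check that the "Trust this certificate? [no]:" prompt
# leaves to the operator's eye: compare the SHA1 fingerprint with one obtained
# out of band before the certificate goes into CAMKeystore.
#
# Why the first import failed: `openssl s_client -showcerts ... > ~/db2.cer`
# saves the whole session transcript (CONNECTED, verify return codes, cipher
# summary) with the PEM block somewhere in the middle, and keytool only parses
# a file that is entirely one certificate.  `openssl x509 -outform DER` fixes
# that by reading the first PEM block and re-emitting just its DER bytes.

# Keep only the first -----BEGIN/END CERTIFICATE----- block of a transcript on
# stdin.  With -showcerts the server may send its whole chain; the first block
# is the server certificate itself (for this DB2 listener, self-signed).
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# PEM is base64 of the DER encoding between the armour lines, so for one
# certificate this is equivalent to `openssl x509 -outform DER`.
pem_to_der() {
    sed '/^-----/d' | base64 -d
}

# SHA1 fingerprint of DER bytes on stdin, in the upper-case colon-separated
# form that both `openssl x509 -fingerprint` and keytool print.
der_fingerprint() {
    sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# check_fingerprint TRANSCRIPT EXPECTED: print the computed fingerprint and
# succeed only if it equals EXPECTED, so a script can gate
# `keytool -import -noprompt` on it instead of answering "y" blind.
check_fingerprint() {
    actual=$(extract_first_pem < "$1" | pem_to_der | der_fingerprint)
    echo "$actual"
    [ "$actual" = "$2" ]
}

# Constructed sample transcript in the shape s_client writes.  The certificate
# body is a placeholder: base64 of the three bytes "abc", chosen because
# SHA1("abc") is a published test vector; it is not a real X.509 structure.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 DC = com, DC = ibm, DC = uk, CN = bpm856.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/DC=com/DC=ibm/DC=uk/CN=bpm856.uk.ibm.com
   i:/DC=com/DC=ibm/DC=uk/CN=bpm856.uk.ibm.com
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1
---
DONE
EOF
}

# Fingerprint the sample must produce (SHA1 of "abc" in keytool format).
EXPECTED_FP='A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D'

# Demo: `sh thisfile.sh demo` writes the sample transcript, checks it, and
# prints the keytool command it would then be safe to run (not executed here;
# CAMKeystore, the DB2 alias and the MONITOR store password are from the post).
demo() {
    t=$(mktemp)
    sample_transcript > "$t"
    if check_fingerprint "$t" "$EXPECTED_FP"; then
        extract_first_pem < "$t" | pem_to_der > "$t.der"
        echo "fingerprint matches; import with:"
        echo "keytool -import -noprompt -file $t.der -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12"
    else
        echo "fingerprint mismatch: refusing to add this certificate" >&2
    fi
    rm -f "$t" "$t.der"
}

case "${1:-}" in demo) demo ;; esac
```

Against the real listener the pipeline is `openssl s_client -showcerts -connect localhost:60007 </dev/null | extract_first_pem | pem_to_der > ~/db2.cer`, which produces the same bytes as the `openssl x509 -outform DER` version in the post. Note that the SHA1 shown by `openssl x509 -fingerprint` and the one keytool prints at import (FC:BB:C1:... above) both come from the same network connection, so agreeing with each other proves only that the file was converted correctly; the value to pass as `EXPECTED` is one read from the DB2 server's own keystore on the DB2 host.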