Wednesday, 13 May 2015

IBM Cognos - Working with SSL/TLS Keystore

This is an ongoing voyage of discovery, as I seek to replicate my success: -


( this is a post that I authored for the WebSphere User Group on their Global WebSphere Community site )

with IBM Business Monitor.

Whilst the DB2 and WAS aspects ( configuring the DB2 instance and listener for SSL, updating the WAS JDBC data sources, adding the DB2 signer certificate into the WAS trust store etc. ) are the same, the Cognos BI engine is quite different.

I don't yet have it cracked, but I did discover a few more things about Cognos BI today, specifically in terms of where it keeps its own SSL/TLS key store.

It's here: -

-rw-r--r-- 1 wasadmin wasadmins 19728 May 13 16:07 /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/cognos/SupClusterMember1/configuration/certs/CAMKeystore

Why do I know this ?

Because I wanted to test a hypothesis by adding the DB2 server's signer certificate to it.

This is how I first retrieved the signer certificate: -

openssl s_client -showcerts -connect localhost:60007 </dev/null > ~/db2.cer

and I happily verified the certificate: -

openssl x509 -fingerprint -noout -text -in ~/db2.cer

SHA1 Fingerprint=FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1681898445175821098 (0x17574db98cfc932a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
        Validity
            Not Before: May 11 10:01:51 2015 GMT
            Not After : May 11 10:01:51 2016 GMT
        Subject: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cc:de:34:78:ca:b8:48:c1:24:43:3b:39:ca:79:
                    6e:7d:bd:2f:fd:a5:86:cc:fa:d1:0f:9f:6b:d2:04:
                    ac:5f:3e:4f:42:81:89:03:88:fb:95:86:ed:fd:f4:
                    c5:a1:c0:8e:b4:70:b7:2d:36:c8:2e:1a:5c:d7:b5:
                    83:e0:f4:36:f8:0a:8f:32:54:47:1a:b7:a4:b6:42:
                    d8:4c:60:ee:e5:2c:de:a2:77:ee:10:b0:fc:c3:a2:
                    7a:e2:3b:45:c4:2f:8a:11:43:bc:fb:a2:e1:cd:69:
                    0f:aa:bb:e2:7c:de:2b:8b:3c:76:cd:56:a8:5d:3e:
                    5c:e7:fb:ef:b1:15:f9:14:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85
            X509v3 Authority Key Identifier: 
                keyid:56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85

    Signature Algorithm: sha1WithRSAEncryption
         99:4c:9c:6e:65:a9:d1:c8:b1:d7:44:30:cd:9a:bc:d5:77:a0:
         9f:69:8b:97:2e:e7:13:95:97:b2:b4:57:d0:74:14:e3:e3:ea:
         ae:22:ef:01:2c:2e:b7:37:1a:85:e7:00:48:41:71:9b:25:a4:
         25:79:76:04:6d:3c:a5:a3:ce:9c:e2:ea:26:33:56:6d:2e:40:
         1f:0e:bf:e8:b7:de:06:1b:d1:8c:65:c4:19:8c:c8:39:92:d8:
         f5:ad:18:56:c3:ef:d6:25:a1:4c:a9:64:40:df:df:75:a0:5e:
         ec:7e:ea:cc:8e:dc:2c:1e:71:4a:8d:74:7f:d6:84:8a:20:05:
         fb:64

However, when I tried to add it to the Cognos key store: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

I saw this: -

keytool error: java.lang.Exception: Input not an X.509 certificate

Happily a quick Google search later, and I found this: -


which says, in part: -

<snip>
While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der

Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.
</snip>

I re-retrieved the certificate from DB2: -

openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer

( adding in the relevant Hogwarts magic to get the resulting file in x509 DER ) and was then able to import it: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

Owner: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Issuer: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Serial number: 17574db98cfc932a
Valid from: 11/05/15 11:01 until: 11/05/16 11:01
Certificate fingerprints:
 MD5:  81:B0:E7:81:A3:1B:79:64:07:1B:41:9E:7E:0A:F3:08
 SHA1: FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Trust this certificate? [no]:  y
Certificate was added to keystore

which is nice.
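For anyone repeating the above, the root cause of the keytool error is worth spelling out: the first `openssl s_client ... > ~/db2.cer` captured the whole s_client transcript ( the `CONNECTED(...)` line, the `verify` lines, the session summary ) around the PEM block, and keytool wants a file that is nothing but one certificate, in PEM or DER. Piping through `openssl x509 -outform DER` works because `openssl x509` skips the noise and reads the first PEM block it finds. The script below is an added example, not from the original post, and not Cognos or DB2 code: it splits an s_client transcript into its individual certificates, converts each to DER, and prints the SHA1 fingerprint so it can be compared with the `openssl x509 -fingerprint` output before anything is trusted. Because it has to run without a DB2 listener, it builds a throwaway self-signed certificate with `openssl req` and wraps it in a constructed transcript that mimics what `-showcerts` prints; the file names, the `db2signer` alias, the `changeit` password and the `db2-test.example.invalid` subject are all assumptions. Point `split_pem_certs` at a real `~/db2.cer` instead to use it for real.

```shell
#!/bin/sh
# Added example (not from the original post): make an `openssl s_client -showcerts`
# transcript importable with keytool by extracting each PEM block and converting
# it to DER, then print SHA1 fingerprints so they can be checked out of band.
# Assumptions: file names, alias, store password and the test subject below are
# hypothetical; the transcript is constructed here, not captured from DB2.

set -eu

# split_pem_certs FILE OUTPREFIX
#   Copies every BEGIN/END CERTIFICATE block in FILE to OUTPREFIX-N.pem, dropping
#   the CONNECTED/verify/SSL-Session lines s_client prints around them.
#   Prints the number of certificates found (0 if none).
split_pem_certs() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inblock = 1 }
        inblock                      { print > out }
        /-----END CERTIFICATE-----/  { inblock = 0; close(out) }
        END                          { print n + 0 }
    ' "$1"
}

# pem_to_der IN.pem OUT.der : the conversion keytool needed in the post
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# sha1_fingerprint FILE.der : prints "AA:BB:..." exactly as keytool/openssl show it
sha1_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# make_test_transcript WORKDIR : constructed stand-in for `s_client -showcerts`
#   output captured with "> file"; prints the transcript path.
make_test_transcript() {
    workdir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=db2-test.example.invalid" \
        -keyout "$workdir/key.pem" -out "$workdir/server.pem" 2>/dev/null
    {
        echo "CONNECTED(00000003)"
        echo "depth=0 CN = db2-test.example.invalid"
        echo "verify error:num=18:self signed certificate"
        echo "---"
        echo "Certificate chain"
        echo " 0 s:CN = db2-test.example.invalid"
        echo "   i:CN = db2-test.example.invalid"
        cat "$workdir/server.pem"
        echo "---"
        echo "Server certificate"
        echo "SSL-Session:"
        echo "    Protocol  : TLSv1.2"
        echo "DONE"
    } > "$workdir/transcript.txt"
    echo "$workdir/transcript.txt"
}

# demo : run the pipeline end to end on the constructed transcript.
#   s_client prints the chain leaf first, so the last certificate is the
#   top-most signer; for a self-signed DB2 certificate there is only one.
demo() {
    workdir=$(mktemp -d)
    transcript=$(make_test_transcript "$workdir")
    count=$(split_pem_certs "$transcript" "$workdir/cert")
    echo "certificates in transcript: $count"
    i=1
    while [ "$i" -le "$count" ]; do
        pem_to_der "$workdir/cert-$i.pem" "$workdir/cert-$i.der"
        echo "cert-$i.der SHA1: $(sha1_fingerprint "$workdir/cert-$i.der")"
        i=$((i + 1))
    done
    # Import the signer only if a JDK keytool is on PATH (it may not be here).
    if command -v keytool >/dev/null 2>&1; then
        keytool -import -noprompt -file "$workdir/cert-$count.der" -alias db2signer \
            -keystore "$workdir/test.p12" -storetype PKCS12 -storepass changeit >/dev/null
        echo "imported cert-$count.der into $workdir/test.p12"
    fi
    echo "work files left in $workdir"
}

demo
```

Two practical checks go with this. First, compare the printed SHA1 fingerprint with one obtained some other way ( from the DB2 server's own keystore, or from the `openssl x509 -fingerprint` run above ) before answering `y` to keytool: `s_client` trusts whatever answered on the port, so the fingerprint is the only thing that ties the imported signer to the real DB2 instance. Second, passing `-storepass` on the command line, as in the post, leaves the CAMKeystore password in shell history and in `ps` output; keytool will prompt for it if the option is omitted. Note too that the certificate dumped above is a 1024-bit RSA key signed with SHA-1, which current guidance ( and current JDKs, which disable such signatures by default ) treats as too weak, so a DB2 listener set up for anything beyond a lab should be issued a larger key and a SHA-2 signature.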

Did that fix my problem ? Alas, no, but it's another step on the journey to ......... ?
