A colleague asked (I don't claim to understand his requirements): -
What's the best way to export certs from liberty so I can import them into the IHS keystore?
I'm running Liberty Profile 8.5.5.5 on my Mac and IBM HTTP Server (IHS) 8.5.5.5 on a Red Hat VM.
I started by downloading the Liberty Profile Runtime from here: -
which resulted in: -
-rw-r--r--@ 1 davehay staff 60261097 11 May 18:26 wlp-runtime-8.5.5.5.jar
and installed it: -
java -jar wlp-runtime-8.5.5.5.jar
to here: -
/Users/davehay/Liberty/wlp
I then followed Oliver Rebmann's excellent blog post: -
to set up an SSL keystore and self-signed certificate, as follows: -
cd /Users/davehay/Liberty/wlp/bin
./securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365
and added the relevant configuration to my server's configuration: -
vi /Users/davehay/Liberty/wlp/usr/servers/defaultServer/server.xml
adding the second featureManager (with the ssl-1.0 feature) and the keyStore element shown below; Liberty merges repeated featureManager elements, so the feature could equally go into the first one: -
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
    </featureManager>
    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" />
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />
</server>
and started Liberty: -
/Users/davehay/Liberty/wlp/bin/server start
Having validated that I could connect to Liberty on port 9443 (see the httpsPort attribute above): -
I then used the openssl tool to capture the certificate that Liberty presents on port 9443 to a file; note that this redirect saves the whole s_client transcript, including the PEM-encoded certificate chain, not just the certificate: -
openssl s_client -showcerts -connect localhost:9443 </dev/null > ~/liberty.cer
Having shipped the certificate file from the Mac to the Red Hat VM: -
scp ~/liberty.cer wasadmin@bpm856:~
I then imported it into the IHS key database (keystore.kdb) as a signer certificate, under the label liberty: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -file ~/liberty.cer -label liberty
and validated it thus (-pw puts the key database password into the shell history; where the database has a stash file, -stashed reads it from there instead): -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd
and, for the new entry specifically, where Issuer and Subject are identical, as expected for the self-signed certificate securityUtility generated, and the Not Before/Not After window is the year requested with --validity=365: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label liberty
...
Label : liberty
Key Size : 2048
Version : X509 V3
Serial : 5550f616
Issuer : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Subject : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Not Before : May 11, 2015 7:33:58 PM GMT+01:00
Not After : May 10, 2016 7:33:58 PM GMT+01:00
...
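An added example, not code from the original post nor from Oliver's: a small POSIX shell script that tightens the capture-and-ship step above. The s_client redirect writes the whole transcript (CONNECTED line, chain, session summary) into ~/liberty.cer; gskcapicmd coped with that here, but the first function below keeps only the first PEM block, which is the server's own certificate, and a second prints its SHA-256 fingerprint so the value can be compared on the Mac and on the Red Hat VM before -cert -add. The sample transcript is constructed (placeholder bodies, not a real certificate) and deliberately shows a two-certificate chain, which a self-signed Liberty certificate would not have, so that the leaf selection is visible; the paths and hosts follow the post and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Keeps only the server's own
# certificate out of an `openssl s_client -showcerts` transcript and
# fingerprints it, so the copy imported into IHS can be checked against
# what Liberty really serves. Paths/hosts below follow the post and are
# assumptions, not something the post itself does.

# Emit only the first PEM certificate block in file $1. s_client prints the
# leaf (the server's own certificate) first, then any intermediates; the
# CONNECTED line, the rest of the chain and the session summary are dropped.
extract_leaf_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ && !done { inside = 1 }
    inside { print }
    /-----END CERTIFICATE-----/ && inside { inside = 0; done = 1 }
  ' "$1"
}

# Number of PEM certificate blocks in file $1 (more than one means a chain).
count_cert_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# SHA-256 fingerprint of the PEM certificate in file $1, colon-separated hex.
# Needs a real certificate and openssl; compare this value on both hosts.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# Constructed stand-in for ~/liberty.cer. The base64 bodies are placeholders,
# NOT real certificates (openssl would reject them); the layout is what
# s_client writes to stdout, with a two-entry chain so the leaf selection is
# visible (a self-signed Liberty certificate has only entry 0).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.leaf"' EXIT
cat > "$SAMPLE" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=us/O=ibm/OU=defaultServer/CN=172.16.0.65
   i:/C=us/O=ibm/OU=defaultServer/CN=172.16.0.65
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFBODYPLACEHOLDERLEAFBODYPLACEHOLDERLEAFBODY0000
-----END CERTIFICATE-----
 1 s:/CN=placeholder-intermediate
   i:/CN=placeholder-root
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATEBODYPLACEHOLDERINTERMEDIATEBODY000000
-----END CERTIFICATE-----
---
Server certificate
subject=/C=us/O=ibm/OU=defaultServer/CN=172.16.0.65
issuer=/C=us/O=ibm/OU=defaultServer/CN=172.16.0.65
---
SSL-Session:
    Protocol  : TLSv1.2
---
DONE
EOF

extract_leaf_cert "$SAMPLE" > "$SAMPLE.leaf"
echo "blocks in transcript: $(count_cert_blocks "$SAMPLE"), in extracted file: $(count_cert_blocks "$SAMPLE.leaf")"
cat "$SAMPLE.leaf"

# Against a live server (not run here):
#   openssl s_client -showcerts -connect localhost:9443 </dev/null 2>/dev/null > ~/liberty.full
#   extract_leaf_cert ~/liberty.full > ~/liberty.cer
#   pem_fingerprint ~/liberty.cer            # note the value on the Mac
#   scp ~/liberty.cer wasadmin@bpm856:~
#   pem_fingerprint ~/liberty.cer            # on bpm856: must match before -cert -add
```

On the Liberty side the same fingerprint can be read straight out of the keystore securityUtility generated (by default usr/servers/defaultServer/resources/security/key.jks, alias default) with keytool -list -v, which gives an out-of-band value to compare with what s_client captured; the certificate itself is public, so what the check protects is that the file imported on the IHS host is the one Liberty actually presents.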
The job, as they say, is a good 'un.
PS Thanks to Oliver for his insights ....
3 comments:
Thanks Dave - The requirement is to allow pass through from an IHS server to an IGC server running in a VM Image hosted on a private subnet :-)
Thanks for that Dave, really useful
De nada, glad to be of use, Dave