Monday, 11 May 2015

WebSphere Liberty Profile and IBM HTTP Server - Exchanging SSL Certificates

This one is for a friend of mine, TonyH, who asked this question earlier.

I don't claim to understand his requirements, but he asked: -

What's the best way to export certs from liberty so I can import them into the IHS keystore?

I'm running Liberty Profile 8.5.5.5 on my Mac and IBM HTTP Server (IHS) 8.5.5.5 on a Red Hat VM.

I started by downloading the Liberty Profile Runtime from here: -


which resulted in: -

-rw-r--r--@  1 davehay  staff  60261097 11 May 18:26 wlp-runtime-8.5.5.5.jar

and installed it: -

java -jar wlp-runtime-8.5.5.5.jar

to here: -

/Users/davehay/Liberty/wlp

I then followed Oliver Rebmann's excellent blog post: -


to set up an SSL key store and certificate, as follows: -

cd /Users/davehay/Liberty/wlp/bin
./securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

and added the relevant configuration to my server's configuration: -

vi /Users/davehay/Liberty/wlp/usr/servers/defaultServer/server.xml

adding the lines highlighted below: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" />

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
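    <!-- {xor} is a reversible encoding of the password, not encryption; restrict read access to this file -->
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />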


</server>


and started Liberty: -

/Users/davehay/Liberty/wlp/bin/server start

Having validated that I could connect to Liberty on port 9443 (see the httpsPort directive above): -


I then used the openssl tool to retrieve the certificate from port 9443 to a file: -

openssl s_client -showcerts -connect localhost:9443 </dev/null > ~/liberty.cer

Having shipped the certificate file from the Mac to the Red Hat VM: -

scp ~/liberty.cer wasadmin@bpm856:~

I then imported it into the IHS key store: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -file ~/liberty.cer -label liberty

and validated it thus: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
! liberty
*- bpm856.uk.ibm.com


and: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label liberty

...
Label : liberty
Key Size : 2048
Version : X509 V3
Serial : 5550f616
Issuer : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Subject : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Not Before : May 11, 2015 7:33:58 PM GMT+01:00
Not After : May 10, 2016 7:33:58 PM GMT+01:00

...

The job, as they say, is a good 'un.

PS Thanks to Oliver for his insights ....
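
A check worth running between the openssl and gskcapicmd steps above, as an added example that is not part of the original post: the redirect saves all of s_client's output, fetched over an unauthenticated connection, so this script keeps only the server's own PEM block and refuses to hand it on unless its SHA-256 fingerprint matches one read directly from the Liberty key store. The function names are hypothetical, the expected fingerprint is assumed to come from running keytool -list -v against that key store on the Liberty host, and the sample s_client text is constructed.

```shell
# Added example, not from the original post; function names are hypothetical.

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client -showcerts` output on stdin.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }'
}

# Reduce "sha256 Fingerprint=AA:BB" or "SHA256: aa:bb" to bare upper-case hex.
normalise_fp() {
    printf '%s\n' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/.*[[:space:]=]//' |
        tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# verify_leaf <s_client-output> <expected-sha256> <pem-out>
# Writes <pem-out> only when the served certificate matches the expected fingerprint.
verify_leaf() {
    tmp=$(mktemp) || return 2
    extract_leaf_pem < "$1" > "$tmp"
    got=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256) ||
        { rm -f "$tmp"; return 2; }
    if [ "$(normalise_fp "$got")" = "$(normalise_fp "$2")" ]; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "fingerprint mismatch: do not add to keystore.kdb" >&2
        return 1
    fi
}

# Constructed sample of s_client text; the base64 is a placeholder, not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
U0VDT05E
-----END CERTIFICATE-----
---
EOF
}
```

Call it as verify_leaf ~/liberty.cer "<fingerprint from the Liberty host>" ~/liberty.pem (the output file name is an assumption) and pass the resulting file to the gskcapicmd -cert -add step.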

3 comments:

Unknown said...

Thanks Dave - The requirement is to allow pass through from an IHS server to an IGC server running in a VM Image hosted on a private subnet :-)

Unknown said...

Thanks for that Dave, really useful

Dave Hay said...

De nada, glad to be of use, Dave
