Friday, 10 March 2017

CTGSK3046W - IBM HTTP Server - Certificates and Permissions

I saw this: -

CTGSK3046W The key file "/tmp/ad2012.cer" could not be imported.

whilst trying to add a CA Signer certificate to a keystore using IBM HTTP Server: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file /tmp/ad2012.cer -db /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb -stashed

Having checked and double-checked my command, I then tried to use OpenSSL to validate the certificate: -

openssl x509 -inform der -in /tmp/ad2012.cer -text -noout

Error opening Certificate /tmp/ad2012.cer
140581419276192:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/tmp/ad2012.cer','r')
140581419276192:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate


which was more revealing.

A quick check: -

ls -al /tmp/ad2012.cer 

-rw------- 1 cloudusr cloudusr 915 Mar 10 19:26 /tmp/ad2012.cer

confirmed that it was likely a permissions issue.

Once I fixed the permissions (as root): -

chmod -R 777 /tmp

we're back in the game: -

openssl x509 -inform der -in /tmp/ad2012.cer -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:92:ac:6d:1a:57:e9:b4:43:d3:81:64:ff:9e:93:d6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=ibm, DC=uk, CN=uk-WINDOWS2012-CA
        Validity
            Not Before: Mar 10 13:15:36 2017 GMT
            Not After : Mar 10 13:25:36 2022 GMT
        Subject: DC=com, DC=ibm, DC=uk, CN=uk-WINDOWS2012-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

...

with the add operation: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file /tmp/ad2012.cer -db /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb -stashed

working as one would expect: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WINDOWS2012-CA,DC=uk,DC=ibm,DC=com
- bpm857.novalocal
*- bpm857.uk.ibm.com


allowing me to import my CA-signed certificate: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -receive -file /tmp/bpm857.uk.ibm.com_ihs.cer -db /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb -pw passw0rd -default_cert yes

and validate same: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -details -db /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb -stashed -label bpm857.uk.ibm.com

Label : bpm857.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 5b00000005a6a06a78791e1454000000000005
Issuer : CN=uk-WINDOWS2012-CA,DC=uk,DC=ibm,DC=com
Subject : CN=bpm857,DC=uk,DC=ibm,DC=com
Not Before : March 10, 2017 7:03:41 PM GMT+00:00
Not After : March 10, 2018 7:13:41 PM GMT+00:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    00 B1 61 3C 39 8C 63 36 4A 05 FD 72 30 20 A1 91
    C7 AE C1 FD A1 CC 08 B1 31 99 A9 E3 4A 32 B5 6A
    65 76 04 63 AF 9E 50 1A 49 76 13 08 0D 6F 0E 2C
    6F 66 1F 39 91 67 2F C2 70 22 0E BD 75 20 19 A2
    74 14 00 01 0B 12 9C 78 48 7C 43 6B A0 6B 92 9D
    F0 98 9E A6 F2 6C 3D 18 5E 5E 37 15 14 88 32 D1
    CE 9A 01 82 69 08 3B D2 75 46 DC F6 E5 DF 2C E1
    6D 48 D8 C1 62 38 28 D4 1F 99 A9 E0 50 C1 F3 F5
    AB BD EA 51 15 96 06 53 35 18 50 F5 4E 01 02 C5
    7A 19 3F B4 D9 C9 30 F5 72 C3 E9 31 8D 2A ED 8A
    67 C0 33 D5 46 87 29 A5 E0 6B 1D F1 02 28 3C 3A
    71 8D 55 5B FB 87 F8 CF 9D D1 F0 4E C0 9F 02 4D
    2C 07 1C 4A 3E 6A 8E 87 8F 0B 41 7D BF 52 B3 CF
    66 EE 99 ED 37 7B C9 08 90 D0 6B 45 92 6A 8D 50
    3D 18 16 57 6A B0 8A CB 59 21 F6 15 1E 82 1D E8
    84 9D 86 53 6F E2 07 54 60 68 40 37 EB 26 81 26
    9B 02 03 01 00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    83 1F 52 73 69 C9 BB 0D 29 CD D9 E7 D7 67 E0 EE
    15 FC 42 91
Fingerprint : MD5 : 
    BF 92 1F 65 02 07 1E 19 52 AD B1 79 D8 40 76 99
Fingerprint : SHA256 : 
    F0 7D 76 9A C7 C9 2F BD 74 A4 91 75 20 DA 01 00
    07 8C 26 95 A6 8A 1F F2 B0 AB B5 8A 6B 53 2E 3B
Extensions
    subjectAlternativeName
        dNSName: bpm857.uk.ibm.com
    SubjectKeyIdentifier
      keyIdentifier:
    45 DD 67 36 0A 15 45 EA 25 34 A7 EE 66 E4 A7 DA
    C1 7A FF AA
    AuthorityKeyIdentifier
      keyIdentifier:
    7D 5C 74 A0 48 F9 2B 97 01 6F 7D 62 28 E0 21 5A
    6E 85 39 2F
      authorityIdentifier:
      authorityCertSerialNumber:
    CRLDistributionPoints
      fullname:
      uniformResourceID:      keyIdentifier: GSKASNObject: OBJECT(tag=22, class=0)
 value: -----BEGIN HEX-----
16 40 66 69 6C 65 3A 2F 2F 2F 2F 77 69 6E 64 6F     .@file:////windo
77 73 32 30 31 32 2E 75 6B 2E 69 62 6D 2E 63 6F     ws2012.uk.ibm.co
6D 2F 43 65 72 74 45 6E 72 6F 6C 6C 2F 75 6B 2D     m/CertEnroll/uk-
57 49 4E 44 4F 57 53 32 30 31 32 2D 43 41 2E 63     WINDOWS2012-CA.c
72 6C                                               rl
-----END HEX-----


    AuthorityInfoAccess
    PKIX_AD_CA_Issuer (1.3.6.1.5.5.7.48.2)
      accessLocation:uniformResourceID: file:////windows2012.uk.ibm.com/CertEnroll/windows2012.uk.ibm.com_uk-WINDOWS2012-CA.crt
     (1.3.6.1.4.1.311.20.2)
        Value
    1E 12 00 57 00 65 00 62 00 73 00 65 00 72 00 76
    00 65 00 72
    basicConstraints
        ca = false
        pathLen = 7FFF2617ABC0
        critical
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
Value
    65 3C 5F 02 BA 62 F8 28 A7 23 44 A9 87 AE 3B 47
    63 0B 32 0E CA F6 E1 88 D3 B0 05 49 00 0E A8 17
    98 75 D9 A3 DE 0A 5C CA 12 B5 CF D3 D2 A3 D5 D2
    BD 8C 0C A3 66 B5 95 6E 1D EE C0 40 32 3E 15 C0
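As an added example (not from the original post, and not IBM's own tooling), the following script wraps the permission check, the OpenSSL parse and the two gskcapicmd steps above into a repeatable sequence. It assumes the same gskcapicmd path and keystore as the post; the function names, exit codes and the script name in the usage line are this example's own. It also shows the narrower fix a practitioner would normally prefer: making the one certificate file readable (mode 0644, since a CA certificate is public data) rather than `chmod -R 777 /tmp`, which additionally strips the sticky bit that /tmp relies on (mode 1777) to stop users deleting or renaming each other's files.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks around the
# gskcapicmd steps above, so a file-permission problem is reported plainly
# instead of surfacing as CTGSK3046W. Paths are the ones from the post;
# function names and return codes are this example's own (assumptions).

GSKCAPICMD=${GSKCAPICMD:-/opt/ibm/HTTPServer/bin/gskcapicmd}

# check_cert_readable FILE
# 0 = exists and is readable by the current user, 2 = missing, 3 = unreadable.
# This is the test that openssl's "fopen:Permission denied" was doing for us.
check_cert_readable() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "no such file: $f" >&2
        return 2
    fi
    if [ ! -r "$f" ]; then
        echo "not readable by $(id -un): $(ls -l "$f")" >&2
        return 3
    fi
    return 0
}

# make_cert_readable FILE
# Narrow fix: mode 0644 on the one certificate file. A recursive 777 on /tmp
# would also drop the sticky bit that /tmp normally carries (1777).
make_cert_readable() {
    chmod 0644 "$1"
}

# is_der_cert FILE
# 0 = OpenSSL parsed FILE as a DER certificate, 1 = not DER or corrupt,
# 5 = openssl not installed (the caller decides whether that matters).
is_der_cert() {
    command -v openssl >/dev/null 2>&1 || return 5
    openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1
}

# add_signer FILE KDB
# Runs the checks, then the same "-cert -add" the post uses (stashed password).
add_signer() {
    file=$1; kdb=$2
    check_cert_readable "$file" || return $?
    rc=0
    is_der_cert "$file" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "$file is not a DER certificate" >&2
        return 4
    fi
    "$GSKCAPICMD" -cert -add -file "$file" -db "$kdb" -stashed
}

# receive_signed FILE KDB
# The "-cert -receive" step for the CA-signed certificate, made the default.
receive_signed() {
    file=$1; kdb=$2
    check_cert_readable "$file" || return $?
    "$GSKCAPICMD" -cert -receive -file "$file" -db "$kdb" -stashed -default_cert yes
}

# Usage (script name is hypothetical):
#   sh import_signer.sh /tmp/ad2012.cer /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb [/tmp/bpm857.uk.ibm.com_ihs.cer]
if [ $# -ge 2 ]; then
    add_signer "$1" "$2" || exit $?
    if [ $# -ge 3 ]; then
        receive_signed "$3" "$2" || exit $?
    fi
fi
```

Running it with no arguments only defines the functions, so it can be sourced into an existing shell and the checks used on their own; `check_cert_readable` is the one to run first whenever gskcapicmd reports CTGSK3046W, since it tells you which user cannot read the file and what the mode actually is.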

