Wednesday, 11 October 2017

IBM HTTP Server - Tinkering with CMS Keystore Passwords

Last week, I was demonstrating to a client how one can change the password on a Certificate Management System (CMS) using the IBM Global Security Toolkit (GSK).

Therefore, I'd changed the password from my default ( passw0rd ) to something else ( f00bar ).

To make it 100% clear, this is a sacrificial TEST VM, hence the weak password.

Alas, muscle memory makes me type the old password each and every time ( yes, I can/do use the stashed password when I remember ).

This is how I check what password I currently have: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw f00bar

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


and this is how I change it BACK to my favourite ( albeit weak ) password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -keydb -changepw -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw f00bar -new_pw passw0rd -stash

- Note that I'm stashing the new password as I change it

and this is how I verify the new password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


and this is how I verify the new stashed password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


Nice.
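Here is the same check / change-and-stash / verify sequence wrapped in a POSIX shell script, added as an example and not taken from the original post. The gskcapicmd path and the keystore location are the ones from the post; the GSKCAPICMD override variable and the stash-file permission check are my additions, assuming the usual GSKit convention that the stash lives in a .sth file beside the .kdb.

```shell
#!/bin/sh
# Added example: rotate the password of an IBM HTTP Server CMS keystore with gskcapicmd,
# stash the new password, verify it via the stash, and check the stash file's permissions.
# Assumption: the stash file is <name>.sth in the same directory as <name>.kdb.
GSKCAPICMD="${GSKCAPICMD:-/opt/IBM/HTTPServer/bin/gskcapicmd}"

# Return 0 if the stash file next to the given .kdb is readable by its owner only.
# The .sth holds an obfuscated (not encrypted) copy of the password, so anyone who can
# read it can open the keystore; 600 or 400 is what we want on a web server.
check_stash_perms() {
    sth="${1%.kdb}.sth"
    [ -f "$sth" ] || { echo "missing stash file: $sth" >&2; return 1; }
    # GNU stat first (Linux), BSD stat as a fallback (macOS).
    mode=$(stat -c '%a' "$sth" 2>/dev/null || stat -f '%Lp' "$sth")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "stash file $sth is mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# rotate_kdb_password <keystore.kdb> <old password> <new password>
# Mirrors the post: prove the old password works, change it with -stash, then prove
# the stash alone opens the keystore. Returns non-zero at the first failing step.
rotate_kdb_password() {
    db="$1"; old="$2"; new="$3"
    # 1. The old password must still open the keystore before we touch anything.
    "$GSKCAPICMD" -cert -list -db "$db" -pw "$old" >/dev/null || return 1
    # 2. Change the password and stash the new one in the same step.
    "$GSKCAPICMD" -keydb -changepw -db "$db" -pw "$old" -new_pw "$new" -stash || return 1
    # 3. Verify using only the stash, which is how IHS itself opens the keystore.
    "$GSKCAPICMD" -cert -list -db "$db" -stashed >/dev/null || return 1
    # 4. Make sure the freshly written stash is not readable by other local users.
    check_stash_perms "$db"
}

# Usage: rotate.sh /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb f00bar passw0rd
# Only runs when invoked with all three arguments, so the file can also be sourced.
if [ $# -eq 3 ]; then
    rotate_kdb_password "$1" "$2" "$3"
fi
```

Note that -pw and -new_pw put the passwords on the command line, where other local users can see them in ps output and where they end up in the shell history; that is one more reason to use -stashed for the routine listing.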

Note that I'm using gskcapicmd rather than gskcmd, simply because the former uses a C++ API whereas the latter uses Java, as evidenced below: -

/opt/IBM/HTTPServer/bin/gskcmd -version

iKeyman 8.0.414
CMS provider version 2.57
Java version 1.8.0

(C) Copyright IBM Corp. 2007, 2012.
ALL RIGHTS RESERVED


/opt/IBM/HTTPServer/bin/gskcapicmd -version

GSKCAPICMD
==========
@(#)CompanyName:      IBM Corporation
@(#)LegalTrademarks:  IBM
@(#)FileDescription:  IBM Global Security Toolkit
@(#)FileVersion:      8.0.50.69
@(#)InternalName:     gskcapicmd
@(#)LegalCopyright:   Licensed Materials - Property of IBM GSKit 
                      (C) Copyright IBM Corp.1995, 2016 
                      All Rights Reserved. US Government Users 
                      Restricted Rights - Use, duplication or disclosure
                      restricted by GSA ADP Schedule Contract with IBM Corp.
@(#)OriginalFilename: gsk8capicmd_64
@(#)ProductName:      gsk8j (GoldCoast Build) 160809
@(#)ProductVersion:   8.0.50.69
@(#)ProductInfo:      16/08/03.02:49:36.16/08/09.17:05:03
@(#)CMVCInfo:         gsk8j_160808/gsk8j_doc gsk8j_160808/gsk8j_ikm gsk8j_160808/gsk8j_cms gsk8j_160615/gsk8j_support gsk8j_160525/gsk8j_pkg gsk8j_160803/gsk8j_ssl gsk8j_160413/gsk8j_acme

and it's typically bad practice to have Java installed/running on a web server, especially if it's located within a DMZ, as per this: -


