Monday, 10 September 2018

IBM WebSphere and "The provider for keystore type 'IBMCMSKS' is not available"

So this is a strange "feature" - whilst looking at my IBM WebSphere Plugin SSL keys, I see: -

The provider for keystore type 'IBMCMSKS' is not available.

Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.

using a command such as: -

/opt/ibm/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb -type cms

or: -

/opt/ibm/WebSphere/Plugins/java/jre/bin/ikeycmd -cert -list -db /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb -type cms

This ties up with this IBM APAR: -


which says, in part: -

IBM HTTP Server 8.5.5.11 or higher allow optionally selecting an embedded Java 8 for fresh installs. This java version requires minor changes to the existing ikeyman/gskcmd wrapper scripts to support CMS keystores

Similar changes were made for version 9.0, where Java 8 is always used.
...
Using Java 8 with IHS necessitates changes to the ikeyman and gskcmd wrapper scripts in order to maintain support for CMS keystores.
Pass -DADD_CMS_SERVICE_PROVIDER_ENABLED=true to java certificate management tools to ensure CMS keystores are available without manual configuration under Java 8.0.

This fix is targeted for IBM HTTP Server fix packs:

- 8.5.5.11
- 9.0.0.3


However, looking at the so-called wrapper scripts, I can already see that the ADD_CMS_SERVICE_PROVIDER_ENABLED=true JRE switch has been added.

Ordinarily, I'd use gskcapicmd rather than ikeycmd, in part because I don't want to rely upon Java being available on a box.

I can reproduce the problem: -

/opt/ibm/WebSphere/Plugins/java/jre/bin/java com.ibm.gsk.ikeyman.ikeycmd -cert -list -db /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb -type cms

The provider for keystore type 'IBMCMSKS' is not available.
….

and then mitigate using the switch: -

/opt/ibm/WebSphere/Plugins/java/jre/bin/java -DADD_CMS_SERVICE_PROVIDER_ENABLED=true com.ibm.gsk.ikeyman.ikeycmd -cert -list -db /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb -type cms

A password is required to access the source key database.
Please enter a password:
  
Certificates in database /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb:
   bpm.uk.ibm.com


I don't yet know why this is the case, but at least I have a mitigation.

Or, better still, just use gskcapicmd :-)

*UPDATE*

It turns out that I was "holding it wrong" - in essence, I should've been using the gskcmd wrapper script (which passes -DADD_CMS_SERVICE_PROVIDER_ENABLED=true to the JVM for you) rather than the JRE's ikeycmd, as per this: -

/opt/ibm/HTTPServer/bin/gskcmd  -cert -list -db /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb -type cms

A password is required to access the source key database.
Please enter a password:
  
Certificates in database /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb:
   bpm.uk.ibm.com

Easy when you know how!
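As an added example (my own, not code from the original post or from IBM), here is a small POSIX shell wrapper that encodes the lesson above: prefer the native gskcapicmd (no Java needed), fall back to the IHS gskcmd wrapper only if it really carries the -DADD_CMS_SERVICE_PROVIDER_ENABLED=true switch, and only as a last resort call the ikeycmd class directly with the switch added by hand, exactly as the mitigation above does. The install roots are the default paths used in the post and can be overridden via the environment; the stash-file handling (plugin-key.sth beside plugin-key.kdb) and the -stashed option are assumptions about your install that you should check against your GSKit version.

```shell
#!/bin/sh
# Added example (not from the original post): list the certificates in a CMS
# key database without tripping over "The provider for keystore type
# 'IBMCMSKS' is not available".
#
# Tool preference, most to least robust:
#   1. gskcapicmd  - native GSKit CLI, needs no Java at all
#   2. gskcmd      - IHS Java wrapper script, used only if it really passes
#                    -DADD_CMS_SERVICE_PROVIDER_ENABLED=true to the JVM
#   3. java -DADD_CMS_SERVICE_PROVIDER_ENABLED=true com.ibm.gsk.ikeyman.ikeycmd
#                  - direct class invocation with the switch added by hand
#
# Install roots are the IBM defaults from the post; override via environment.
IHS_ROOT="${IHS_ROOT:-/opt/ibm/HTTPServer}"
PLUGIN_ROOT="${PLUGIN_ROOT:-/opt/ibm/WebSphere/Plugins}"
CMS_SWITCH='-DADD_CMS_SERVICE_PROVIDER_ENABLED=true'

# cms_provider_enabled FILE : succeed if wrapper script FILE passes the switch.
cms_provider_enabled() {
    grep -q -- "$CMS_SWITCH" "$1" 2>/dev/null
}

# pick_cms_tool : print the command prefix to use, or fail if none is usable.
pick_cms_tool() {
    if [ -x "$IHS_ROOT/bin/gskcapicmd" ]; then
        printf '%s\n' "$IHS_ROOT/bin/gskcapicmd"
    elif [ -x "$IHS_ROOT/bin/gskcmd" ] && cms_provider_enabled "$IHS_ROOT/bin/gskcmd"; then
        printf '%s\n' "$IHS_ROOT/bin/gskcmd"
    elif [ -x "$PLUGIN_ROOT/java/jre/bin/java" ]; then
        # Same invocation as the post's mitigation, switch included.
        printf '%s\n' "$PLUGIN_ROOT/java/jre/bin/java $CMS_SWITCH com.ibm.gsk.ikeyman.ikeycmd"
    else
        return 1
    fi
}

# cms_list_args KDB : print the argument list for a certificate listing.
# If the matching stash file (plugin-key.sth next to plugin-key.kdb) exists,
# use -stashed so the password never appears on the command line (or in ps).
# Otherwise let the tool prompt, as in the post. Assumption: both gskcapicmd
# and gskcmd accept -stashed with -cert -list; confirm for your GSKit level.
# Paths containing spaces are not supported by this simple word-split design.
cms_list_args() {
    kdb=$1
    sth="${kdb%.kdb}.sth"
    if [ -r "$sth" ]; then
        printf '%s\n' "-cert -list -db $kdb -type cms -stashed"
    else
        printf '%s\n' "-cert -list -db $kdb -type cms"
    fi
}

# list_cms_certs KDB : run the listing with whichever tool was picked.
list_cms_certs() {
    tool=$(pick_cms_tool) || {
        echo "no CMS-capable key tool found under $IHS_ROOT or $PLUGIN_ROOT" >&2
        return 1
    }
    # $tool and the args are intentionally word-split: java + switch + class.
    # shellcheck disable=SC2046,SC2086
    $tool $(cms_list_args "$1")
}

# Stand-alone use: sh cms_list.sh /opt/ibm/WebSphere/Plugins/config/IHS/plugin-key.kdb
if [ $# -gt 0 ]; then
    list_cms_certs "$1"
fi
```

The check in cms_provider_enabled is the same one done by eye above: grep the wrapper for the -D switch before trusting it, so that on a box where the wrapper pre-dates the fix pack the script drops through to the explicit java invocation instead of failing with the IBMCMSKS message.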
