Showing posts with label SSL (Secure socket layer).

Tuesday, July 09, 2019

How to add a SAN (subject alternative name) value to the SSL certificate while creating a CSR in IHS7

In IHS7 the iKeyman GUI tool gives no option to add a SAN (subject alternative name) value while creating the CSR. If you are on this older version and still need the SAN in the request, use the following gsk7cmd command instead:

/home/IHS7/bin/gsk7cmd -certreq -create -db key.kdb -pw pass -label label_name -dn "cn=commonname,OU=organization_unit_name,O=Organisation_name,C=Country_name" -san_dnsname sandnsname -size 2048 -sig_alg SHA2WithRSA -file test.csr


NOTE: The common name should also appear in the SAN. Browsers check the host name against the SAN list and modern ones ignore the CN once a SAN is present, so a request whose SAN omits the CN host yields a certificate that fails host-name validation. Also note that -pw on the command line leaves the key database password in the shell history and, while the command runs, in the process list visible to other local users.

Friday, July 03, 2015

Configure custom keystores and truststores in WebSphere Application Server at cluster level

This post will guide you through creating and configuring custom keystores and truststores instead of the default ones that are created during profile creation.

Imagine two or more applications running on the same application server profile. If one of them needs its own certificates, this feature lets you give it a dedicated keystore and truststore; they can be configured at server or cluster level.

-> Default keystores and truststores are created and configured at cell level during profile creation.

-> Custom keystores and truststores can be created and configured at server, application, cluster or node level. This keeps one application's keys and trust anchors independent of the others.

In case of the following error:

Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

handshake_failure is the generic alert a peer sends when it cannot complete the handshake, so the message alone does not name the cause. The following steps fix the case this post is about: the server JVM is not using the keystore and truststore it should.

Creating the keystore and truststore from the console:

Step 1: Navigate to Security > SSL certificate and key management > Manage endpoint security configurations > Inbound > NodeName > ServerName > Key stores and certificates > New

Step 2: Fill in the relevant fields.

Name : CustomKeystore
Description : Keystore specific to an application
Management scope : Greyed out; it shows the scope you navigated from (cell, node or server). Here it is server scope.
Path : The path where the keystore file (for example keystore.p12) is to be created.
Password : The default is WebAS. That default is documented by IBM and known to everyone, so set your own password for a custom store.
Type : I chose PKCS12 (p12); choose whichever type you need.
Remotely managed : If the key file lives on a remote node, check this option and provide the alias of that node as it appears in serverindex.xml, otherwise an error is displayed.

Step 3: Click Apply; a file with the name you gave in Path is created.

Step 4: Follow the same process to create a truststore.

With the above steps, the keystore and truststore are created.

To make the application server use these keystores and truststores instead of the default keystore and truststore properties, follow these steps.

Step 1: Log in to the WebSphere Application Server console.

Step 2: Navigate to Servers > Server Types > WebSphere application servers > Server (select the server that should use the custom keystores) > Java and Process Management > Process Definition > Java Virtual Machine

Step 3: Add the following properties to the Generic JVM arguments.

-server -Djavax.net.ssl.trustStore=Path to truststore/trust.p12 -Djavax.net.ssl.trustStorePassword=WebAS -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.keyStore=Path to Keystore/key.p12 -Djavax.net.ssl.keyStorePassword=WebAS -Djavax.net.ssl.keyStoreType=PKCS12

Step 4: Apply the settings, restart the JVM and check the process information:

ps -eaf | grep java | grep <servername>

The output should show the arguments you added. Note that it also shows the keystore and truststore passwords in clear text to every local user who can run ps; that is the price of passing them as JVM arguments.

Keep in mind what these properties do: they set the default JSSE key and trust material, which only code that relies on the JSSE defaults picks up. The endpoints that WebSphere itself manages (the HTTPS transport chains, the admin and IIOP ports) take their stores from the SSL configurations under Security > SSL certificate and key management > SSL configurations, so a certificate change for those endpoints has to be made there, with the new keystore selected in the SSL configuration at the right scope.

That's it. The server is now using the customized keystores and certificates.
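Before restarting the JVM it is worth confirming that the two PKCS12 files actually contain what the arguments promise: a private-key entry in the keystore and, in the truststore, an anchor that validates the certificate the peer will present. The following shell script is an added example, not part of the original post or of WebSphere; it assumes openssl is on PATH, reuses the post's file names key.p12 and trust.p12 and its default password WebAS, and the self-signed certificates it creates are constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the PKCS12 keystore and
# truststore named by the -Djavax.net.ssl.* arguments before restarting the JVM.
# Assumptions: openssl on PATH; store password passed as an argument (the post's
# default is WebAS); every file created below is constructed demo material.

# Number of private-key entries in a PKCS12 store (a keystore needs at least one,
# a truststore should have none).
p12_key_count() {   # $1 = store, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout pass:unused 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Number of certificates in a PKCS12 store.
p12_cert_count() {   # $1 = store, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Subjects of all certificates in a store, one per line: what the JVM will
# trust (truststore) or present (keystore).
p12_subjects() {   # $1 = store, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed -n 's/^subject=//p'
}

# Does the truststore validate the end-entity certificate held in the keystore?
# This is the question a JVM answers during the handshake; "no" surfaces as an
# SSLHandshakeException. Exit status 0 = trusted.
truststore_validates_keystore_cert() {   # $1 = keystore, $2 = truststore, $3 = password
    d=$(mktemp -d)
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -clcerts 2>/dev/null > "$d/leaf.pem"
    openssl pkcs12 -in "$2" -passin "pass:$3" -nokeys 2>/dev/null > "$d/anchors.pem"
    if openssl verify -CAfile "$d/anchors.pem" "$d/leaf.pem" > /dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

# Build a constructed keystore/truststore pair, plus a deliberately wrong
# truststore that holds an unrelated self-signed certificate.
make_lab_stores() {   # $1 = directory, $2 = password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=app1.example.test" \
        -keyout "$1/app1.key" -out "$1/app1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/app1.key" -in "$1/app1.crt" -name app1 \
        -out "$1/key.p12" -passout "pass:$2"
    openssl pkcs12 -export -nokeys -in "$1/app1.crt" -name app1 \
        -out "$1/trust.p12" -passout "pass:$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.example.test" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    openssl pkcs12 -export -nokeys -in "$1/other.crt" -name other \
        -out "$1/wrong-trust.p12" -passout "pass:$2"
}

demo() {
    w=$(mktemp -d)
    make_lab_stores "$w" WebAS
    echo "keystore   : $(p12_key_count "$w/key.p12" WebAS) key(s), $(p12_cert_count "$w/key.p12" WebAS) cert(s)"
    echo "truststore : $(p12_key_count "$w/trust.p12" WebAS) key(s), $(p12_cert_count "$w/trust.p12" WebAS) cert(s)"
    p12_subjects "$w/trust.p12" WebAS | sed 's/^/trusted    : /'
    if truststore_validates_keystore_cert "$w/key.p12" "$w/trust.p12" WebAS; then
        echo "trust.p12 validates the key.p12 certificate"
    fi
    if ! truststore_validates_keystore_cert "$w/key.p12" "$w/wrong-trust.p12" WebAS; then
        echo "wrong-trust.p12 does not: a peer using it would fail the handshake"
    fi
    rm -rf "$w"
}

demo
```

Run the functions against the real stores by replacing the paths and password; the same password is assumed for both stores only because the post uses WebAS for both.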

Saturday, February 07, 2015

SSL0223E: SSL Handshake Failed, No certificate.

Error: 

[Date and Time stamp] [error] [client ip] [ds0] [789] SSL0223E: SSL Handshake Failed, No certificate. 

This error is logged when IHS has no server certificate to present: either the imported server certificate was not made the default certificate in the key database, or it is missing from the key database altogether.

Solution: 

-> If the certificate is missing, create and import it by following the instructions (up to step 6) in the following post:

http://serversideposts.blogspot.in/2015/01/install-ssl-certificates-on-ihs-using.html

-> Then list the certificates in the kdb; the certificate you imported should appear in the output:

./gskcmd -cert -list -db /opt/IHS/SSL/key.kdb

-> If the error persists, make the certificate the default one:
 
gskcmd -cert -setdefault -label servercertificate -db /opt/IBM/HTTPServer/SSL/key.kdb

Restart IHS to pick up the change. If httpd.conf names a label with the SSLServerCert directive, that label overrides the default certificate, so make sure it matches the label of the imported certificate (see the SSL0227E post below).

Friday, January 23, 2015

Install SSL certificates on IHS using the gskcmd command line utility on Solaris, Unix and Linux

The following instructions show how to create a CSR and import the signed certificate into the default kdb of IHS.

Step 1: Find the kdb

The default key.kdb is under the IHS installation path. Locate it and back up key.kdb together with its companion files (key.sth, key.rdb and key.crl) before executing the commands. key.rdb in particular holds the private key of a pending request, so losing it means the signed certificate can no longer be received.

Step 2: Create the CSR

Use the following command to create the CSR.

gskcmd is in the bin folder of IHS; depending on the IHS version the command is called gsk7cmd instead.

./gskcmd -certreq -create -db /opt/IHS/SSL/key.kdb -pw WebAS -label labelname -dn "CN=hostname, OU=ou name, O=organization, L=Location, ST=state, C=country code" -size 2048 -file filename.csr

-db is the path of key.kdb
-pw is the kdb password; the default password is WebAS
-label is the name of your choice under which the certificate is stored in the kdb
-dn is the distinguished name (subject) of the certificate:

CN = Common name (the DNS name you use in https://hostname)
OU = Organizational unit (ex: IT services)
O = Organization you work for, or for which the certificate is being configured
L = Locality, i.e. the city (ex: Munich)
ST = State or province
C = Two-letter ISO country code (ex: DE for Germany)

This command creates filename.csr from the information you provided.

Step 3: Certificate request

The CSR has to be sent to a certificate authority such as Verisign, Thawte or GeoTrust. They issue the server certificate and return it along with the root and intermediate certificates.

Step 4: Importing the server certificate

The following command imports the server certificate into the kdb file. It must be run against the same kdb in which the CSR was generated, because that is where the matching private key is stored.

Save the certificate file received from the signing authority as server.crt and execute the following command.

gskcmd -cert -receive -file server.crt -db /opt/IHS/SSL/key.kdb -pw WebAS -label servercertificate -format ascii

This imports the server certificate. If the receive fails because the issuer is unknown, perform step 6 first and then retry.

Step 5: Set the server certificate as default

The following command makes the server certificate the default. When the site is accessed over https, the default certificate is presented unless httpd.conf selects a label explicitly with SSLServerCert.

gskcmd -cert -setdefault -label servercertificate -db /opt/IHS/SSL/key.kdb

Step 6: Importing the CA/intermediate certificate

Along with the server certificate the signing authority sends the intermediate certificate. It has to be imported too, as a signer certificate, otherwise clients cannot build the chain from the server certificate to a root they trust and the SSL handshake fails.

Save the intermediate certificate as rootCAcertificate.crt (the file name and the label are your choice) and execute the following command.

gskcmd -cert -add -file rootCAcertificate.crt -db /opt/IHS/SSL/key.kdb -label primaryCA -pw WebAS -format ascii

Step 7: Populate the certificates

gskcmd -cert -populate -db /opt/IHS/SSL/key.kdb -pw WebAS

This adds the set of well-known root CA certificates shipped with GSKit to the kdb as signer certificates. Now point the Keyfile directive inside the SSL virtual host in httpd.conf at the kdb and restart IHS with the -DSSL option.

Basic gskcmd commands to check the certificates:

List the certificates : ./gskcmd -cert -list -db /opt/IHS/SSL/key.kdb 

Check the details of a request or of a certificate:

./gskcmd -certreq -details -label labelname -db /opt/IHS/SSL/key.kdb
./gskcmd -cert -details -label labelname -db /opt/IHS/SSL/key.kdb

Delete a certificate : ./gskcmd -cert -delete -label labelname -db /opt/IHS/SSL/key.kdb

Extract a certificate (here from a JKS store) : ./gskcmd -cert -extract -db certificate.jks -label labelname -target test_myne.cer -type jks
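The labels, files and commands above are GSKit's, but a kdb holds standard X.509 objects, so the checks that prevent the handshake errors described on this page can be done with openssl on the PEM files before anything is imported. The following shell script is an added example, not part of the original post or of IBM's tooling. It serves both the SAN post above (it builds a CSR with a SAN, the openssl equivalent of gsk7cmd -san_dnsname, and reads it back to confirm the CN is covered) and steps 4 and 6 here (it checks that a returned certificate matches the private key, which is what -cert -receive matches against the pending request, and that the intermediate really links the server certificate to the root). It assumes openssl is on PATH; the example.test names, the throw-away "Lab" CAs and every file under the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from GSKit: openssl checks on a
# CSR and on a returned certificate chain. Everything under the working
# directory is constructed for the demo (example.test names, a throw-away
# "Lab" root and intermediate CA); openssl must be on PATH.

# DNS names in the CSR's Subject Alternative Name extension, one per line.
csr_san_dns() {   # $1 = CSR file (PEM)
    openssl req -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Common name from the CSR subject.
csr_cn() {   # $1 = CSR file
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Browsers match the host name against the SAN list only, so the CN must be
# repeated there. Exit 0 when it is.
csr_san_covers_cn() {   # $1 = CSR file
    csr_san_dns "$1" | grep -qxF -- "$(csr_cn "$1")"
}

# Does the certificate carry the public key of this private key? A mismatch
# means the CA signed a different CSR, or the key database was recreated after
# the request was generated.
key_matches_cert() {   # $1 = private key (PEM), $2 = certificate (PEM)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the root -> intermediate -> server chain verify? The intermediate is
# passed as untrusted, exactly as a client sees it when the server sends it;
# if it is missing from the kdb, no client can build this chain.
chain_verifies() {   # $1 = server cert, $2 = intermediate cert, $3 = root cert
    openssl verify -CAfile "$3" -untrusted "$2" "$1" > /dev/null 2>&1
}

# Build a throw-away PKI: root CA, intermediate CA, and a server CSR with a SAN
# signed by the intermediate. $1 = working directory.
make_lab_pki() {
    cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[san]
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
    openssl req -x509 -config "$1/lab.cnf" -extensions ca -subj "/CN=Lab Root CA" \
        -newkey rsa:2048 -nodes -days 2 -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -new -config "$1/lab.cnf" -subj "/CN=Lab Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$1/inter.key" -out "$1/inter.csr" 2>/dev/null
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -days 2 -extfile "$1/lab.cnf" -extensions ca -out "$1/inter.crt" 2>/dev/null
    # The server CSR: CN plus a SAN (openssl's counterpart of -san_dnsname).
    openssl req -new -config "$1/lab.cnf" -reqexts san \
        -subj "/CN=www.example.test/O=Example Lab/C=DE" \
        -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" -CAcreateserial \
        -days 2 -extfile "$1/lab.cnf" -extensions san -out "$1/server.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_lab_pki "$d"
    echo "CSR CN  : $(csr_cn "$d/server.csr")"
    echo "CSR SAN : $(csr_san_dns "$d/server.csr" | tr '\n' ' ')"
    csr_san_covers_cn "$d/server.csr" && echo "SAN covers the CN"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "server.crt matches server.key"
    chain_verifies "$d/server.crt" "$d/inter.crt" "$d/root.crt" && echo "chain verifies with the intermediate"
    chain_verifies "$d/server.crt" "$d/root.crt" "$d/root.crt" || echo "chain fails without it (what a client sees when step 6 is skipped)"
    rm -rf "$d"
}

demo
```

To use it on a real request, point csr_san_dns and csr_san_covers_cn at the CSR produced by gskcmd, and before step 4 run key_matches_cert against the private key extracted from the kdb (or simply let the receive fail) and chain_verifies against the files the CA returned.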

Thursday, December 11, 2014

SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file

The following error appears in the IHS logs when the label named in httpd.conf does not exist in the key.kdb file.

SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
SSL0227E: SSL Handshake Failed

The label comes from the SSLServerCert directive in the SSL virtual host of httpd.conf; its value must be the label of a certificate in the key database named by the Keyfile directive.

Check the value next to SSLServerCert (this blog uses the host name or common name as the label) against the labels listed by gskcmd -cert -list.

Solution: either correct SSLServerCert to an existing label, or create or import a certificate (self-signed or CA-signed) with the right common name into key.kdb under that label.
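The two values involved live in different places, the directive in httpd.conf and the label in the kdb, so the quickest way to catch this error before a restart is to cross-check them. The following shell script is an added example, not part of the original post or of IBM's tooling: it pulls every SSLServerCert value from an httpd.conf and compares it with the label column of a saved gskcmd -cert -list output. Both input files it creates are constructed samples; the layout assumed for the listing (two header lines, then one label per line behind a "-", "*" or "!" marker) is an assumption about gskcmd output, and SSLServerCert values are assumed to be single tokens.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check SSLServerCert labels in
# httpd.conf against the labels present in the kdb. The httpd.conf and the
# gskcmd listing below are constructed samples; the listing format (two header
# lines, then one label per line after a "-", "*" or "!" marker) is an
# assumption about gskcmd output.

# SSLServerCert values from an IHS httpd.conf, one per line, in file order.
# Labels are assumed to be single tokens (no quoted spaces).
conf_server_certs() {   # $1 = httpd.conf
    awk 'tolower($1) == "sslservercert" { print $2 }' "$1"
}

# Key file(s) the configuration points at (Keyfile directive), de-duplicated.
conf_keyfiles() {   # $1 = httpd.conf
    awk 'tolower($1) == "keyfile" { print $2 }' "$1" | sort -u
}

# Labels from a saved "gskcmd -cert -list" output: skip the two header lines,
# drop the marker, keep the rest verbatim (CA labels often contain spaces).
kdb_labels() {   # $1 = saved listing
    awk 'NR > 2 && /^[-*!]/ { sub(/^[-*!][[:space:]]*/, ""); print }' "$1"
}

# Print every SSLServerCert label that is not in the kdb; exit 1 if any.
unknown_labels() {   # $1 = httpd.conf, $2 = saved listing
    n=0
    for label in $(conf_server_certs "$1"); do
        if ! kdb_labels "$2" | grep -qxF -- "$label"; then
            echo "$label"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed samples: two SSL virtual hosts, only one of whose labels exists.
make_samples() {   # $1 = directory
    cat > "$1/httpd.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
    SSLEnable
    Keyfile /opt/IHS/SSL/key.kdb
    SSLServerCert www.example.test
</VirtualHost>
<VirtualHost *:8443>
    SSLEnable
    Keyfile /opt/IHS/SSL/key.kdb
    SSLServerCert api.example.test
</VirtualHost>
EOF
    # Stand-in for the output of: gskcmd -cert -list -db /opt/IHS/SSL/key.kdb
    cat > "$1/labels.txt" <<'EOF'
Certificates found
* default, - personal, ! trusted
-	www.example.test
!	Lab Root CA
!	Lab Intermediate CA
EOF
}

# Usage: sh check-labels.sh httpd.conf labels.txt   (labels.txt = saved listing)
if [ "$#" -eq 2 ]; then
    unknown_labels "$1" "$2" && echo "all SSLServerCert labels exist in the kdb"
else
    d=$(mktemp -d)
    make_samples "$d"
    echo "Keyfile(s): $(conf_keyfiles "$d/httpd.conf")"
    unknown_labels "$d/httpd.conf" "$d/labels.txt" \
        || echo "^ not in the kdb: expect SSL0227E on that virtual host"
    rm -rf "$d"
fi
```

Save the real listing with gskcmd -cert -list -db key.kdb > labels.txt and pass it together with httpd.conf; a non-zero exit means at least one virtual host will log SSL0227E.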

SSL0166E: Failure attempting to load GSK library (libgsk7ssl.so) Configuration Failed

The following error is displayed in error_log when starting IHS after enabling the SSL module.

Error: [Tue Dec 09 00:00:18 2014] [notice] (2019)DSO load failed: SSL0166E: Failure attempting to load GSK library (libgsk7ssl.so) Configuration Failed

OS - Linux


To check whether the GSK library and the kdb file are usable, run:

/opt/HTTPServer/bin/gsk7capicmd -cert -list -db key.kdb

If the following error is shown instead, the cause is a 32-bit/64-bit mismatch between IHS and the libraries installed on the OS.

error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

i.e. a 32-bit IHS is installed, but the 32-bit support libraries it needs are not present in the OS's 32-bit library directory (/usr/lib on RHEL 6), so the above error is seen.

To check whether IHS is 32-bit or 64-bit, use the following command:

/opt/HTTPServer/bin/httpd -V

Solution: find the package that provides the missing library with the following command.

yum whatprovides libstdc++.so.5

Command output:

Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
compat-libstdc++-33-3.2.3-69.el6.i686 : Compatibility standard C++ libraries

Now install the package that provides libstdc++.so.5 (the i686 build, matching the 32-bit IHS):

yum install compat-libstdc++-33-3.2.3-69.el6.i686

Check the /usr/lib folder; libstdc++.so.5 is now listed.

Restart IHS; the SSL module now loads.
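The two facts behind this diagnosis, the word size of the binaries and the libraries the loader cannot find, can be read straight from the files instead of by trial-running gsk7capicmd. The following shell script is an added example, not part of the original post or of IHS; it assumes ldd and od are available and that the files to inspect (the post's /opt/HTTPServer/bin/httpd and the GSK library) are passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: read the facts behind an SSL0166E
# diagnosis directly from the files. Assumptions: ldd and od are available;
# the files to inspect are passed as arguments.

# Word size of an ELF file (32 or 64), taken from byte 4 of the ELF header
# (EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64). Exit 1, no output, for a non-ELF file.
elf_bits() {   # $1 = executable or shared object
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Shared libraries the dynamic loader cannot resolve for the file, one per line;
# empty when everything resolves. A 32-bit module on a host that only carries
# 64-bit libraries lists its unmet dependencies here, e.g. libstdc++.so.5.
missing_libs() {   # $1 = executable or shared object
    ldd "$1" 2>/dev/null | awk '/not found/ { print $1 }'
}

# True when both ELF files have the same word size: a 64-bit httpd cannot load
# a 32-bit libgsk7ssl.so and vice versa.
same_arch() {   # $1 = file, $2 = file
    a=$(elf_bits "$1") && b=$(elf_bits "$2") && [ "$a" = "$b" ]
}

# Report on one file; exit 1 if anything is unresolved so the call can be scripted.
report() {   # $1 = file
    bits=$(elf_bits "$1") || { echo "$1: not an ELF file" >&2; return 1; }
    missing=$(missing_libs "$1")
    if [ -z "$missing" ]; then
        echo "$1: ${bits}-bit, all shared libraries resolve"
    else
        echo "$1: ${bits}-bit, missing: $(echo "$missing" | tr '\n' ' ')"
        echo "  (install the ${bits}-bit build of each; on RHEL: yum whatprovides <name>)"
        return 1
    fi
}

# Usage: sh check-ihs-libs.sh /opt/HTTPServer/bin/httpd /path/to/libgsk7ssl.so
for f in "$@"; do
    report "$f"
done
```

For the case in the post, report on httpd shows "32-bit" and report on the GSK library lists libstdc++.so.5, which is the i686 package yum then has to provide.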

Tuesday, November 11, 2014

How to install OpenSSL and generate an SSL key and certificate request on Windows

Download and Install OpenSSL:

The software can be downloaded from a source such as Shining Light Productions (https://slproweb.com/products/Win32OpenSSL.html).

-> The installation is straightforward; just note the installation path, as it is needed when creating the key and CSR.

For example, I installed OpenSSL in C:\OpenSSL-win.

-> Create a working folder for the key and the request (for example C:\Openssl).

-> Open a command prompt with admin privileges and execute the following command.

       set OPENSSL_CONF=c:\OpenSSL-win\bin\openssl.cfg

This sets the variable for that command prompt session only; it is not a permanent Windows setting, so run it again in every new prompt.

-> Generate the key and certificate request (CSR) by executing the command below.
     It has to be run from the OpenSSL bin folder (C:\OpenSSL-win\bin).

       openssl req -nodes -sha256 -newkey rsa:2048 -keyout C:\Openssl\keyfile.key -out C:\Openssl\Certificaterequest.csr

-> You will be prompted for certificate fields such as the FQDN, location and state; enter them as they come up.

     This generates two files:
       a) keyfile.key -> the private key. -nodes left it unencrypted, so restrict access to this file; it is the secret the certificate will be bound to.
       b) Certificaterequest.csr -> this has to be sent to the CA to get the certificate.
      

Thursday, October 30, 2014

What is SSL (Secure Sockets Layer)?

SSL is an industry standard used by millions of websites to protect online transactions with their customers.

Why SSL ?? 

As a server admin I have come across many people asking "Why do we need SSL? How does it play an important role in security?" This is a valid question for anyone using the Internet. Secure Sockets Layer (SSL) is a commonly used protocol for securing message transmission on the Internet; its successor TLS is what servers actually negotiate today, but the name SSL has stuck.

Take net banking as a simple example. If the data is sent across the network unencrypted, anyone sitting on the path between you and the bank server can read your user names, passwords, credit card numbers and other sensitive information. With an SSL certificate installed and HTTPS enabled, all data between you and the server is encrypted, so it is unreadable to everyone except the server it is being sent to, and the certificate lets your browser verify that it is talking to the genuine server rather than an impostor.

"How SSL works" will be seen in the next blog. 

How to check if a site is secure ??  

Every site reachable over the https protocol presents a certificate, either CA-signed or self-signed.

In Mozilla Firefox: if the site is secured with HTTPS, the area to the left of the address contains the certificate information.

Screenshot from Firefox 5.0


In IE: the padlock next to the address bar contains the certificate information, as shown below. The certificate can be seen by double-clicking the padlock.

Screenshot taken from IE 7