One of my friends asked me how one can add SSL certificates to the Apache Tomcat SSL trust store underlying the IBM UrbanCode Deploy automation solution.
In this scenario, he needed to retrieve a certificate from IBM Rational Asset Manager (IRAM) into the UCD key store, in order that a UCD process can access IRAM.
I've done this for IBM HTTP Server and IBM WebSphere Application Server in the past, using the IBM Global Security Toolkit (GSK), but Tomcat uses something slightly different.
This blog post gave me the pointer: -
How to import IBM UrbanCode Deploy self-signed certificate in the client JVM for use with the REST API
and this is what I did: -
List Current Certificates in Key Store
/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 2 entries
server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A
Get IRAM Certificate
openssl s_client -showcerts -connect ucd61.uk.ibm.com:9443 </dev/null > ~/iram.cer
depth=1 C = US, O = IBM, OU = ucd61Node01, OU = ucd61Node01Cell, OU = Root Certificate, CN = ucd61.uk.ibm.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
(In my case, I'm using WAS 8.5.5 on port 9443 in lieu of IRAM)
Note that I needed to manually edit the retrieved file to strip the superfluous output around the certificate, possibly because the WAS certificate is self-signed, leaving just the PEM block, e.g.: -
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
otherwise, I end up with: -
keytool error: java.lang.Exception: Input not an X.509 certificate
Add IRAM Certificate to Key Store
/opt/IBM/Java/jre/bin/keytool -importcert -alias iram -file ~/iram.cer -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Owner: CN=ucd61.uk.ibm.com, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Issuer: CN=ucd61.uk.ibm.com, OU=Root Certificate, OU=ucd61Node01Cell, OU=ucd61Node01, O=IBM, C=US
Serial number: 1fd8dd3c41dd
Valid from: 11/12/14 21:28 until: 11/12/15 21:28
Certificate fingerprints:
MD5: 0F:E7:18:C1:69:1B:ED:FC:47:D7:B7:25:7A:5F:E5:8B
SHA1: 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
SHA256: 4F:F0:ED:7B:BA:E1:74:2A:20:E2:ED:B6:E8:6B:50:DD:6E:37:3B:0D:19:DB:8B:3C:A4:71:A6:69:44:56:FD:2C
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:AppSrv01-BASE-e30363df-5cb5-462a-bc4d-6b87509c4b54]]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 8c 13 fd f7 80 8b db L.......
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
List Current Certificates in Key Store
/opt/IBM/Java/jre/bin/keytool -list -keystore /opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore -storepass changeit
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 2 entries
iram, 22-Dec-2014, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:27:67:B7:DC:12:02:15:0C:90:2F:71:7D:F8:CB:59:5F:3D:34:72
server, 14-Dec-2014, keyEntry,
Certificate fingerprint (SHA1): 65:22:8A:B7:B8:EA:53:36:0D:75:E9:74:DF:20:90:DB:BB:C1:AC:4A
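The manual edit of the s_client output is the step most likely to go wrong, and skipping it is what produces the "Input not an X.509 certificate" error above. As an added example (my own script, not part of the original post), the shell below automates the whole sequence: it keeps only the first PEM block (the server's own leaf certificate) from `openssl s_client -showcerts`, checks it parses as X.509 and shows its fingerprint for comparison before anything is imported, and only then calls keytool. The keystore path and `changeit` password are the ones shown in the post; the hostname in the usage comment and the sample chain written by `write_sample_chain` are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: import a remote server's leaf
# certificate into the UCD Tomcat trust store without hand-editing the file.
set -eu

# Keystore location and default password as shown in the post.
KEYSTORE=/opt/ibm-ucd/server/opt/tomcat/conf/tomcat.keystore
STOREPASS=changeit   # Tomcat's shipped default; change it, as the post's closing note says
KEYTOOL=/opt/IBM/Java/jre/bin/keytool

# Count PEM certificate blocks in a file. `-showcerts` prints the whole chain,
# so a self-signed WAS server yields a leaf plus its root.
count_pem_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Print only the first PEM block (the leaf). The handshake chatter and
# "verify error" lines around it are what keytool rejects as "not an X.509".
extract_leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ && inblock { exit }' "$1"
}

# Fetch the chain from a live server and leave a clean leaf PEM in $3.
# stderr (the depth=/verify lines) is left on the terminal, as in the post.
fetch_leaf_cert() {   # usage: fetch_leaf_cert host port outfile
    openssl s_client -showcerts -connect "$1:$2" </dev/null > "$3.raw"
    extract_leaf_pem "$3.raw" > "$3"
    rm -f "$3.raw"
    # Sanity check before touching the keystore, and a fingerprint to compare
    # with what the server's owner says it should be.
    openssl x509 -in "$3" -noout -subject -fingerprint -sha256
}

# Import as a trusted certificate, then list the new entry. -noprompt skips
# the interactive "Trust this certificate?" question, so only call this after
# the fingerprint printed above has been checked.
import_trusted_cert() {  # usage: import_trusted_cert alias pemfile
    "$KEYTOOL" -importcert -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
    "$KEYTOOL" -list -alias "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Constructed sample of what `s_client -showcerts` emits: two dummy blocks
# (not real certificates) so the extraction can be exercised offline.
write_sample_chain() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = IBM, OU = Root Certificate, CN = example.invalid
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=example.invalid
   i:/OU=Root Certificate/CN=example.invalid
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAF
-----END CERTIFICATE-----
 1 s:/OU=Root Certificate/CN=example.invalid
-----BEGIN CERTIFICATE-----
ROOTROOTROOT
-----END CERTIFICATE-----
---
DONE
EOF
}

# Offline demonstration on the constructed sample (no network, no keystore changes).
SAMPLE=$(mktemp)
write_sample_chain "$SAMPLE"
echo "PEM blocks in s_client output: $(count_pem_blocks "$SAMPLE")"
extract_leaf_pem "$SAMPLE"
rm -f "$SAMPLE"

# Live use against a real server (hostname is a placeholder):
#   fetch_leaf_cert iram.example.invalid 9443 ~/iram.cer && import_trusted_cert iram ~/iram.cer
```

Importing only the leaf mirrors what the post does by hand; if the server's certificate is issued by an internal CA that signs several hosts, importing the CA block (the second one in the chain) instead is the more maintainable choice, since renewed server certificates then need no further keystore changes.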
What's next?
Yes, time to change the default password for the Tomcat key store...