Using GSKit Tool and Certificate Process

for IHS-WebSphere
21/07/2009

Introduction
Key Terminologies
Prerequisites
WebSphere Certificate Creation
KeyStores for HIS
WebSphere Plugin
WebSphere Application Server
Exchange Signer Certificates
Maintenance
Gsk7cmd Options

Command To check if the certificates are expired

Conclusion

Linux/Unix
Hari Patnaik
[email protected]
Using GSKit Tool and Certificate Process for IHS-WebSphere

Introduction

The WebSphere infrastructure uses keystores to sign and encrypt the traffic flowing
between the components. The document describes the process to create the
certificates required, along with sections for creating each keystore type using
GSKit commands and some useful command related to certificates and key store.
GSKit stands for Global Security Kit. GSKit provides SSL (Secure Socket Layer)
functions for IBM Products and IKeyman (IBM Key Management Utility) GSKit
packagesWAS, IHS, Edge, MQ, Tivoli, etc.

Key Terminologies

• SSL (Secure Sockets Layer) is an encryption system used on servers to

ensure privacy when transmitting data across internet.
• Server needs a public-private key pair and a certificate. The server uses its
private key to sign messages to clients.
• To send its public key to clients, the server needs a certificate issued by a
certification authority (CA).
• A certification authority (CA) is a trusted third party that issues certificates.
• CMS- conversational monitor system (CMS)
• JKS Format: Java Key Store
• IHS: IBM Http Server a Webserver.

Prerequisites

IBM HttpServer, WebSphere 6.1 installed on Linux environment. Installing GSKit

should be a separate task, using the root user ID if SSL configuration is required
and no version of GSKit is installed, or if the installed version is down-level. Launch
the GSKit installation from the WebSphere Application Server CDROM as follows: –

On Linux and UNIX platforms: GSKit/gskit.sh

On Windows operating systems: GSKit\setup.exe IHS6.1

WebSphere Certificate Creation

A standard WebSphere set up consists of 3 products: IBM HTTP Server (IHS) for
receiving web traffic, WebSphere Application Server (WAS) to run the web
applications, and WebSphere Plugin to route the traffic from IHS to WAS. Each
component requires a keystore to be generated with specific requirements.

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

Note:
I have used a common default install of GSKit on a linux environment located in
/usr/local/IBM/gsk7/. This should be replaced as appropriate if the path is different
on the server.

KeyStores for IHS

IHS requires a CMS-type keystore be created. By default, all IHS certificates must be
signed by an external Certificate Authority (CA).

Execute the following commands to create a CA-signed certificate in a CMS

keystore. The following section assumes the request is being sent to the CA-
Certificate Authority.

1. Execute the following commands to create a keystore and a certificate

request. Replace italicized values as appropriate:

export PATH=/opt/IBM/WebSphere/AppServer61/java/bin:
/usr/local/IBM/gsk7/bin: $PATH
this adds the correct path to be used by GSKit commands.
gsk7cmd -keydb -create -db <keystore>.kdb -pw <password> -stash
This generates set of files needed for the public and private Key generation.

gsk7cmd -certreq -create -db <keystore>.kdb -pw <password> -size 1024 -

dn "CN=dnslongname,O=Company,L=City,ST=State,C=Country" -label
dnsshortname -file dnsshortname.csr
This generates the raw certificate file which needs to be stamped by a
Certificate Authority(CA)

2. Complete a certificate request using the csr file and get it signed by CA.

3. The certificate authority can send more than one certificate. In addition to
the certificate for your server, the CA can also send additional signing
certificates or intermediate CA certificates. For example, Verisign includes
an intermediate CA certificate when sending a Global Server ID certificate.
Before receiving the server certificate, receive any additional intermediate
CA certificates. Follow the instructions in the Storing a CA certificate topic to
receive intermediate CA certificates.Obtain the Root CA and Intermediate
CA certificates, copy the files to the server in a temp directory, and execute
the following commands:

gsk7cmd -cert -add -db <keystore>.kdb -pw <password> -label RootCA -

format binary -file RootCA.cer

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

gsk7cmd -cert -add -db <keystore>.kdb -pw <password> -label

IntermediateCA -format binary -file IntermediateCA.cer

4. Once the certificate request has been completed, copy the generated .cer
file (referred to as cert.cer below) as a binary DER to the server in a temp
directory and execute the following command:

gsk7cmd -cert -receive -file cert.cer -db <keystore>.kdb -pw <password> -

format binary -default_cert yes
5. Restart IHS web server for make the change effective.

WebSphere Plugin

WebSphere Plugin requires a CMS-type keystore be created. By default, all

WebSphere Plugin certificates are self-signed. Execute the following commands to
create a self-signed certificate in a CMS keystore. Replace values as appropriate:

export
PATH=/opt/IBM/WebSphere/AppServer61/java/bin:/usr/local/ibm/gsk7/bin:$PATH

gsk7cmd -keydb -create -db <keystore>.kdb -pw <password> -stash

gsk7cmd -cert -create -db <keystore>.kdb -pw <password> -size 1024 -dn
"CN=dnslongname,O=Company,L=City,ST=State,C=Country" -label dnsshortname
-expire 365 -default_cert yes

Please note, the name of the keystore must be plugin-key.kdb. You must also take
note of the name of the personal certificate created, as it will be used when
exchanging signer certificates with the WAS keystore.

WebSphere Application Server

WebSphere supports keystores in a number of formats, but I have used commonly

used JKS format. By default, all WebSphere Application Server certificates are self-
signed. Execute the following commands to create a self-signed certificate in a JKS
keystore. Replace italicized values as appropriate:

export
PATH=/opt/IBM/WebSphere/AppServer61/java/bin:/usr/local/ibm/gsk7/bin:$PATH

gsk7cmd -keydb -create -db <keystore>.jks -pw <password> -type jks

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

gsk7cmd -cert -create -db <keystore>.jks -pw <password> -size 1024 -dn
"CN=dnsfullname,O=Company,L=City,ST=State,C=Country" -label servername -
expire 1825 -type jks

gsk7cmd -cert -extract -db <keystore>.jks -pw <password> -label servername -

target servername.cer -format binary –type jks

gsk7cmd -cert -add -db <keystore>.jks -pw <password> -label servernameKey -

format binary -file servername.cer –type jks

You must take note of the name of the personal certificate created, as it will be
used when exchanging signer certificates with the WAS keystore.

Exchange Signer Certificates

As both the Plugin and WAS certificates are self-signed, we must configure each
keystore to trust the other one. Execute the following commands to complete this.

1. Export the path in order to run GSKit commands:

export
PATH=/opt/IBM/WebSphere/AppServer61/java/bin:/usr/local/ibm/gsk7/bin:
$PATH

2. Export the personal certificate from the WAS JKS keystore:

gsk7cmd -cert -extract -db <keystore>.jks -pw <password> -label

servername -target servername.cer -format binary –type jks

3. Export the personal certificate from the Plugin CMS keystore:

gsk7cmd -cert -extract -db plugin-key.kdb -pw <password> -label

servername -target plugin.cer -format binary

4. Import the WAS personal certificate into the Plugin keystore:

gsk7cmd -cert -add -db plugin-key.kdb -pw <password> -label waskey -

format binary -file servername.cer

5. Import the Plugin personal certificate into the WAS keystore:

gsk7cmd -cert -add -db <keystore>.jks -pw <password> -label pluginkey -

format binary -file plugin.cer –type jks

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

Your keystores are now ready to be distributed to the appropriate servers. Restart
all the components and you are all set.

Maintenance
Gsk7cmd Options:

The folloing options can be used for the gsk7cmd command

Object Action Description
---- ------ ---------------------------------------------------------
-keydb -changepw Change the password for a key database
-convert Convert the format of a key database
-create Create a key database
-delete Delete a key database
-stashpw Stash the password of a key database into a file
-list Currently supported types of key database.
-cert -add Add a CA Certificate
-create Create a self-signed certificate
-delete Delete a certificate
-details Show the details of a specific certificate
-export Export a personal certificate and associated private key
into a PKCS12 file or a key database
-extract Extract a certificate from a key database
-getdefault Show the default personal certificate
-import Import a certificate from a key database or a PKCS12 file
-list List certificates in a key database
-modify Modify a certificate (NOTE: the only field that my be
modified is the trust field)
-receive Receive a certificate
-setdefault Set the default personal certificate
-sign Sign a certificate
-certreq -create Create a certificate request
-delete Delete a certificate request from a certificate request
database
-details Show the details of a specific certificate request
-extract Extract a certificate from a certificate request database
-list List all certificate requests in a certificate request
database
-recreate Recreate a certificate request
-version Display ikeycmd version information
-help Display this help text

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

Command To Check if the certificates are expired

1.$export
PATH=/opt/IBM/WebSphere/AppServer6/java/bin:/usr/local/ibm/gsk7/bin:$PATH
2.Command to check which java is getting used:
$which java
Out put:/opt/IBM/WebSphere/AppServer6/java/bin/java
3. $ gsk7cmd -cert -list -db ProdIHSkeys.kdb -pw passw0rd$
Out put:
Certificates in database: ProdIHSkeys.kdb
RootCA
Entrust.net Global Secure Server Certification Authority
*********************************
VeriSign Class 3 Public Primary Certification Authority
*******************************
Thawte Personal Premium CA
*******************************
RSA Secure Server Certification Authority
ALIASNAME
*******************************
4. $gsk7cmd -cert -details -label ALIASNAME -db ProdIHSkeys.kdb -pw passw0rd$

Out Put:
Label: ALIASNAME
Key Size: 1024
Version: *****
Serial Number:******************************
Issued By: *******************
Address
Subject: DNSLONGNAME OF THE SITE
Company
Address
Valid From: <Date and Time> To: <Date and Time>
Fingerprint: ****************************************
Signature Algorithm: *****************
Trust Status: enabled

Interested areas are DNSLONGNAME OF THE SITE which is customerfacing Url

and the expiry date of the certificate. If the certificate is expired you need to follow
the above steps.

TCS Public
Using GSKit Tool and Certificate Process for IHS-WebSphere

Conclusion

In e business world most of the transactions where customer data needs to be secured
are achieved though SSL encryption system used on servers ensuring privacy
transmitting data across internet. They use public-private key pair and a certificate to
execute. The server uses its private key to sign messages to clients.To send its public
key to clients, the server needs a certificate issued by a certification authority (CA)
ex: veriSign etc. Then the customer reads the certificate through ViewCertificate and
may/may not wish to transmit their data by clicking yes/no on the Certificate which
gets popped up to the customer.IHS/Websphere pays key roles on enterprise
applications and Gskit like tools helps facilitate the process.

TCS Public