Certificate Management the ikeyman way

ikeyman Utility

The "ikeyman" is a GUI utility for certificate management. You might already be familiar with this utility, but this is a gentle effort from my side to provide an insight into it for the folks who are not aware of it. Normally this utility is found in the ..../jre/bin directory of the Java installation location.
The figures below are self-explanatory, hence I am not giving a detailed explanation.

Note:- Kindly post your comments, add-ons and of course the "likes" on this blog.

Creating a new key database
 
Figure 1

Open ikeyman and then select "New" from the "Key Database File" menu.


Figure 1a
1.) Select the "Key Database File Type" value. This is the format of the key DB file; the available types are JKS, JCEKS and PKCS12.
2.) Enter a filename for the new DB.
3.) Type the location to store the key DB file.
4.) Press OK.

Figure 1b
Enter a password for the new DB file. Don't forget this password, as it is required to operate on the key DB file.



Figure 1c

This shows the filename and location of the DB and the certificate types. Confirm that the filename and location on this screen (Figure 1c) match Figure 1a.


Receiving a personal certificate

You can receive your personal certificate from the CA by using this option. This can be done only if you raised the certificate request from the current key DB file.



Figure 2a
1.) Select personal certificate.
2.) Press the receive button in the right panel.



Figure 2b
1.) Browse to the certificate file location.


Figure 2c

You can see the personal certificate label here. This label is the one you entered while creating the certificate request, and it can be changed by using the "Rename" option in the right panel.

Importing a certificate

This option is useful if you want to import a certificate from another key DB file. Suppose you created a certificate request from one key DB file and, after receiving the certificate from the CA, you want to add it to another key DB file. Here you can't use the "Receive" option, because you created the request from a different key DB file.
In this scenario, use the "Receive" option in the key DB where you originally created the certificate request to receive the personal certificate, and then import this certificate into any other key DB file.


Figure 4a

Select "New" from the "Key Database File" menu option.


Figure 4b

1.) Select the "Key Database File Type" value. This is the format of the key DB file; the available types are JKS, JCEKS and PKCS12.
2.) Enter a filename for the new DB.
3.) Type the location to store the key DB file.
4.) Press OK.
 
Figure 4c

Enter a password for the new key DB file.



Figure 4d

1.) Select "Personal Certificate" from the drop-down list.
2.) Press the import button in the right panel.


Figure 4e

1.) Select the key DB type of the file from which you want to import the certificate.
2.) Browse/Type the key DB filename from which you want to import the certificate.
3.) Confirm/Type the location.
4.) Press OK.


 
Figure 4f

Enter the password of the key DB file from which you want to import the certificate and then press OK.





Figure 4g


This will list the labels of the available certificates.
1.) Select the label of the certificate which you want to import.
2.) Press OK.



Figure 4h

Here you can change the label if you want. You can skip this if you don't want a label change.
1.) Select the label.
2.) Enter the new label.
3.) Press Apply (after this the label testca will be changed to personalCert).
4.) Press OK.



Figure 4i


This screen shows the label of the certificate which you just imported. If you want, you can select the label and press View/Edit to view the details of the certificate.

Creating a Self Signed Certificate


Figure 5a
Select "Open" from the Key Database File menu.

 
Figure 5b
1.) Enter the type of the key DB file which you are going to open.
2.) Browse/Type the filename.
3.) Confirm/Type the location.
4.) Press OK.

Figure 5c

Enter the password of the key DB file which you selected in Figure 5b.



Figure 5d
1.) Select "Personal Certificate" from the drop-down list.
2.) Press the "New Self Signed Certificate" button in the right panel.
3.) Enter the certificate details. I have marked certain key points here for your attention.
4.) Press OK.

Figure 5e
1.) Select the label "selfsigned".
2.) Press View/Edit to view the newly created self-signed certificate.

Figure 5f

This screen shows the details of the newly created self-signed certificate.

Adding Signers

Open a key DB file for adding the signers.


Figure 6a
Select "Signer Certificate" from the drop-down list.



Figure 6b

1.) Enter/Browse the filename of the signer certificate which you want to add.
2.) Confirm the location of the file.
3.) Press OK.


Figure 6c

Enter a label for the signer certificate.



Figure 6d
This displays the added signer certificate. Kindly note the label.

Extracting a Certificate

Open the key DB file.

Figure 6e

1.) Select "Signer Certificate" from the drop-down list.
2.) Select the label of the certificate which you want to extract.
3.) Press "Extract" in the right panel.
4a.) Select the data type.
4b.) Enter a filename to store the extracted certificate.
4c.) Type the location of the file.
4d.) Press OK.

This will create a file with the name testSignerExtract in the specified location and store the signer certificate with the label "testSigner" in it.

Synchronization Simplified


Synchronization is the process of updating the nodes with master configuration repository changes. The network deployment scenario of WebSphere Application Server contains multiple nodes managed by a Dmgr, and the Dmgr holds the master repository of configurations. Any updates or changes made through the Dmgr are saved in the master configuration, and the nodes become aware of these changes only after synchronization.

Synchronization is always from the Dmgr to the nodes and never happens vice versa. If you make any changes on the node side, they will be cleared during the next synchronization.


A Simple example

Consider the scenario below.

OS -----  Linux
HostA ----- Dmgr
HostB ------Node1 --- AppSrv01

It is suggested to stop the node agent process in Node1.
Autosync should be disabled (Figure 1).


Figure 1
As part of the tuning process you want to set the JVM heap size of Node1/AppSrv01 to Min 256 / Max 512. Let us look at the Dmgr (Figure 2) and Node1 (Figure 3) configurations before setting the values.
Neither of these configuration files has an entry for the JVM heap size (Linux OS), as no value is set for it currently.
 
Figure 2

Figure 3

Now let us set the heap size min value to 256 and max to 512 as below (Figure 4).


Figure 4
Make sure that you are not selecting the "synchronize changes with nodes" option (Figure 5), and then save the changes to the master repository.
 
Figure 5
Now let us examine the master configuration repository (Dmgr) for the changes we made. There you can see the newly created heap size entries (Figure 6).

Figure 6
As we disabled synchronization, the JVM configuration file of Node1 does not have that entry (Figure 7).

Figure 7
Now synchronize the master configuration repository changes with the nodes, either by running syncNode.sh/bat or by starting the nodes and then synchronizing from the console. This updates the JVM configuration file of Node1 with the latest updates of the master configuration (Figure 8).

Figure 8

Another simple and practical test for better understanding of synchronization

Test #1
Go under the config directory of the dmgr (master repository) and create a file.
Perform a full synchronization.

Navigate to the config directory of the node. It will contain the file which you created in the master configuration.
  
The reason for this is that during the full sync process it found a file in the master repository which is not there on the node, so the full sync process transfers this file to the node.

Test #2
Go under the node config directory and create a file.
Perform a full synchronization from the dmgr.
Navigate to the config directory of the node and check for the file which you created; the file will not be there.

The reason for this is that during the full synchronization process it found a file in the node repository (which you created) which is not there in the master repository, so the full sync process removes the file from the node to bring the configuration in sync with the master repository.
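To see Test #1, Test #2 and the heap-size walkthrough in one place, here is an added shell example that is not part of the original post: it builds a throwaway master repository and node config directory, reports the drift between them, and then performs the copy-down-and-remove behaviour that the two tests observe. The paths, cell and node names are constructed, and the JVM settings are assumed to live in the server's server.xml.

```shell
#!/bin/sh
# Added example (not from the original post): simulate Test #1, Test #2 and
# the heap-size change above on constructed temporary directories, and report
# drift between the master repository (dmgr) and a node's config directory.
# Paths, cell and node names are constructed; the JVM settings are assumed
# to live in the server's server.xml.
set -eu

WORK=$(mktemp -d)
MASTER="$WORK/dmgr/config"            # master repository (Dmgr, HostA)
NODE="$WORK/node01/config"            # Node1 repository (HostB)
SRV="cells/testCell/nodes/Node1/servers/AppSrv01"
mkdir -p "$MASTER/$SRV" "$NODE/$SRV"

# Figure 6 vs Figure 7: heap sizes saved at the Dmgr, not yet on the node.
echo '<jvmEntries initialHeapSize="256" maximumHeapSize="512"/>' > "$MASTER/$SRV/server.xml"
echo '<jvmEntries/>' > "$NODE/$SRV/server.xml"
echo "created at dmgr" > "$MASTER/cells/testCell/master-only.txt"   # Test #1
echo "created at node" > "$NODE/cells/testCell/node-only.txt"       # Test #2

# Relative paths of every regular file under a config root, sorted.
list_files() { (cd "$1" && find . -type f | sort); }

# drift_report MASTER NODE: one line per difference, so an administrator can
# see what a full sync would push down, and which node-side edits it would wipe.
drift_report() {
  m=$1; n=$2
  list_files "$m" | while read -r f; do
    if [ ! -f "$n/$f" ]; then echo "missing-on-node ${f#./}"
    elif ! cmp -s "$m/$f" "$n/$f"; then echo "differs ${f#./}"
    fi
  done
  list_files "$n" | while read -r f; do
    [ -f "$m/$f" ] || echo "extra-on-node ${f#./}"
  done
}

# full_sync MASTER NODE: make the node an exact copy of the master, which is
# what the two tests above observe: master files are copied down, and files
# that exist only on the node are removed.
full_sync() {
  m=$1; n=$2
  list_files "$n" | while read -r f; do
    [ -f "$m/$f" ] || rm -f "$n/$f"
  done
  list_files "$m" | while read -r f; do
    mkdir -p "$(dirname "$n/$f")"
    cp "$m/$f" "$n/$f"
  done
}

# Number of drift lines; 0 means the node is in sync with the master.
drift_count() { drift_report "$1" "$2" | wc -l | tr -d ' '; }

before=$(drift_count "$MASTER" "$NODE")   # 3: differs, missing-on-node, extra-on-node
drift_report "$MASTER" "$NODE"
full_sync "$MASTER" "$NODE"
after=$(drift_count "$MASTER" "$NODE")    # 0
echo "drift before sync: $before, after sync: $after"
```

The temporary tree is left under $WORK so the before/after state can be inspected; remove it when done.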

Types of Synchronization

There are two types of Synchronization

1.) Partial Synchronization: Only the configuration file(s) which changed at the Dmgr level are synchronized with the nodes.
2.) Full Synchronization: This synchronizes the entire master repository with the nodes.

Possible ways of Synchronization

1. syncNode.sh /syncNode.bat command from the nodes.
2. from the admin console or wsadmin
3. When node agent starts
4. During the federation process (addNode.sh).
5. Auto/scheduled sync.

syncNode.sh /syncNode.bat command from the nodes.

Usage: syncNode dmgr_host [dmgr_port] [-conntype ] [-stopservers]
[-restart] [-quiet] [-nowait] [-logfile ] [-replacelog]
[-trace] [-username ] [-password ]
[-localusername ] [-localpassword ]
[-profileName ] [-help]

Normally use it as: syncNode.sh -username -password

Note:- The node agent should be down to execute syncNode and this is always a full synchronization.

From the admin console or wsadmin

This can be either a partial or a full synchronization; it depends on the option selected.

When node agent starts

If this option is enabled, the node agent synchronizes with the master repository during the startup process. The very first synchronization after startup is a full synchronization, and subsequent synchronizations are partial synchronizations.

During the federation process

This is always a full synchronization.

Auto/scheduled sync

This is normally a partial synchronization but the very first synchronization after the node agent start will be a full synchronization.


Certificate Management by using gsk7cmd command

Command: gsk7cmd

Purpose: gsk7cmd is a command line tool for certificate management.
Prerequisite: set the JAVA_HOME variable.
Example: export JAVA_HOME=/usr/IBM/WebSphere/AppServer/java (this depends on your environment)

Parameters for below examples:

keystore Name: testcacerts.jks / test.kdb
password: changeit / testit

NOTE:- If you are practicing the examples below, kindly practice them in sequence, because there may be dependencies between them.

Command usage

# gsk7cmd -help

Object Action Description
------ ------ -----------
-keydb
            -changepw Change the password for a key database
            -convert Convert the format of a key database
            -create Create a key database
            -delete Delete a key database
            -expiry Display password expiry
            -list Currently supported types of key database.
            -stashpw Stash the password of a key database into a file

-cert
             -add Add a CA Certificate
             -create Create a self-signed certificate
             -delete Delete a certificate
             -details Show the details of a specific certificate
             -export Export a personal certificate and associated private key into a PKCS12 file or a key database
             -extract Extract a certificate from a key database
             -getdefault Show the default personal certificate
             -import Import a certificate from a key database or a PKCS12 file
             -list List certificates in a key database
             -listsigners List signer certificates delivered with ikeyman
            -modify Modify a certificate (NOTE: the only field that may be modified is the trust field)
            -populate Populate with included CA Certificates
            -receive Receive a certificate
            -rename Rename a certificate
            -setdefault Set the default personal certificate
            -sign Sign a certificate

-certreq

              -create Create a certificate request
              -delete Delete a certificate request from a certificate request database
              -details Show the details of a specific certificate request
              -extract Extract a certificate from a certificate request database
              -list List all certificate requests in a certificate request database
              -recreate Recreate a certificate request

-seckey

             -create Create a secret key
             -delete Delete a secret key
             -details Show the details of a specific secret key
             -export Export secret keys to a file
             -import Import secret keys from a file
             -list List all secret keys in a key database
             -rename Rename a secret key

-version   Display iKeyman version information

-help        Display this help text


Keystore Management  (-keydb)

Creating keystore by specifying password expiry

Example 1

#gsk7cmd -keydb -create -db test.kdb -pw changeit -type kdb -expire 7300

The above command creates a keystore file (test.kdb) of kdb type and sets the password expiry to 7300 days.

Example 2

# gsk7cmd -keydb -expiry -db test.kdb -pw changeit

This lists the password expiry of the keystore test.kdb.

Output:

Password expiry time: Aug 9, 2032 2:05:51 AM

Deleting the keystore

Example 3

#gsk7cmd -keydb -delete -db test.kdb -pw changeit

This deletes the keystore file test.kdb.

Creating a default keystore


Example 4
#gsk7cmd -keydb -create -db testcacerts.jks -pw testit

The above command creates a keystore file with the name testcacerts.jks and the password testit in the current directory.

Changing the keystore password

Example 5

#gsk7cmd -keydb -changepw -db testcacerts.jks -pw testit -new_pw changeit

This changes the password from testit to changeit.

Certificate Management (-cert)

Adding a certificate to a keystore without specifying a label

Example 6

#gsk7cmd -cert -add -file test.cer -db testcacerts.jks -pw changeit

This adds the certificate file test.cer to the testcacerts.jks keystore. If a label is not specified, one is generated (kindly note the label details in Example 7).

Example 7

#gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command lists the details of the certificate with the label "cn=TESTCERT, o=IBM, c=us" (the certificate which was added in Example 6).

Output

Label: cn=TESTCERT, o=IBM, c=us
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Deleting a certificate from the keystore

Example 8

#gsk7cmd -cert -delete -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command deletes the certificate with the label "cn=TESTCERT, o=IBM, c=us" (the certificate which was added in Example 6).

Example 9

#gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command confirms the delete operation in Example 8. The output below says the certificate with the label 'cn=TESTCERT, o=IBM, c=us' does not exist.

Output

The database doesn't contain an entry with label 'cn=TESTCERT, o=IBM, c=us'.
Check the label and try again.

Adding a certificate to a keystore with a label

Example 10

#gsk7cmd -cert -add -file test.cer -label "This is a cert" -db testcacerts.jks -pw changeit

This adds the certificate 'test.cer' with the label "This is a cert" (in Example 6 we added the certificate without specifying a label).

Example 11

#gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit

This confirms that the certificate test.cer has been added with the label "This is a cert"; check the output below.

Output

Label: this is a cert
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Renaming the label of a certificate

Example 12

#gsk7cmd -cert -rename -label "This is a cert" -new_label "The_new_label" -db testcacerts.jks -pw changeit

This renames the label "This is a cert" to the new name "The_new_label".

Example 13

#gsk7cmd -cert -details -label "The_new_label" -db testcacerts.jks -pw changeit

Example 13 and Example 14 confirm Example 12; check the output below.

Output

Label: the_new_label
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Example 14

#gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit

Example 14 and Example 13 together confirm Example 12: the output of Example 13 shows that the testcacerts.jks keystore contains a certificate with the label "The_new_label", and the output of Example 14 says the testcacerts.jks keystore does not have an entry with the label "This is a cert" (the label name before the rename).

Output

The database doesn't contain an entry with label 'This is a cert'.
Check the label and try again.

Extracting a certificate from the keyfile

Example 15

#gsk7cmd -cert -extract -label "The_new_label" -target "this_is_extracted_cert.cer" -db testcacerts.jks -pw changeit

This extracts the certificate with the label "The_new_label" into the file this_is_extracted_cert.cer; check the output below for file confirmation.

#ls this_is_extracted_cert.cer
this_is_extracted_cert.cer

Creating a self signed certificate

Example 16

gsk7cmd -cert -create -db testcacerts.jks -pw changeit -label 'New_Self_Signed' -dn CN=testSELFSIGN,O=ibm,C=in -expire 7300 -size 1024 -x509version 3

This creates a self-signed certificate with the label 'New_Self_Signed'.

Example 17

# gsk7cmd -cert -details -label 'New_Self_Signed' -db testcacerts.jks -pw changeit

This confirms the creation of the self-signed certificate; verify the certificate in the output below.

Output

Label: new_self_signed
Key Size: 1024
Version: X509 V3
Serial Number: 50 29 68 22
Issued by: CN=testSELFSIGN, O=ibm, C=in
Subject: CN=testSELFSIGN, O=ibm, C=in
Valid: From: Tuesday, August 14, 2012 2:18:34 AM IST To: Monday, August 9, 2032 2:18:34 AM IST
Fingerprint: 0C:D5:A0:6A:54:76:6B:3E:D0:3E:2E:42:1C:D0:32:43:66:82:FE:70
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
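A reviewer's check to run on the details output shown in Examples 7, 11, 13 and 17 (1024-bit keys, MD5/SHA1 signatures, issuer equal to subject): an added shell example that is not from the original post and not part of gsk7cmd. The sample text is a constructed copy of the Example 7 output, and the thresholds are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the text that
# "gsk7cmd -cert -details" prints (the format shown in Examples 7, 11, 13
# and 17 above) and flag certificates a reviewer would question. SAMPLE is
# a constructed copy of the Example 7 output; the thresholds are this
# example's assumptions, not anything gsk7cmd enforces.
set -eu

SAMPLE='Label: cn=TESTCERT, o=IBM, c=us
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled'

# field NAME: value of the first "NAME: value" line read from stdin.
field() { sed -n "s/^$1: *//p" | head -n 1; }

# audit_details: reads one certificate's details text from stdin and prints
# one finding per line; prints nothing when the certificate passes.
# Usage against a real key database:
#   gsk7cmd -cert -details -label "<label>" -db test.kdb -pw <pw> | audit_details
audit_details() {
  text=$(cat)
  label=$(printf '%s\n' "$text" | field "Label")
  size=$(printf '%s\n' "$text" | field "Key Size")
  sigalg=$(printf '%s\n' "$text" | field "Signature Algorithm" | cut -d' ' -f1)
  issuer=$(printf '%s\n' "$text" | field "Issued by")
  subject=$(printf '%s\n' "$text" | field "Subject")
  # Year of the "To:" date, e.g. "... To: Wednesday, May 8, 2030 2:01:04 AM IST".
  toyear=$(printf '%s\n' "$text" | field "Valid" | sed -n 's/.*To: .*, \([0-9][0-9][0-9][0-9]\) .*/\1/p')

  [ "${size:-0}" -ge 2048 ] || echo "$label: weak key size ${size:-unknown}"
  case "$sigalg" in
    MD5*|SHA1*) echo "$label: weak signature algorithm $sigalg" ;;
  esac
  [ "$issuer" != "$subject" ] || echo "$label: self-signed (issuer equals subject)"
  [ "${toyear:-0}" -ge "$(date +%Y)" ] || echo "$label: expired in ${toyear:-unknown}"
}

printf '%s\n' "$SAMPLE" | audit_details
```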



Useful keytool commands for certificate management

keytool command


keytool command location: "java_install_location"/jre/bin/keytool
cacerts location: "java_install_location"/jre/lib/security/cacerts

(Generally this is the location of the keytool command and of cacerts; it may vary based on your environment.)

Parameters for below examples


Alias Name/Label: "This is a cert"
Certificate Filename: testcert.cer
Keystore Name: cacerts

Importing Certificate

keytool -import -trustcacerts -alias "Alias_Name" -file "Filename" -keystore "keystore_Name"

Example:

keytool -import -trustcacerts -alias "This is a cert" -file testcert.cer -keystore cacerts

The above command imports testcert.cer into the keystore cacerts with the label "This is a cert".

Listing Certificate

keytool -list -keystore "keystore_name"


Examples:

keytool -list -keystore cacerts

Lists all the certificates in the keystore cacerts.

keytool -list -v -keystore cacerts

Lists all the details of all certificates in the keystore cacerts.

keytool -list -alias "This is a cert" -keystore cacerts

Lists the certificate with the alias "This is a cert" in the keystore cacerts.

keytool -list -v -alias "This is a cert" -keystore cacerts

Lists the certificate with the label "This is a cert" in the keystore cacerts.


keytool -list -v -keystore cacerts |grep Alias

Lists the alias of every certificate in the keystore cacerts.

Deleting the certificate

keytool -delete -alias "Alias_Name" -keystore "Keystore_Name"


Example:
keytool -delete -alias "This is a cert" -keystore cacerts

This will delete the certificate with the alias "This is a cert" from the keystore cacerts.

Enabling Global Security from wsadmin

To enable Global Security through the command line interface (wsadmin), you can follow the steps below.

Issue the wsadmin command from /bin.

Issue the commands below at the wsadmin prompt:

wsadmin>set security [$AdminConfig list Security]
wsadmin>$AdminConfig modify $security [list [list enabled true]]
wsadmin>$AdminConfig save

Steps in SSL communication...

Steps for SSL communication when server authentication is requested

Step 1. The client requests a secure page by using HTTPS.
Step 2. The server sends its public key and certificate to the client.
Step 3. The client checks that the certificate was issued by a trusted party (a trusted Certificate Authority), that the certificate has not expired, and that the certificate belongs to the contacted site.
Step 4. The client uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the encrypted URL required and other encrypted HTTP data.
Step 5. The server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
Step 6. The server sends back the requested HTML document and HTTP data, encrypted with the symmetric key.
Step 7. The client decrypts the HTTP data and HTML document using the symmetric key and displays the information.

WebSphere Tips & Tricks...

Disabling Global Security through command

Locate your profile_root/bin directory and run the wsadmin -conntype NONE command. At the wsadmin prompt, type 'securityoff' and then type 'exit' to return to a command prompt. Restart the server with security disabled to check any incorrect settings through the administrative console.