Thursday, February 23, 2012

Create Certificate Signer Request(CSR) using IBM Global Security Kit (GSKIT)


Scope: Using this document you can create a certificate signing request (CSR) to have it signed by a certificate authority (CA). The document takes a practical approach with detailed steps. IBM GSKit has both graphical and text-based tools to manage certificates and the key database, and this document covers both options. I will update this document to include any special instructions for other versions.

Product and Versions:
* IBM GSKit 7.x
* AIX Platform.
* Windows Platform.

Acronyms:
* GSKit - IBM GSKit
* SSL - Secure Sockets Layer
* KDB - Key Database.
* CA - Certificate Authority.

Assumptions:

* IBM GSKit has been installed on AIX or Windows.

Option One: Using Command line tools / Utilities.

Step 1: Log in to the AIX or Windows machine where GSKit is installed.

Step 2: Open a command prompt on Windows, or log in to a shell on AIX.

Step 3: Create a KDB of type CMS, by running the below command.

gsk7cmd -keydb -create -db [Key Database file Name] -pw [password] -type cms -stash

Example:
gsk7cmd -keydb -create -db example.com.kdb -pw somepassword -type cms -stash

Note: Make sure the GSKit commands (gsk7cmd, gsk7ikm) and java are on the PATH, and that the JAVA_HOME variable points to the Java installation location.


Step 4: Create a certificate signing request (CSR).

gsk7cmd -certreq -create -db [KDB file name and path] -pw [password] -type cms -label [unique label within the kdb file] -dn "CN=[domainname],O=[Organization Name],L=[location],S=[state],C=[country]" -size 2048 -default_cert no

Example:
gsk7cmd -certreq -create -db example.com.kdb -pw password -type cms -label example.com -dn "CN=example.com,O=Example Inc,L=Mountain View,S=California,C=US" -size 2048 -default_cert no


Step 5: Extract the certificate signing request from the KDB so that you can send it to the CA to have the certificate signed.


gsk7cmd -certreq -extract -db [KDB file name and path] -pw [password] -type cms -label [CSR label in the KDB] -target [path and file name of the file where the extracted CSR is to be stored]


Example:
gsk7cmd -certreq -extract -db example.com.kdb -pw password -type cms -label example.com -target /home/iuser/example.com.arm

Step 6: Send the extracted CSR (example.com.arm) to your preferred Certificate Authority (CA) and request that the CSR be signed. Once the CSR is signed, you will receive a signed certificate.

Please refer to "how to Update/Receive a CA signed cert into the Key Database (link coming soon)" for the steps to receive the signed certificate into the Key Database and associate it with the key pair generated during CSR creation.

Option Two: Using Graphical user interface.

Step 1: Log in to the AIX or Windows machine where GSKit is installed.

Step 2: Open a command prompt on Windows, or log in to a shell on AIX.
Note: For AIX you need an X server running locally (on your desktop) and the display exported from AIX to your machine.

Step 3: Launch the IBM GSKit Key Management Tool.

On AIX: run the 'gsk7ikm' command.

On Windows: start the IBM Key Management tool from the Windows START -> Programs -> IBM GSKIT -> IBM Key Management menu.

Note: Make sure the commands gsk7ikm and java are on the PATH, and that the JAVA_HOME variable points to the Java installation location.

Step 4: Create a KDB of type CMS.
  a) Click on the "Key Database File" menu and select "New", as shown in the screen shot below.


  b) Select the Key Database Type "CMS", enter the KDB file name and the path where the file is to be created, and click "OK".


  c) Enter the "password" and "confirm password", enable the "stash the password to a file" option, and click "OK".


Step 5: Create a Certificate Signer Request.


   a) Select "Personal Certificate Requests" from the list and click the "New" button.


   b) Enter the certificate details as shown below and click "OK".


    c) You will see a message stating that the certificate request has been created and the extracted CSR has been saved under e:\mykeys\example.com.arm

    d) Exit from the gsk7ikm utility.



Step 6: Send the extracted CSR (example.com.arm) to your preferred Certificate Authority (CA) and request that the CSR be signed. Once the CSR is signed, you will receive a signed certificate.

Please refer to "how to Update/Receive a CA signed cert into the Key Database (link coming soon)" for the steps to receive the signed certificate into the Key Database and associate it with the key pair generated during CSR creation.



Summary: In this how-to, you created a key database file of type "CMS" and created a certificate signing request with the label example.com. When you create a CSR, a key pair is generated; the CA uses the CSR to sign the certificate, which is then associated with the key created during CSR creation. You can use this CA-signed certificate to enable SSL on IHS and many other IBM products.


Comments welcome!!

Monday, February 20, 2012

Create Self Signed Cert using IBM Global Security Kit (GSKIT)

Scope: Using this document you can create a self-signed certificate, which can be used to set up SSL on IBM HTTP Server (IHS) and many other IBM products. The document takes a practical approach with detailed steps. IBM GSKit has both graphical and text-based tools to manage certificates and the key database, and this document covers both options. I will update this document to include any special instructions for other versions.

Product and Versions:
* IBM GSKit 7.x
* AIX Platform.
* Windows Platform.

Acronyms:
* GSKit - IBM GSKit
* SSL - Secure Sockets Layer
* KDB - Key Database.

Assumptions:

* IBM GSKit has been installed on AIX or Windows.

Option One: Using Command line tools / Utilities.

Step 1: Log in to the AIX or Windows machine where GSKit is installed.

Step 2: Open a command prompt on Windows, or log in to a shell on AIX.

Step 3: Create a KDB of type CMS, by running the below command.

gsk7cmd -keydb -create -db [Key Database file Name] -pw [password] -type cms -stash

Example:
gsk7cmd -keydb -create -db example.com.kdb -pw somepassword -type cms -stash

Note: Make sure the GSKit commands (gsk7cmd, gsk7ikm) and java are on the PATH, and that the JAVA_HOME variable points to the Java installation location.


Step 4: Create a self-signed certificate.

gsk7cmd -cert -create -db [KDB file name and path] -pw [password] -type cms -label [unique label within the kdb file] -dn "cn=[domain name]" -size 2048 -default_cert no

Example:
gsk7cmd -cert -create -db example.com.kdb -pw password -type cms -label example.com -dn "cn=example.com" -size 2048 -default_cert no
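The command-line procedures of both GSKit posts (create the CMS KDB, then either create and extract a CSR or create a self-signed certificate) as one small Python driver. This is an added example, not part of the original posts or of GSKit; it assumes gsk7cmd and java are on the PATH and that the DN values contain no commas, quotes or equals signs.

```python
"""Drive the gsk7cmd steps from the two GSKit how-tos above (added example).

Assumes gsk7cmd and java are on PATH and that DN values contain no commas,
quotes or equals signs (gsk7cmd takes the DN as one comma-separated string).
"""
import re
import subprocess

_BAD_CHARS = re.compile(r'[,"=]')


def build_dn(cn, org, locality, state, country):
    """Assemble the -dn string in the order the CSR post uses."""
    fields = [("CN", cn), ("O", org), ("L", locality), ("S", state), ("C", country)]
    for name, value in fields:
        if not value or _BAD_CHARS.search(value):
            raise ValueError(f"unusable value for {name}: {value!r}")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("C must be a two-letter ISO country code")
    return ",".join(f"{name}={value}" for name, value in fields)


def gsk7_commands(kdb, password, label, dn, target=None, size=2048):
    """Return argv lists: create the CMS KDB, then either create a CSR and
    extract it to `target`, or (target=None) create a self-signed cert.

    Lists, not a shell string, so "Example Inc" needs no quoting. Note that
    -pw still shows the password in the process list; run this from a
    protected account and keep the generated .sth stash file at mode 0600.
    """
    if size < 2048:
        raise ValueError("RSA key size must be at least 2048 bits")
    common = ["-db", kdb, "-pw", password, "-type", "cms"]
    cmds = [["gsk7cmd", "-keydb", "-create", *common, "-stash"]]
    if target:
        cmds.append(["gsk7cmd", "-certreq", "-create", *common, "-label", label,
                     "-dn", dn, "-size", str(size), "-default_cert", "no"])
        cmds.append(["gsk7cmd", "-certreq", "-extract", *common,
                     "-label", label, "-target", target])
    else:
        cmds.append(["gsk7cmd", "-cert", "-create", *common, "-label", label,
                     "-dn", dn, "-size", str(size), "-default_cert", "no"])
    return cmds


def run_all(cmds):
    """Run the steps in order and stop at the first one that fails."""
    for argv in cmds:
        subprocess.run(argv, check=True)
```

Call `run_all(gsk7_commands(...))` on a machine with GSKit installed; the argv lists can also be inspected first to confirm the exact commands that will run.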

Option Two: Using Graphical user interface.

Step 1: Log in to the AIX or Windows machine where GSKit is installed.

Step 2: Open a command prompt on Windows, or log in to a shell on AIX.
Note: For AIX you need an X server running locally (on your desktop) and the display exported from AIX to your machine.

Step 3: Launch the IBM GSKit Key Management Tool.

On AIX: run the 'gsk7ikm' command.

On Windows: start the IBM Key Management tool from the Windows START -> Programs -> IBM GSKIT -> IBM Key Management menu.

Note: Make sure the commands gsk7ikm and java are on the PATH, and that the JAVA_HOME variable points to the Java installation location.

Step 4: Create a KDB of type CMS.
  a) Click on the "Key Database File" menu and select "New", as shown in the screen shot below.


  b) Select the Key Database Type "CMS", enter the KDB file name and the path where the file is to be created, and click "OK".


  c) Enter the "password" and "confirm password", enable the "stash the password to a file" option, and click "OK".


Step 5: Create a self-signed certificate.


   a) Select "Personal Certificates" from the list and click the "New Self-Signed" button.


   b) Enter a unique "Key Label" and the "Common name" as shown below, and click "OK".


   c) Below you can see that a new self-signed certificate with the label 'example.com' has been created.


    d) Exit from the gsk7ikm utility.


Summary: In this how-to, you created a key database file of type "CMS" and created a self-signed certificate with the label example.com. When you create a self-signed certificate, a key pair is generated and the certificate is signed with that same key. You can use this self-signed certificate to enable SSL on IHS and many other IBM products.


Comments welcome!!

Friday, February 17, 2012

Configure LTPA on WebSphere Application Server(WAS) using Tivoli Access Manager e-business (TAMeb)

Scope: Using this document you can configure Single Sign-On (SSO) between WebSphere Application Server (6.x) and Tivoli Access Manager e-Business (6.0) using LTPA (Lightweight Third Party Authentication) tokens. The document takes a practical approach with detailed configuration steps. I will update this document to include any special instructions for other versions.

Product and Versions:
* WebSphere Application Server(6.x)
* Tivoli Access Manager e-Business (6.0)
* AIX Platform.

Acronyms:
* WAS - WebSphere Application Server.
* TAMeb - Tivoli Access Manager e-Business.
* LDAP - Lightweight Directory Access Protocol.

Assumptions:

* TAMeb is installed and configured.
* TAMeb WebSEAL is configured and running on AIX.
* WAS is installed and configured on AIX.
* Security on WAS is enabled using the TAMeb LDAP (click here to learn more).

Step 1: Export the LTPA key from WAS Admin Console.

a) Access the WAS Admin Console -> Click Security -> Click Authentication Mechanisms and expiration

Note: The screenshot below shows that "Administrative Security" and "Application Security" are enabled.




b) Enter the LTPA password in the "Password" field -> re-enter the password in the "Confirm password" field -> enter the LTPA key file name (in our example it is "example.com.ltpa.key") -> click the "Export Keys" button.

Note: The password and fully qualified key file name can be anything ('somepassword' in our example). This password is used to read the LTPA key when enabling LTPA on the TAMeb junction. The exported LTPA key is written under the Deployment Manager profile root.

EX: /opt/WebSphere/AppServer/profiles/Dmgr01/example.com.ltpa.key



Step 2: Copy the LTPA key file from the WAS server to the TAMeb WebSEAL server.

ex: /app/pdweb/ltpa/example.com.ltpa.key


Step 3: Create or Modify the TAMeb Virtualhost junction to enable LTPA authentication.

a) Connect to TAMeb Policy server.

$ pdadmin -a sec_master
Enter Password:
pdadmin sec_master>

b) Create a VirtualHost junction

server task [WebSEAL_Name] virtualhost create -t ssl -h [ServerName-IP] -p [PORT] -v [DomainName] -A -F [path_to_ltpa_key_file] -Z [password] -c iv-user [virtual_Host_Junction_Name]

Ex:
server task Webseal-Example virtualhost create -t ssl -h example-ihs-server.com -p 443 -v example.com -A -F /app/pdweb/ltpa/example.com.ltpa.key -Z somepassword -c iv-user example.com

Use the command below if you want to modify an existing virtual host junction; note the -f switch, which forces the existing junction to be replaced.

server task Webseal-Example virtualhost create -t ssl -h example-ihs-server.com -p 443 -v example.com -A -F /app/pdweb/ltpa/example.com.ltpa.key -Z somepassword -c iv-user -f example.com

Step 4: Exit from the TAMeb policy server (pdadmin) and test by accessing the TAMeb URL.

The WAS application receives the user name used to log in to TAMeb in the iv-user header.
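The WebSEAL side of Steps 2 and 3 above as an added Python example (not part of the original post or of the TAMeb product): it copies the exported LTPA key file with a restrictive mode, checks that the copy is usable and not readable by other accounts, and builds the pdadmin junction line with the same switches the post uses. Function and parameter names are this example's own.

```python
"""WebSEAL side of the LTPA setup from the post above (added example).

Assumes the WAS-exported key is reachable from the WebSEAL host and that
pdadmin is driven with the same junction parameters the post uses.
"""
import os
import stat


def check_ltpa_key_file(path):
    """Return problems with the LTPA key file, or an empty list if it is OK.
    The file is the shared secret that lets WebSEAL issue tokens WAS will
    accept, so it must exist, be non-empty, and be readable only by its owner."""
    if not os.path.isfile(path):
        return ["key file not found: " + path]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants group/other access")
    if os.path.getsize(path) == 0:
        problems.append("key file is empty")
    return problems


def copy_key_file(src, dst, overwrite=False):
    """Copy the exported key to dst (Step 2), created with mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    if not overwrite:
        flags |= os.O_EXCL  # refuse to clobber an existing key file
    with open(src, "rb") as f:
        data = f.read()
    fd = os.open(dst, flags, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    os.chmod(dst, 0o600)  # in case dst already existed with a looser mode


def junction_create_cmd(webseal, backend, port, domain, key_file, password,
                        junction, modify=False):
    """Build the pdadmin line from Step 3b: -A turns LTPA on, -F/-Z give the
    key file and export password, -c iv-user passes the user name to WAS,
    and -f (the post's 'modify' form) replaces an existing junction."""
    parts = ["server", "task", webseal, "virtualhost", "create", "-t", "ssl",
             "-h", backend, "-p", str(port), "-v", domain, "-A", "-F", key_file,
             "-Z", password, "-c", "iv-user"]
    if modify:
        parts.append("-f")
    parts.append(junction)
    return " ".join(parts)
```

Run `check_ltpa_key_file` on the copied key before issuing the junction command, since a missing or world-readable key file is the usual reason the junction is created but LTPA tokens are not accepted by WAS.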