Refer to Apache and SSL Certificates for conceptual references.

The tool for working with SSL Certificates on IHS is called IKEYMAN.

Verify GSKit Version

Most current installs should be fine. However, you should still ensure that the GSKit packaged with IHS can start and is at least the minimum version that supports 2048-bit certificates.

To start GSKit regardless of the environment, you must specify a JAVA_HOME that points to a version of Java with JCE. IBM should have packaged the right version of Java for you. On Windows, use the icon from the Start menu.

I actually don't remember why I have these instructions.

... not sure if needed START ...

Go to the command line and issue the following commands:

E:
cd \opt\IBMIHS\gsk7\bin
set JAVA_HOME=E:\opt\IBMIHS\java\jre
gsk7ikm.exe

... not sure if needed END ...

This should launch GSKit (the IBM Key Management program). Click Help, then About iKeyman, and confirm that the version is higher than 7.0.3.18.

Load Key Database File

IBM uses the concept of a Key Database File to protect the certificate private key. The first step is to create an empty key database file using the Key Management Utility:

  1. Key Database File
  2. New
  3. Key database type = CMS (can explain more about the format... later, but CMS is standard)
  4. File Name = krypton.kdb
  5. Browse... = C:\opt\IBMIHS\keys\

When the Password Prompt window appears, check Stash password to a file. Enter a password, which will from now on be used to protect the key database file, and click OK.

Stashing the password will keep the password with IHS. This means that IHS can be stopped and started without requiring you to enter the password to the key database file every time.

 

Generate CSR

Confirm your key database file is loaded. The IBM Key Management screen should now show:

DB-Type: CMS
File Name: C:\opt\IBMIHS\keys\krypton.kdb

Next, generate the CSR as follows:

  1. Create
  2. New Certificate Request...

At the Create New Key and Certificate Request window:

Key Label =
Key Size = 2048
Signature Algorithm = SHA1WithRSA
Common Name =

Warning About the IBM Key Management Utility

At this stage you have generated a CSR, which in turn generated a private key stored in your key database file krypton.kdb.

Before using the Key Management Utility on your own or any other database file, you should be aware that it has quite a few quirks. The most dangerous of them is that the Key Management Utility saves to the key database file arbitrarily, depending on your action, and saves things across multiple files.

It is strongly recommended to back up the complete set together. In this example that would be all files krypton.* and not just krypton.kdb.

I have personally had to recreate certificates from scratch due to improper backups.
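
The backup advice above, as an added PowerShell example that is not part of the original page: it copies every krypton.* file as one set, warns when a companion file is missing, and verifies each copy by SHA-256. The backup destination and the list of companion extensions (.sth, .rdb, .crl) are assumptions that the page does not state.

```powershell
# Added example (not from the original page): back up a CMS key database as one set.
# $KeyDir and $BaseName follow the page; $BackupRoot is a hypothetical destination.
param(
    [string]$KeyDir     = 'C:\opt\IBMIHS\keys',
    [string]$BaseName   = 'krypton',
    [string]$BackupRoot = 'D:\backup\ihs-keys'
)
$ErrorActionPreference = 'Stop'

# Every file that shares the database's base name: krypton.*, not just krypton.kdb.
$files = @(Get-ChildItem -Path $KeyDir -Filter "$BaseName.*" -File)
if (-not ($files | Where-Object { $_.Extension -eq '.kdb' })) {
    throw "No $BaseName.kdb found in $KeyDir"
}

# Assumption: iKeyman normally writes a stash file (.sth), a request database (.rdb)
# and a CRL file (.crl) beside a CMS .kdb. Warn if any of them is absent.
foreach ($ext in '.sth', '.rdb', '.crl') {
    if (-not ($files | Where-Object { $_.Extension -eq $ext })) {
        Write-Warning "$BaseName$ext is missing from $KeyDir; the set may be incomplete"
    }
}

# One timestamped folder per backup so the files always travel together.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "$BaseName-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Copy each file, then confirm the copy is byte-identical to its source.
$manifest = foreach ($f in $files) {
    $copy = Join-Path $dest $f.Name
    Copy-Item -LiteralPath $f.FullName -Destination $copy
    $src = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch for $($f.Name)" }
    "{0}  {1}" -f $dst, $f.Name
}

# The manifest lets a later restore check that the set is complete and unmodified.
# The copy holds the private key and the stashed password, so restrict access to
# $BackupRoot as tightly as to $KeyDir.
$manifest | Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')
Write-Output "Backed up $($files.Count) files to $dest"
```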

Import Private Key

...
