IBM Sterling Connect:Direct : Import C:D certificates on C:D WebService

If you set up Secure+ during the install, you need to import the certificates from C:D into C:D WebServices.

Below I provide some common error messages that appear when this is not configured.

= Procedure =

Import from C:D keystore to C:D WS Trusted Store - C:D and C:D WebService are on the same machine
I will import from cdkeystore.kdb to trustedkeystore.jks

 cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin
 ./ikeycmd -cert -import \
   -db /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb -pw changeit -label CDInternal \
   -target /opt/MFTWebServices/mftws/BOOT-INF/classes/trustedkeystore.jks -target_pw changeit \
   -new_label CDNODE02-CDInternal

Afterwards, you can open C:D WebService and check:

File:New-cert-cdws.png

And you need to change

347

= Tips =

Check your configuration
You can check it with the following command:

 cd /home/cdadmin02/cdunix/etc
 ./cdcustrpt

Check the following in cd.support.rpt:

 SPCLI> display all;
 ...
 Name=.Client
 Type=R
 Protocol=(TLS1.2,TLS1.3)
 Override=N
 SecurityMode=DefaultToLN
 AuthTimeout=120
 KeyCertLabel= CDInternal
 ClientAuth=Y
 CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...)

Check which certificates are in the C:D keystore:

 cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/
 ./ikeycmd -cert -list -db "/home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb" -pw changeit

The output:

 Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb:
 CDInternal

Common Error Messages
The following error messages can confirm this situation when you try to connect to C:D on User Functions.

Error on C:D WebService
Connect:Direct server is in stop state or ipAddress/port is invalid

You need to import the C:D certificates on C:D WebService.

Error on C:D log
 STAR=20230425 19:38:58.479|CCOD=8|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI=CSPA304E|MSGT=Client connection is not secure. Message ID CSPA304E, rc=8, fdbk=0.
 STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited. Pid=17600. Exitcode=0.

You need to import the C:D certificates on C:D WebService.
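To find this condition across a longer C:D log, the following added example (not part of the original page and not IBM tooling) parses the pipe-delimited records shown above and returns the CSPA304E events. It assumes field names are four uppercase characters or digits, as in the sample; the sample lines are the two records quoted above.

```python
import re
from datetime import datetime

# Sample input: the two records quoted on this page, one per line.
SAMPLE_LOG = """\
STAR=20230425 19:38:58.479|CCOD=8|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI=CSPA304E|MSGT=Client connection is not secure. Message ID CSPA304E, rc=8, fdbk=0.
STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited. Pid=17600. Exitcode=0.
"""

# Assumption: a field name is exactly four characters (STAR, CCOD, MSGI, ...).
FIELD_NAME = re.compile(r"[A-Z0-9]{4}")


def parse_record(line):
    """Split one log record into a dict of field name -> value."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")  # values may contain '=' (rc=8)
        if sep and FIELD_NAME.fullmatch(key):
            fields[key] = value
        elif fields:
            # Not a new field: message text that contained '|'. Re-attach it.
            last = next(reversed(fields))
            fields[last] += "|" + part
    return fields


def insecure_client_events(log_text):
    """Return every CSPA304E (client connection not secure) record."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("MSGI") != "CSPA304E" or "STAR" not in rec:
            continue
        events.append({
            "time": datetime.strptime(rec["STAR"], "%Y%m%d %H:%M:%S.%f"),
            "osid": rec.get("OSID"),
            "text": rec.get("MSGT", ""),
        })
    return events


if __name__ == "__main__":
    for ev in insecure_client_events(SAMPLE_LOG):
        print(ev["time"].isoformat(), ev["osid"], ev["text"])
```

A non-empty result after the import means a client is still connecting without a trusted certificate.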

The provider for keystore type 'IBMCMSKS' is not available
When I try to run

/opt/MFTWebServices/jre/bin# ./ikeycmd -cert -import ..

The error below happens:

The provider for keystore type 'IBMCMSKS' is not available. Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.

You need an ikeycmd that supports the IBMCMSKS keystore type. The ikeycmd on C:D has this configured correctly.

Error: Logon failed! Either Certificate or Authority is not configured
Check your /home/cdadmin02/cdunix/ndm/cfg/CDNODE02/userfile.cfg for user access.
