IBM Sterling Connect:Direct : Import C:D certificates on C:D WebService: Difference between revisions
(→Import from C:D keystore to C:D WS Trusted Store - C:D and C:D WebService are in the same machine) |
|||
| (23 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
If you setup Secure+ during the install you need to import certificates from C:D on C:D WebServices | If you setup Secure+ during the install you need to import certificates from C:D on C:D WebServices | ||
Bellow i provide some common error messages that happens when not configured. | |||
= Procedure = | |||
== Import from C:D keystore to C:D WS Trusted Store - C:D and C:D WebService are in the same machine == | |||
I will import from cdkeystore.kdb to trustedkeystore.jks | |||
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin | |||
./ikeycmd -cert -import \ | |||
-db /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb -pw changeit -label CDInternal \ | |||
-target /opt/MFTWebServices/mftws/BOOT-INF/classes/trustedkeystore.jks -target_pw changeit \ | |||
-new_label CDNODE02-CDInternal | |||
after you can open C:D WebService and check | |||
[[File:New-cert-cdws.png]] | |||
And you need to change | |||
[[File:New-cert2-cdws.png|347]] | |||
= Tips = | |||
== Check your configuration == | |||
You can check using command | You can check using command | ||
| Line 27: | Line 43: | ||
SecurityMode=DefaultToLN | SecurityMode=DefaultToLN | ||
AuthTimeout=120 | AuthTimeout=120 | ||
KeyCertLabel= | KeyCertLabel=<big>CDInternal</big> | ||
ClientAuth=Y | ClientAuth=Y | ||
CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...) | CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...) | ||
Check | |||
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/ | cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/ | ||
| Line 39: | Line 55: | ||
Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb: | Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb: | ||
CDInternal | <big>CDInternal</big> | ||
== Common Error Messages == | |||
The following message erros can confirm this situation when you try to connect to C:D on User Functions | |||
===Error on C:D WebService=== | |||
Connect:Direct server is in stop state or ipAddress/port is invalid | |||
you need to import C:D certificates on C:D WebService | |||
===Error on C:D log=== | |||
STAR=20230425 19:38:58.479|'''CCOD=8'''|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI='''CSPA304E'''|MSGT='''Client connection is not secure.''' Message ID CSPA304E, rc=8, fdbk=0. | |||
STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited. Pid=17600. Exitcode=0. | |||
you need to import C:D certificates on C:D WebService | |||
===The provider for keystore type 'IBMCMSKS' is not available=== | |||
When i try to run | |||
/opt/MFTWebServices/jre/bin# ./ikeycmd -cert -import .. | |||
The below errors happens | |||
The provider for keystore type 'IBMCMSKS' is not available. | |||
Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file. | |||
you need to have a ikeycmd with IBMCMSKS keystore type. The ikeycmd on C:D has this configured correctly. | |||
=== Error: Logon failed! Either Certificate or Authority is not configured=== | |||
check you /home/cdadmin02/cdunix/ndm/cfg/CDNODE02/userfile.cfg for user access | |||
= Ver também = | = Ver também = | ||
Latest revision as of 21:08, 16 November 2023
If you setup Secure+ during the install you need to import certificates from C:D on C:D WebServices
Bellow i provide some common error messages that happens when not configured.
Procedure
Import from C:D keystore to C:D WS Trusted Store - C:D and C:D WebService are in the same machine
I will import from cdkeystore.kdb to trustedkeystore.jks
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin ./ikeycmd -cert -import \ -db /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb -pw changeit -label CDInternal \ -target /opt/MFTWebServices/mftws/BOOT-INF/classes/trustedkeystore.jks -target_pw changeit \ -new_label CDNODE02-CDInternal
after you can open C:D WebService and check
And you need to change
Tips
Check your configuration
You can check using command
cd /home/cdadmin02/cdunix/etc ./cdcustrpt
check the following in cd.support.rpt
SPCLI> display all; ... Name=.Client Type=R Protocol=(TLS1.2,TLS1.3) Override=N SecurityMode=DefaultToLN AuthTimeout=120 KeyCertLabel=CDInternal ClientAuth=Y CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...)
Check
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/ ./ikeycmd -cert -list -db "/home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb" -pw changeit
the output
Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb: CDInternal
Common Error Messages
The following message erros can confirm this situation when you try to connect to C:D on User Functions
Error on C:D WebService
Connect:Direct server is in stop state or ipAddress/port is invalid
you need to import C:D certificates on C:D WebService
Error on C:D log
STAR=20230425 19:38:58.479|CCOD=8|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI=CSPA304E|MSGT=Client connection is not secure. Message ID CSPA304E, rc=8, fdbk=0. STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited. Pid=17600. Exitcode=0.
you need to import C:D certificates on C:D WebService
The provider for keystore type 'IBMCMSKS' is not available
When i try to run
/opt/MFTWebServices/jre/bin# ./ikeycmd -cert -import ..
The below errors happens
The provider for keystore type 'IBMCMSKS' is not available. Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.
you need to have a ikeycmd with IBMCMSKS keystore type. The ikeycmd on C:D has this configured correctly.
Error: Logon failed! Either Certificate or Authority is not configured
check you /home/cdadmin02/cdunix/ndm/cfg/CDNODE02/userfile.cfg for user access