IBM Sterling Connect:Direct : Import C:D certificates on C:D WebService
If you setup Secure+ during the install you need to import certificates from C:D on C:D WebServices
Bellow i provide some common error messages that happens when not configured.
Procedure
Import from C:D keystore to C:D WS Trusted Store - in same machine
I will import from cdkeystore.kdb to trustedkeystore.jks
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin ./ikeycmd -cert -import \ -db /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb -pw changeit -label CDInternal \ -target /opt/MFTWebServices/mftws/BOOT-INF/classes/trustedkeystore.jks -target_pw changeit \ -new_label CDNODE02-CDInternal
after you can open C:D WebService and check
Tips
Common Error Messages
The following message erros can confirm this situation when you try to connect to C:D on User Functions
- Error on C:D WebService
Connect:Direct server is in stop state or ipAddress/port is invalid
- Error on C:D log
STAR=20230425 19:38:58.479|CCOD=8|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI=CSPA304E|MSGT=Client connection is not secure. Message ID CSPA304E, rc=8, fdbk=0. STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited. Pid=17600. Exitcode=0.
- The provider for keystore type 'IBMCMSKS' is not available.
- When i try to run
/opt/MFTWebServices/jre/bin# ./ikeycmd -cert -import ..
- The below errors happens
The provider for keystore type 'IBMCMSKS' is not available. Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.
you need to have a ikeycmd with IBMCMSKS keystore type. The ikeycmd on C:D has this configured correctly.
Check your configuration
You can check using command
cd /home/cdadmin02/cdunix/etc ./cdcustrpt
check the following in cd.support.rpt
SPCLI> display all; ... Name=.Client Type=R Protocol=(TLS1.2,TLS1.3) Override=N SecurityMode=DefaultToLN AuthTimeout=120 KeyCertLabel=CDInternal ClientAuth=Y CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...)
Check
cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/ ./ikeycmd -cert -list -db "/home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb" -pw changeit
the output
Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb: CDInternal