IBM Sterling Connect:Direct : Import C:D certificates on C:D WebService

From Wiki

If you setup Secure+ during the install you need to import certificates from C:D on C:D WebServices


Bellow i provide some common error messages that happens when not configured.

Procedure

Import from C:D keystore to C:D WS Trusted Store - C:D and C:D WebService are in the same machine

I will import from cdkeystore.kdb to trustedkeystore.jks 

cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin

./ikeycmd -cert -import \
 -db /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb -pw changeit -label CDInternal \
 -target /opt/MFTWebServices/mftws/BOOT-INF/classes/trustedkeystore.jks -target_pw changeit \
 -new_label CDNODE02-CDInternal

after you can open C:D WebService and check

And you need to change

347

Tips

Check your configuration

You can check using command 

cd /home/cdadmin02/cdunix/etc
./cdcustrpt

check the following in cd.support.rpt 

SPCLI> display all;
...
 Name=.Client
 Type=R
 Protocol=(TLS1.2,TLS1.3)
 Override=N
 SecurityMode=DefaultToLN
 AuthTimeout=120
 KeyCertLabel=CDInternal
 ClientAuth=Y
 CipherSuites=(TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,...)

Check 

cd /home/cdadmin02/cdunix/jre/ibm-java-x86_64-80/jre/bin/
./ikeycmd -cert -list -db "/home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb" -pw changeit

the output 

Certificates in database /home/cdadmin02/cdunix/ndm/secure+/certificates/cdkeystore.kdb:
  CDInternal


Common Error Messages

The following message erros can confirm this situation when you try to connect to C:D on User Functions

Error on C:D WebService

Connect:Direct server is in stop state or ipAddress/port is invalid

you need to import C:D certificates on C:D WebService

Error on C:D log

STAR=20230425 19:38:58.479|CCOD=8|RECI=CSPA|RECC=CAEV|OSID=17600|TZDI=-25200|MSGI=CSPA304E|MSGT=Client connection is not secure.  Message ID CSPA304E, rc=8, fdbk=0.
STAR=20230425 19:38:58.481|RECI=CXIT|RECC=CAEV|OSID=17318|TZDI=-25200|MSGT=CMGR exited.  Pid=17600.  Exitcode=0.

you need to import C:D certificates on C:D WebService

The provider for keystore type 'IBMCMSKS' is not available

When i try to run 

/opt/MFTWebServices/jre/bin# ./ikeycmd -cert -import ..

The below errors happens 

The provider for keystore type 'IBMCMSKS' is not available.

Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.

you need to have a ikeycmd with IBMCMSKS keystore type. The ikeycmd on C:D has this configured correctly.

Error: Logon failed! Either Certificate or Authority is not configured

check you /home/cdadmin02/cdunix/ndm/cfg/CDNODE02/userfile.cfg for user access

Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_Sterling_Connect:Direct_:_Import_C:D_certificates_on_C:D_WebService&oldid=8586"