IBM Support

Maximo Email: Importing a Simple SSL Certificate the Old Fashioned Way

Technical Blog Post


Abstract

Maximo Email: Importing a Simple SSL Certificate the Old Fashioned Way

Body

In the article Email Listener Communications via GMail - Part I: Importing the SSL Certificate we covered the slick way that WebSphere allows you to import certificates.  This will not always be the case with other applications servers; you need to do it the old fashioned way with OpenSLL and Java's keytool. 

 

As mentioned in the previous article this is provided as guidance only:

 

In general, SSL certificates are acquired from certificate authorities.  The implementation of certificates falls in the province of the email server and application server.  Maximo does not directly (or even indirectly) handle or access SSL certificates.  The request for an SSL enabled connection is via a property issued to the JavaMail API.  Certificate handling occurs between the application server's JavaMail API and trust store and the email server.

 

For more detailed instructions on importing certificates or certificate related authentication issues, please consult your CA or application server support.

 

Fetch the certificate using OpenSSL

If you do not have OpenSSL on your system check here for the latest version supported on your operating system.  Some software installs the openssl executable.  However you want to make sure that you have the latest secure version, especially given recently discovered vulnerabilities in the implementation of the SSL algorithm such as POODLE and logjam attacks.

 

In this example we'll use GMail's SMPT server.  Acquire the certificate by running the following in a command prompt:

openssl s_client -connect smtp.gmail.com:465 > gmail.txt

If the command doesn't return you automatically to the command prompt, hit ctrl-c.  Open gmail.txt in a text editor and trim away everything except for the certificate block.

 

Before:

CONNECTED(000001F4)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIRU1aGVzo3ukwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwMjE4MTAxOTU2WhcNMTUxMjMxMDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWhzIM
jqZemjDUQZOzyhmeVu6uX+ZFWqnkXp4tliDcbPsrtyZQYxqw8XsArzCBKtp6DY85
rVy8IjFXoXtPHA/LMWDlvryELz2jV1z08x37yZ6FPDR056mysCOfCDFX4uNyunTf
lvR4f8oL0ngmSZdAAVCGc9jfTg9CQYXKCRHv1EIKF+T4vk5xgiNV3N8Wy6dbfVu3
KQlLwGzUh4WaaKqe8AzceiZsFUmz2eAFdhRGknu4/gyKeY5pHgkYKYx/Rzv2sgoG
8EuBQ9OQMOh3PptN8CCXhwwZn4pAS+ajV8ZfbHtMACmaQvNzbI1iI9QJKw42C9aj
a3VAN9QnbIw4MArBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSh6WggOBcK5Zwhr0O7+PFlnafafTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCNfO+0mq3Tmps8EANSmNeZGnMlaERs
akjh5pH5KSdL7CJGjzR77uv3M+wPOeP2xp8cXqlKCamuacCWmoB2PjTsdxrDwMs8
y7O8VRYFZ2h5wj3ssPEGTQPsjTezMeen0O9HgtZBYtoSis0HEr7MvFI5i8S/Qflp
84E7yqtwM4DOdcG38DvBilBWf3nRn9N24Utghichuu4y+KZmq16F2T5vI0aGBqDb
00IAmvJ7cmL1Ug+EWx7TGZADqrW1FvFdquWcLSx3WTUjTt1wH+GINGIVx0Z5TcSC
vvFoQe5EOuiZ8GaWT4c3RcNJCzfPVcHluy22RCft5K/YrxTi4LtLksy9
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

<snip>

 

 

After:

-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIRU1aGVzo3ukwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwMjE4MTAxOTU2WhcNMTUxMjMxMDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWhzIM
jqZemjDUQZOzyhmeVu6uX+ZFWqnkXp4tliDcbPsrtyZQYxqw8XsArzCBKtp6DY85
rVy8IjFXoXtPHA/LMWDlvryELz2jV1z08x37yZ6FPDR056mysCOfCDFX4uNyunTf
lvR4f8oL0ngmSZdAAVCGc9jfTg9CQYXKCRHv1EIKF+T4vk5xgiNV3N8Wy6dbfVu3
KQlLwGzUh4WaaKqe8AzceiZsFUmz2eAFdhRGknu4/gyKeY5pHgkYKYx/Rzv2sgoG
8EuBQ9OQMOh3PptN8CCXhwwZn4pAS+ajV8ZfbHtMACmaQvNzbI1iI9QJKw42C9aj
a3VAN9QnbIw4MArBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSh6WggOBcK5Zwhr0O7+PFlnafafTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCNfO+0mq3Tmps8EANSmNeZGnMlaERs
akjh5pH5KSdL7CJGjzR77uv3M+wPOeP2xp8cXqlKCamuacCWmoB2PjTsdxrDwMs8
y7O8VRYFZ2h5wj3ssPEGTQPsjTezMeen0O9HgtZBYtoSis0HEr7MvFI5i8S/Qflp
84E7yqtwM4DOdcG38DvBilBWf3nRn9N24Utghichuu4y+KZmq16F2T5vI0aGBqDb
00IAmvJ7cmL1Ug+EWx7TGZADqrW1FvFdquWcLSx3WTUjTt1wH+GINGIVx0Z5TcSC
vvFoQe5EOuiZ8GaWT4c3RcNJCzfPVcHluy22RCft5K/YrxTi4LtLksy9
-----END CERTIFICATE-----

 

 

Import the certification using Java's keytool

First locate your application server's key store.  For example, if you're running Weblogic under C:\weblogic it might be under C:\weblogic\wlserver\server\lib\DemoTrust.jks.

Next using the keytool from the server's JDK, install the certificate.  You'll be prompted for a password.  The default is DemoTrustKeyStorePassPhrase which you should change.

 

path_to_java\bin\keytool.exe -import -alias GMailCert -keystore path_to_truststore\DemoTrust.jks -file path_to_cert\gmail.txt
Enter keystore password:
Owner: CN=smtp.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
Serial number: 454d5a195ce8dee9
Valid from: 2/18/15 5:19 AM until: 12/30/15 7:00 PM
Certificate fingerprints:
         MD5:  5A:01:9E:79:12:D4:BF:B1:68:79:ED:FA:9E:CD:C0:F5
         SHA1: D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60
         SHA256: A8:4E:E7:70:F7:02:C7:E1:52:09:1D:A6:C7:84:57:5A:8C:C0:74:07:66:22:D5:D5:97:77:49:DB:1A:A7:CF:E4
         Signature algorithm name: SHA1withRSA
         Version: 3

.... <snip> ....

 

Trust this certificate? [no]:

 

Enter 'yes' and you're done.

 

Trust this certificate? [no]:  yes
Certificate was added to keystore

 

To verify the presence of the certificate,  list the aliases of the keys in the keystore:

 

path_to_java\bin\keytool.exe -list -keystore path_to_truststore\DemoTrust.jks
Enter keystore password:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 7 entries

<snip>
gmailcert, Jun 16, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60

<snip>

 

Note that the fingerprint for the for the GMail certificate matches the fingerprint listed on import.

 

 

 

 

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

UID

ibm11132449