IBM Support

Preparing PEM files from Java keystore file for NCAT SSL connection

Technical Blog Post


Abstract

Preparing PEM files from Java keystore file for NCAT SSL connection

Body

Generating PEM files from Java keystore file


The instructions provided here complement the SSL connection setup described in the Socket Java Probe user guide; they are especially useful when you want to use the Ncat tool for an SSL connection.


Ncat's SSL mode requires the key and the certificate as PEM files.

As the server, Ncat needs cert.pem and key.pem to open an SSL connection.

Server command:

ncat --listen --ssl --ssl-cert <cert.pem> --ssl-key <key.pem> -v <host> <port>

e.g.

ncat --listen --ssl --ssl-cert selfsigned.crt.pem --ssl-key keystore.pem -v your_machine_host_name port_number


As the client, Ncat needs cert.pem as its trust file so that it can verify the server's self-signed certificate when connecting over SSL.

Client command:

ncat --ssl-verify --ssl-trustfile <cert.pem> -v <host> <port>

e.g.

ncat --ssl-verify --ssl-trustfile selfsigned.crt.pem -v MY_MACHINE_NAME 4999


The steps for generating the PEM files are given below. The resulting JKS file can also be used as the KeyStore configuration for the Socket Java probe.


Step 1: Create a Java keystore (.jks) file

Important: When keytool prompts for the CN (common name) with the question 'What is your first and last name?', enter the hostname rather than the IP address. If the IP address is not permanently assigned to that machine (for example, your workstation on the office network), you would have to generate a new JKS and PEM file every time the IP changes, because Ncat, when operating as a listener, aborts if the target host/IP does not match the host/IP recorded in the given PEM file.


Command:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Output:

keystore.jks – Keystore File


Step 2: Export the certificate from the JKS file

Command:

keytool -export -alias selfsigned -file selfsigned.crt -keystore keystore.jks

Output:

selfsigned.crt – Certificate


Note: These two files are in DER format, a binary format that cannot be read in a text editor.

When creating the JKS file for a probe test, the CN field must be set to the hostname or IP of the machine on which the server will run, because the Ncat client's SSL verification aborts when it detects a discrepancy between the CN value and the host given on the command line.


Step 3: Convert the DER certificate to a PEM file

Command:

openssl x509 -inform DER -outform PEM -in selfsigned.crt -out selfsigned.crt.pem

Output:

selfsigned.crt.pem


Step 4: Convert the JKS file to P12 (PKCS#12) format

Command:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcalias selfsigned -srcstoretype jks -deststoretype pkcs12

Note: selfsigned is the alias used when creating the JKS file in step 1.

Output:

keystore.p12


Step 5: Convert the key in the P12 file to PEM format

Command:

openssl pkcs12 -in keystore.p12 -out keystore.pem

Output:

keystore.pem
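Before handing the two PEM files to ncat, it is worth checking that they actually go together and that the certificate's CN is the host name the client will connect to, since a mismatch only surfaces as an aborted SSL handshake. The following check script is an added example, not part of the IBM page or of ncat/keytool; it assumes the file names used in the steps above (selfsigned.crt.pem, keystore.pem) and, optionally, a PEM_PASS environment variable holding the key passphrase if keystore.pem was written with an encrypted key.

```sh
#!/bin/sh
# Added check script; not part of the IBM page or of ncat/keytool.
# Assumes the file names used in the steps above and the host name that will
# be passed to ncat. Optional: export PEM_PASS=<passphrase> if keystore.pem
# was written with an encrypted key (openssl pkcs12 without -nodes).

# Subject CN of a PEM certificate (empty if the certificate has none).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the private key belongs to the certificate: compare the public keys,
# which works for RSA and EC keys alike (comparing moduli is RSA-only).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${PEM_PASS:-}" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the CN equals the host the client will connect to (exact match here;
# ncat itself compares case-insensitively and consults subjectAltName first,
# but a keytool -genkey certificate as created in step 1 has no SAN).
cn_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 if the certificate is still valid for at least another 24 hours.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Run all checks; prints the first failure and returns 1, or prints ok.
check_ncat_pem() {
    cert=$1; key=$2; host=$3
    grep -q ENCRYPTED "$key" && echo "note: private key in $key is passphrase-protected"
    key_matches_cert "$cert" "$key" || { echo "FAIL: key in $key does not match $cert"; return 1; }
    cn_matches_host "$cert" "$host" || { echo "FAIL: CN '$(cert_cn "$cert")' != host '$host'"; return 1; }
    cert_not_expiring "$cert" || { echo "FAIL: $cert expires within 24 hours"; return 1; }
    echo "ok: $cert and $key are usable with ncat for host $host"
}

# Usage: sh check_pem.sh selfsigned.crt.pem keystore.pem your_machine_host_name
if [ $# -eq 3 ]; then
    check_ncat_pem "$@"
fi
```

Run it with the same host name you will put on the ncat client command line; keystore.pem as produced in step 5 contains both the key and the certificate, and openssl pkey reads the key part.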


UID

ibm11082301