Securing communication with IBM Security Guardium Key Lifecycle Manager container using a CA-signed certificate
You can enhance secure communication between a client (for example, browser, REST client) and the containerized IBM® Security Guardium® Key Lifecycle Manager server by using a certificate that is signed by a certificate authority (CA) for authentication in WebSphere® Application Server Liberty base. By default, a self-signed certificate is provided in the keystore.
About this task
The IBM Security Guardium Key Lifecycle Manager keystore is of Public Key Cryptography Standards #12 (PKCS12) keystore type. PKCS12 is an industry standard keystore type, which makes it compatible with other products.
The keystore, key.p12 file, is created in the resources/security directory when the IBM Security Guardium Key Lifecycle Manager server starts. The default password for the keystore is Ch@ngemypa55word. You can specify a different password when you initiate the IBM Security Guardium Key Lifecycle Manager application container.
The default keystore location in the sklmAppVolume volume is ${PRODUCTS_DIR}/serverConfig/key.p12.
Procedure
- List the existing entries in the keystore.

  ```
  keytool -list -v -keystore /path/key.p12 -storepass KEY_STORE_PWD -storetype PKCS12
  ```

  Sample output of the command:

  ```
  Keystore type: PKCS12
  Keystore provider: IBMJCE

  Your keystore contains 1 entry

  Alias name: default
  Creation date: Apr 29, 2020
  Entry type: keyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=localhost, OU=defaultServer, O=ibm, C=us
  Issuer: CN=localhost, OU=defaultServer, O=ibm, C=us
  Serial number: 1a2abd4
  Valid from: 4/29/20 6:57 AM until: 4/29/21 6:57 AM
  Certificate fingerprints:
       MD5: F1:0C:C7:DF:5B:72:4C:F7:60:34:06:30:F0:C1:08:56
       SHA1: F3:12:4F:8B:FC:0E:84:8F:21:90:77:13:20:0E:21:DC:00:80:15:70
       SHA256: 68:65:69:BA:E0:D5:BF:9C:D9:2E:DA:CD:DE:6C:52:8F:DF:48:61:FA:E0:34:9B:94:85:9B:4F:38:16:E6:CE:B9
  Signature algorithm name: SHA256withRSA
  Version: 3
  Extensions:
  #1: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 59 a7 12 19 9d d6 73 6f ac 06 e3 bf 33 cd c0 d3  Y.....so....3...
  0010: b5 5e 0f 90                                      ....
  ]
  ]
  #2: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
  [DNSName: localhost]]
  ```
- Generate a certificate signing request (CSR) for the CA to sign.

  ```
  keytool -certreq -file path/liberty.csr -alias default -keyalg RSA -keypass KEY_STORE_PWD -storetype PKCS12 -keystore path/key.p12 -storepass KEY_STORE_PWD
  ```

  Note: If the keystore already has entries, use the alias of the existing key entry (default in the sample output above).

- After you receive the CA-signed certificate, add the CA's own certificate (the CA public key, ca.crt) to the keystore as a trusted certificate entry.
  ```
  keytool -importcert -storetype PKCS12 -storepass KEY_STORE_PWD -keystore path/key.p12 -file path/ca.crt
  ```

- Add the CA-signed certificate to the keystore under the alias of the key entry.
  ```
  keytool -importcert -alias default -storetype PKCS12 -storepass KEY_STORE_PWD -keystore path/key.p12 -file OUTPUT_CA_SIGNED_FILE.crt
  ```

- List the existing entries in the keystore and verify the newly added certificate.
  ```
  keytool -list -v -keystore /path/key.p12 -storepass KEY_STORE_PWD -storetype PKCS12
  ```

  Sample output of the command:

  ```
  Keystore type: PKCS12
  Keystore provider: IBMJCE

  Your keystore contains 2 entries

  Alias name: default
  Creation date: Apr 29, 2020
  Entry type: keyEntry
  Certificate chain length: 2
  Certificate[1]:
  Owner: CN=localhost, OU=defaultServer, O=ibm, C=us
  Issuer: EMAILADDRESS=abc@abc.com, CN=SKLM, OU=ILL, O=IBM, L=Pune, ST=Maharashtra, C=IN
  Serial number: beb07bbc3c4d7ba23fd0d17e9dc4d16215e4d27
  Valid from: 4/29/20 7:17 AM until: 5/29/20 7:17 AM
  Certificate fingerprints:
       MD5: 0A:C0:C7:7D:70:7E:0E:E2:CD:3A:B6:06:C6:35:8D:00
       SHA1: A1:E8:3F:8A:7A:78:AB:0C:5C:58:FA:1D:14:30:08:47:47:36:E5:36
       SHA256: 51:08:A7:9A:E6:B7:D8:19:20:14:3C:47:CB:E9:2A:F1:42:A6:C0:5F:2D:AD:5C:65:CF:4F:76:5A:A4:18:3E:BE
  Signature algorithm name: SHA256withRSA
  Version: 1
  Certificate[2]:
  Owner: EMAILADDRESS=abc@abc.com, CN=SKLM, OU=ILL, O=IBM, L=Pune, ST=Maharashtra, C=IN
  Issuer: EMAILADDRESS=abc@abc.com, CN=SKLM, OU=ILL, O=IBM, L=Pune, ST=Maharashtra, C=IN
  Serial number: 1678019d645872109c3a78118050a6b23b2efe6a
  Valid from: 4/29/20 7:16 AM until: 5/29/20 7:16 AM
  Certificate fingerprints:
       MD5: B6:1B:07:2E:AD:9B:0C:95:04:AE:E8:BA:4A:E5:ED:D9
       SHA1: F9:D0:D2:8C:44:01:EA:B7:81:4A:3F:10:7F:60:AF:4B:64:71:BC:08
       SHA256: 50:8C:DF:5E:7B:B7:09:C9:2A:C2:81:3E:A4:0F:14:4E:07:1F:58:DC:E4:E0:70:19:C4:84:28:42:A5:E2:9C:2E
  Signature algorithm name: SHA256withRSA
  Version: 3
  Extensions:
  #1: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 12 71 bd c8 66 ac dd b4 9d 2d a1 86 ac ed 06 88  .q..f...........
  0010: c9 4b bf bf                                      .K..
  ]
  ]
  #2: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 12 71 bd c8 66 ac dd b4 9d 2d a1 86 ac ed 06 88  .q..f...........
  0010: c9 4b bf bf                                      .K..
  ]
  ]
  #3: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]

  *******************************************
  *******************************************

  Alias name: mykey
  Creation date: Apr 29, 2020
  Entry type: trustedCertEntry
  Owner: EMAILADDRESS=abc@abc.com, CN=SKLM, OU=ILL, O=IBM, L=Pune, ST=Maharashtra, C=IN
  Issuer: EMAILADDRESS=abc@abc.com, CN=SKLM, OU=ILL, O=IBM, L=Pune, ST=Maharashtra, C=IN
  Serial number: 1678019d645872109c3a78118050a6b23b2efe6a
  Valid from: 4/29/20 7:16 AM until: 5/29/20 7:16 AM
  Certificate fingerprints:
       MD5: B6:1B:07:2E:AD:9B:0C:95:04:AE:E8:BA:4A:E5:ED:D9
       SHA1: F9:D0:D2:8C:44:01:EA:B7:81:4A:3F:10:7F:60:AF:4B:64:71:BC:08
       SHA256: 50:8C:DF:5E:7B:B7:09:C9:2A:C2:81:3E:A4:0F:14:4E:07:1F:58:DC:E4:E0:70:19:C4:84:28:42:A5:E2:9C:2E
  Signature algorithm name: SHA256withRSA
  Version: 3
  Extensions:
  #1: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 12 71 bd c8 66 ac dd b4 9d 2d a1 86 ac ed 06 88  .q..f...........
  0010: c9 4b bf bf                                      .K..
  ]
  ]
  #2: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 12 71 bd c8 66 ac dd b4 9d 2d a1 86 ac ed 06 88  .q..f...........
  0010: c9 4b bf bf                                      .K..
  ]
  ]
  #3: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]
  ```

- Enable TLS communication in Liberty and configure httpEndpoint to use a TLS configuration other than the default keystore.
  - In the server.xml file, add the serverKeyAlias attribute to the ssl element. The serverKeyAlias attribute specifies the alias of the certificate in the keystore that is used as the server's key. This attribute is needed only if the keystore has more than one key entry.
    For example:
    ```
    <ssl id="defaultTLSConfig" keyStoreRef="defaultKeyStore" serverKeyAlias="default" sslProtocol="TLSv1.2"/>
    ```

  - Configure the keystore element in the server.xml file by adding the attributes pollingRate and updateTrigger.
    - pollingRate
      Rate at which the server checks for updates to a keystore file. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 100 milliseconds as 100ms; specify 1.5 seconds as 1s500ms.
    - updateTrigger
      Method that is used to trigger the server to reload a keystore file. Possible values:
      - disabled: Disables all update monitoring. Changes to the keystore file are not applied while the server is running.
      - mbean: The server updates the keystore only when prompted by the FileNotificationMbean. The FileNotificationMbean is typically called by an external program such as an integrated development environment or a management application.
      - polled: The server scans for keystore file changes at the polling interval and updates the keystore if the file has detectable changes.

    Specify polled so that the server checks the keystore file for changes.

    ```
    <keyStore id="defaultKeyStore" location="${PRODUCTS_DIR}/serverConfig/key.p12" password="{xor}DBQTEgg6PR4M" pollingRate="5s" updateTrigger="polled"></keyStore>
    ```
    For more information, see Configuration attributes.
- Launch the IBM Security Guardium Key Lifecycle Manager graphical user interface to confirm that no certificate error is displayed and verify that the CA-signed certificate is shown in the browser.
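As an added example (not from the IBM documentation), the following Python check reads a `keytool -list -v` listing together with the edited server.xml and confirms what the verification steps above look for: the alias that Liberty serves is a key entry whose chain links the server certificate to the CA, serverKeyAlias is present whenever the keystore holds more than one key entry, and the keystore is polled at a well-formed pollingRate. The listing and the server.xml fragment are constructed samples in the shape of the page's output, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, abbreviated keytool -list -v listing after the CA-signed chain was imported.
LISTING = """Alias name: default
Entry type: keyEntry
Owner: CN=localhost, OU=defaultServer, O=ibm, C=us
Issuer: CN=SKLM, OU=ILL, O=IBM, C=IN
Owner: CN=SKLM, OU=ILL, O=IBM, C=IN
Issuer: CN=SKLM, OU=ILL, O=IBM, C=IN
*******************************************
Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=SKLM, OU=ILL, O=IBM, C=IN
Issuer: CN=SKLM, OU=ILL, O=IBM, C=IN
"""
# Constructed server.xml fragment carrying only the two elements the procedure edits.
SERVER_XML = """<server>
<ssl id="defaultTLSConfig" keyStoreRef="defaultKeyStore" serverKeyAlias="default"/>
<keyStore id="defaultKeyStore" location="key.p12" pollingRate="5s" updateTrigger="polled"/>
</server>"""

def parse_listing(text):
    """Map alias -> (entry type, [(owner, issuer), ...]) from keytool -list -v output."""
    entries = {}
    for block in re.split(r"^\*+\s*$", text, flags=re.M):  # entries are separated by asterisk lines
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if alias:  # the empty block between two asterisk lines is skipped
            etype = re.search(r"^Entry type: (.+)$", block, re.M).group(1)
            certs = list(zip(re.findall(r"^Owner: (.+)$", block, re.M),
                             re.findall(r"^Issuer: (.+)$", block, re.M)))
            entries[alias.group(1)] = (etype, certs)
    return entries

def chain_is_ca_signed(entries, alias):
    """Key entry whose chain links leaf -> CA: each issuer is the next certificate's owner."""
    etype, chain = entries.get(alias, (None, []))
    if etype != "keyEntry" or len(chain) < 2:
        return False  # absent, a trusted-cert entry, or still the lone self-signed certificate
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))

def served_alias(xml_text, entries):
    """Alias Liberty will serve, or None when server.xml and the keystore disagree."""
    root = ET.fromstring(xml_text)
    ssl, ks = root.find("ssl"), root.find("keyStore")
    key_aliases = [a for a, (t, _) in entries.items() if t == "keyEntry"]
    alias = ssl.get("serverKeyAlias") or (key_aliases[0] if len(key_aliases) == 1 else None)
    if alias is None or not chain_is_ca_signed(entries, alias):
        return None  # serverKeyAlias is mandatory once a second key entry exists
    rate_ok = re.fullmatch(r"(?:\d+(?:h|ms|m|s))+", ks.get("pollingRate", ""))
    return alias if ks.get("updateTrigger") == "polled" and rate_ok else None
```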