Get client keystore and public SSL certificate using REST API
In IBM® Db2® Event Store, you can use REST APIs to return the client keystore file, the client keystore password and the public SSL certificate.
About this task
IBM Db2 Event Store uses SSL authentication by default. The SSL authentication in Db2 Event Store requires all external traffic to provide the public SSL certificate, which is recognized by the engine's SSL certificate key database. Db2 Event Store, through the REST server, uses REST APIs to return the client keystore file, the client keystore password and the public SSL certificate. Using the ConfigurationReader in Db2 Event Store, the client can pick up the client keystore and keystore password information, provided by the REST APIs, to establish the SSL connection with the engine.
Note: If you have replaced the default SSL certificate with your own SSL certificate, the REST API will not return the client keystore password by default. You can allow the REST API to return the user-provided SSL certificate by issuing the command explicitly. For more information, refer to User-provided SSL certificate.
Procedure
- Obtain the client keystore and keystore password.
  - Download the jq binary:
    wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
    chmod +x jq
    mv jq /usr/local/bin/
  - Get the client keystore file and client keystore password with the REST API.
  - For Db2 Event Store in an IBM Cloud Pak for Data deployment, you will have to provide the target deployment ID. Note: For information on how to find the target deployment ID, refer to Identifying the deployment ID of Db2 Event Store in an IBM Cloud Pak for Data deployment.
  - Define the target deployment ID:
    DEPLOYMENT_ID=<target deployment ID>
    For example:
    DEPLOYMENT_ID=db2eventstore-1557417655
  - Set the NAMESPACE variable to the namespace that Db2 Event Store was installed in. The default is zen. If you created a different namespace (also called an OpenShift project) for the Db2 Event Store installation, use that name instead of zen.
    NAMESPACE=zen
  - Get the REST_SERVER_ENDPOINT by running the following command:
    REST_SERVER_ENDPOINT=`oc get route ${NAMESPACE}-cpd -n ${NAMESPACE} -o jsonpath={.spec.host}`
  - Validate that the REST_SERVER_ENDPOINT command worked by entering the following command:
    echo $REST_SERVER_ENDPOINT
    The output should look like:
    zen-cpd-zen.apps.stroud-eventstore-2.cp.fyre.ibm.com
  - Get the bearerToken, replacing admin:password with a valid user ID and password for that user ID, such as eventstoreuser:eventstorepassw0rd. For example:
    bearerToken=`curl -k -X GET https://${REST_SERVER_ENDPOINT}/v1/preauth/validateAuth -u admin:password | jq -r '.accessToken'`
  - Validate that the bearerToken command worked by entering the following command:
    echo $bearerToken
    The output is the JWT access token, a long base64url-encoded string of the form header.payload.signature (the example token is not reproduced here).
  - Get the clientkeystore password by running:
    echo $(curl -k -i -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/keystore_password" | tail -1)
    Note: If the default SSL certificate is replaced by a user-supplied SSL certificate, the REST API will not return the client keystore password.
    The output of the clientkeystore command should look like:
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100    12  100    12    0     0    461      0 --:--:-- --:--:-- --:--:--   461
    wcm8nc4xY2QH
    The clientstore password is the last line of the output; in this example it is wcm8nc4xY2QH.
  - Get the clientkeystore file by running:
    curl -k -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/keystore" -o clientkeystore
    This creates a file called clientkeystore on your local filesystem. The file is a binary keystore and is not human readable; the validation step at the end of this procedure shows how to inspect it with both the keytool and OpenSSL commands.
  - Get the public SSL certificate file by running the following command:
    curl -k -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/certificate" -o eventstore.pem
    This command creates a file called eventstore.pem on your local filesystem.
  - Validate the public SSL certificate by running the following command:
    cat eventstore.pem
    The output should be a single PEM-encoded certificate, which looks like:
    -----BEGIN CERTIFICATE-----
    (base64 certificate body omitted)
    -----END CERTIFICATE-----
  - Validate the clientkeystore keystore file. There are two ways to accomplish this.
    - The first approach uses the keytool command, which comes with the Java Runtime Environment (JRE). If the keytool command is not found, run this command to install Java and its accompanying keytool command:
      yum install -y java
    - Run the keytool command:
      keytool -list -rfc -keystore clientkeystore -storepass <clientstore_password>
      where <clientstore_password> is the value of the clientstore password obtained previously. A successful output of this command should look like the following (certificate bodies omitted):
      Keystore type: PKCS12
      Keystore provider: SUN

      Your keystore contains 2 entries

      Alias name: client
      Creation date: Sep 13, 2021
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      -----BEGIN CERTIFICATE-----
      (base64 certificate body omitted)
      -----END CERTIFICATE-----

      *******************************************
      *******************************************

      Alias name: sslcert
      Creation date: Sep 24, 2021
      Entry type: trustedCertEntry
      -----BEGIN CERTIFICATE-----
      (base64 certificate body omitted)
      -----END CERTIFICATE-----

      *******************************************
      *******************************************

      Warning:
      <sslcert> uses a 1024-bit RSA key which is considered a security risk and is disabled.
    - The second approach uses the OpenSSL command on a Linux system. Install OpenSSL with this command:
      sudo yum install -y openssl
    - Run the following command:
      openssl pkcs12 -nokeys -info -in clientkeystore -passin pass:<clientstore_password>
      where <clientstore_password> is the value of the clientstore password obtained previously. A successful output of this command should look like the following (certificate bodies omitted):
      MAC: sha1, Iteration 100000
      MAC length: 20, salt length: 20
      PKCS7 Data
      Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
      PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
      Certificate bag
      Bag Attributes
          friendlyName: client
          localKeyID: 54 69 6D 65 20 31 36 33 31 35 37 39 30 34 37 39 38 32
      subject=O = ibm, CN = xyz.com
      issuer=O = ibm, CN = xyz.com
      -----BEGIN CERTIFICATE-----
      (base64 certificate body omitted)
      -----END CERTIFICATE-----
      Certificate bag
      Bag Attributes
          friendlyName: SSLCert
          2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
      subject=O = ibm, CN = xyz.com
      issuer=O = ibm, CN = xyz.com
      -----BEGIN CERTIFICATE-----
      (base64 certificate body omitted)
      -----END CERTIFICATE-----
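The procedure above as one checked script, added here as an example and not code from the IBM documentation: it assumes the same oc, curl and jq tools as the page, plus ES_USER and ES_PASS environment variables (names chosen for this example) holding the Cloud Pak for Data user ID and password, and it checks each downloaded artifact before reporting the keystore password.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM documentation. Wraps the page's REST calls
# in functions and checks each downloaded artifact before it is used.
# Assumed: oc, curl and jq are installed (as on the page), and ES_USER/ES_PASS
# hold the Cloud Pak for Data user ID and password (names chosen here).
set -eu

# Last non-empty line of a response with HTTP CR line endings removed. This is
# what the page's keystore_password call (curl -i ... | tail -1) relies on.
extract_password() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NF { last = $0 } END { print last }'
}

# A PKCS12 keystore is DER-encoded, so its first byte is 0x30 (ASN.1 SEQUENCE).
# An HTML or JSON error page saved under the same file name fails this check.
is_pkcs12_file() {
  [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Number of certificate blocks in a PEM file; eventstore.pem should hold one.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

fetch_artifacts() {
  local ns="${NAMESPACE:-zen}" dep="${DEPLOYMENT_ID:?set DEPLOYMENT_ID}" endpoint token api pw
  endpoint="$(oc get route "${ns}-cpd" -n "${ns}" -o jsonpath='{.spec.host}')"
  # -k is kept from the page: the route's TLS certificate is not verified here.
  token="$(curl -ks "https://${endpoint}/v1/preauth/validateAuth" \
             -u "${ES_USER:?}:${ES_PASS:?}" | jq -re '.accessToken')"
  api="https://${endpoint}/icp4data-databases/${dep}/zen/com/ibm/event/api/v1/oltp"
  pw="$(extract_password "$(curl -ksi -H "authorization: Bearer ${token}" "${api}/keystore_password")")"
  # Empty when the default certificate was replaced by a user-supplied one (see the Note above).
  [ -n "${pw}" ] || { echo "no keystore password returned" >&2; return 1; }
  curl -ks -H "authorization: Bearer ${token}" "${api}/keystore" -o clientkeystore
  curl -ks -H "authorization: Bearer ${token}" "${api}/certificate" -o eventstore.pem
  is_pkcs12_file clientkeystore || { echo "clientkeystore is not a PKCS12 file" >&2; return 1; }
  [ "$(pem_cert_count eventstore.pem)" -eq 1 ] || { echo "eventstore.pem is not one certificate" >&2; return 1; }
  printf 'keystore password: %s\n' "${pw}"
}

if [ "${1:-}" = "--run" ]; then
  fetch_artifacts
fi
```

Run it as `./get_keystore.sh --run` after exporting DEPLOYMENT_ID, ES_USER and ES_PASS; the helper functions can also be sourced on their own to check files fetched with the page's commands.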