If you are upgrading your point product and are currently using OpenSSL certificates, you must export your certificates to PKCS12 format before importing them as IBM® SSL certificates. The exported private and public certificates are stored in a password-protected file.
To export and import your existing OpenSSL certificates to PKCS12 format:
1. Export the certificate to PKCS12 format:
   - On the command line, navigate to the appropriate directory:
     - On Windows®: drive-letter:\Program Files\IBM\RationalSDLC\common\IHS\bin
     - On UNIX®: /opt/IBM/RationalSDLC/common/IHS/bin
     - On Linux®: /opt/ibm/RationalSDLC/common/IHS/bin
   - Enter the following command:
     openssl pkcs12 -export -in your_server_certificate.crt -out mapped_shared_location\server_cert.p12 -inkey your_server_private_key.key -name ibmhttp
     Note: Record the location of the file server_cert.p12. This is the PKCS12-formatted file that is imported into the IBM SSL Key Management store.
   - Enter the pass phrase used when the private key was originally created.
   - Enter an export password.
2. Upgrade the IBM SDK Policy Files to the unrestricted version to enable recognition of non-IBM certificate files.
   Note: Failure to upgrade the Policy Files will result in an error while importing the PKCS12 certificate.
   Follow the procedures in http://www.ibm.com/support/docview.wss?uid=swg21201170. Download the 1.4.2 version of the unrestricted policy files and replace the existing two policy files at these locations:
   - On Windows: drive-letter:\Program Files\IBM\RationalSDLC\common\IHS\_jvm\jre\lib\security
   - On UNIX: /opt/IBM/RationalSDLC/common/IHS/_jvm/jre/lib/security
   - On Linux: /opt/ibm/RationalSDLC/common/IHS/_jvm/jre/lib/security
3. Import the certificate into the IBM SSL Key Management store:
   - Start the IBM HTTP Server Key Management Utility tool (if it is not already running).
   - In the tool, click Key Database File > Open, select the key database type CMS, and click Browse to navigate to your key store file (common/IHS/key.kdb).
   - Enter the keystore password and click OK.
   - In the Key database content area, click the drop-down menu and select Personal Certificates.
   - Click Import, click Key File type, and select PKCS12.
   - Click Browse, navigate to the .p12 file to import, and click OK.
   - If prompted, enter a password for the key database, and click OK.
   - Click OK again to complete the import process.
   Note: If the certificate you are attempting to import has an expired validity date, you will not be able to import it. See "Signing certificates by certificate authorities."
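The export step and the expiry note above can be checked before you open the Key Management Utility at all. The following script is an added example and is not part of the IBM documentation: it builds a throwaway private key and self-signed certificate as constructed test input (standing in for your_server_private_key.key and your_server_certificate.crt), runs the same openssl pkcs12 -export with -name ibmhttp, then confirms that the resulting server_cert.p12 opens with the export password and that the certificate inside it is still valid, which is the condition the import step requires. The temporary directory, the common name mymachine.example.test and the export password are assumptions for the demonstration; the -passout and -passin options only replace the interactive password prompts the page describes.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Creates constructed test
# material, exports it to PKCS12 the way the page's command does, and verifies
# the export and the certificate's validity window before any import attempt.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EXPORT_PW="change-me-export-password"   # assumption: the export password you choose

# Constructed test material: a 30-day self-signed cert and an unencrypted key.
# In real use these are the files produced when the key and certificate were made.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=mymachine.example.test" \
    -keyout "$WORK/your_server_private_key.key" \
    -out "$WORK/your_server_certificate.crt" >/dev/null 2>&1
}

# The same export the page shows; -passout supplies the export password
# non-interactively instead of answering the prompt.
export_pkcs12() {
  openssl pkcs12 -export \
    -in "$WORK/your_server_certificate.crt" \
    -inkey "$WORK/your_server_private_key.key" \
    -name ibmhttp \
    -out "$WORK/server_cert.p12" \
    -passout "pass:$EXPORT_PW"
}

# Returns 0 if the .p12 opens with the export password and carries a private key.
verify_pkcs12() {
  openssl pkcs12 -in "$WORK/server_cert.p12" -passin "pass:$EXPORT_PW" \
    -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Returns 0 if the certificate inside the .p12 will still be valid $1 seconds
# from now; the key store refuses a certificate whose validity has lapsed.
cert_valid_for() {
  openssl pkcs12 -in "$WORK/server_cert.p12" -passin "pass:$EXPORT_PW" \
    -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -checkend "$1" >/dev/null
}

# Whole pre-import check; 0 only when every step passed.
check_export() {
  make_test_material && export_pkcs12 && verify_pkcs12 && cert_valid_for 86400
}

if check_export; then
  echo "server_cert.p12 exported, readable, and valid for at least one more day"
else
  echo "export check failed" >&2
  exit 1
fi
```

Point -in and -inkey at your real certificate and key instead of the constructed files and keep the rest as is. If the export was produced with OpenSSL 3 and the Key Management Utility reports that it cannot read the file, add -legacy to the openssl pkcs12 -export command so the .p12 is written with the older PKCS12 algorithms that earlier IBM SDKs understand.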
Signing certificates by certificate authorities
To obtain SSL certificates signed by a certificate authority (CA) using the iKeyMan utility:
1. Start the IBM HTTP Server Key Management Utility tool.
2. Click Key Database File > Open. Enter CMS and click Browse to navigate to your key store file (key.kdb). Enter the keystore password and click OK. If the keystore (key.kdb) file has not yet been created, see Creating HTTP server keys.
3. In the Key Database Content area, select the drop-down menu, and click Personal Certificate Request.
4. Enter values for the fields. Use the full name of your province, not an abbreviation. When complete, save the file with the .arm file extension.
5. Follow your certificate authority (CA) organization's rules for sending the .arm file and receiving the signed certificate (.cert file). For example, some companies direct you to a Web site where you can upload the .arm file and receive the .cert file by e-mail.
6. Rename the .cert file to the value in the Common Name field of the resulting certificate. This is usually the full Internet name of the machine (for example, mymachine.somedomain.ibm.com). You must use the full machine name when the common name is referenced.
7. In the Key Database Content area, on the drop-down menu, click Signer Certificates. If the CA name (the company's name) is listed, in the Key Database Content page, select the drop-down item Personal Certificates. Click Receive. Browse for the Common Name.arm file (see Step 6). If it is an ASCII file, select ASCII in the Data Type drop-down box; otherwise, select DER binary file. Click OK. You should receive a message that the certificate was received.
   If the CA name is not listed, add the root certificate for the CA:
   - Find the root certificate on your CA's Web site, download it, and name it CA.arm (where CA is the name of the certificate authority company).
   - In the Key Database Content area, select the drop-down item Signer Certificates, and click Add.
   - Click Browse to navigate to the .arm file (CA.arm) that you just downloaded. If it is an ASCII file, select ASCII in the Data Type drop-down box; otherwise, select DER binary file. After you click OK, the list contains the name of your CA, and you should receive a message that the certificate was received. You can then follow Step 7.