Converting OpenSSL certificates to IBM SSL

If you are upgrading your point product and are currently using OpenSSL certificates, you must export your certificates to PKCS12 format before importing them as IBM® SSL certificates. The exported private key and public certificate are stored together in a single password-protected file.

To export your existing OpenSSL certificates to PKCS12 format and import them:
  1. Export the certificate to PKCS12 format:
    1. On the command line, navigate to the appropriate directories:
      • On Windows®: drive-letter:\Program Files\IBM\RationalSDLC\common\IHS\bin
      • On UNIX®: /opt/IBM/RationalSDLC/common/IHS/bin
      • On Linux®: /opt/ibm/RationalSDLC/common/IHS/bin
    2. Enter the following command:

      openssl pkcs12 -export -in your_server_certificate.crt -out mapped_shared_location\server_cert.p12 -inkey your_server_private_key.key -name ibmhttp

      Note: Record the location of the server_cert.p12 file. This is the PKCS12-formatted file that you import into the IBM SSL Key Management store.
    3. Enter the pass phrase used when the private key was originally created.
    4. Enter an export password.
  2. Upgrade the IBM SDK Policy Files to the unrestricted version so that non-IBM certificate files are recognized.
    Note: If the Policy Files are not upgraded, an error occurs while importing the PKCS12 certificate.
    Follow the procedures in http://www.ibm.com/support/docview.wss?uid=swg21201170. Download the 1.4.2 version of the unrestricted policy files and replace the existing two policy files at these locations:
    • On Windows: drive-letter:\Program Files\IBM\RationalSDLC\common\IHS\_jvm\jre\lib\security
    • On UNIX: /opt/IBM/RationalSDLC/common/IHS/_jvm/jre/lib/security
    • On Linux: /opt/ibm/RationalSDLC/common/IHS/_jvm/jre/lib/security
  3. Import the certificate into the IBM SSL Key Management store:
    1. Start the IBM HTTP Server Key Management Utility tool (if it is not already running).
    2. In the tool, click Key Database File > Open, select the key database type CMS, and click Browse to navigate to your key store file (common/IHS/key.kdb).
    3. Enter the keystore password and click OK.
    4. In the Key database content area, click the drop-down menu and select Personal Certificates.
    5. Click Import, then set the Key file type to PKCS12.
    6. Click Browse, navigate to the .p12 file to import, and click OK.
    7. If prompted, enter a password for the key database, and click OK.
    8. Click OK again to complete the import process.
    Note: If the certificate you are attempting to import has an expired validity date, the import fails. See "Signing certificates by certificate authorities."

Signing certificates by certificate authorities

To obtain SSL certificates signed by a certificate authority (CA) using the iKeyman utility:
  1. Start the IBM HTTP Server Key Management Utility tool.
  2. Click Key Database File > Open > Select Key database. Enter CMS and click Browse to navigate to your key store file (key.kdb). Enter the keystore password and click OK. If the keystore (key.kdb) file has not yet been created, see Creating HTTP server keys.
  3. In the Key Database Content area, select the drop-down menu, and click Personal Certificate Request.
  4. Enter field values for the fields. Use the full name of your province, not an abbreviation. When complete, save the file with the .arm file extension.
  5. Follow your certificate authority (CA) organization's rules for sending the .arm file and receiving the signed certificate (.cert file). For example, some companies direct you to a Web site where you can upload the .arm file and receive the .cert file by e-mail.
  6. You must rename the .cert file to the value in the Common Name field of the resulting certificate. This is usually the full Internet name of the machine (for example, mymachine.somedomain.ibm.com). You must use the full machine name when the common name is referenced.
  7. In the Key Database Content area, on the drop-down menu, click Signer Certificates. If the CA name (the company's name) is listed, in the Key Database Content page, select the drop-down item Personal Certificates. Click Receive. Browse for Common Name.arm file (see Step 6). If it is an ASCII file, select ASCII in the Data Type drop-down box, otherwise select DER binary file. Click OK. You should receive a message that the certificate was received.
    If the CA name is not listed, add the root certificate for the CA:
    1. Find the root certificate on your CA's Web site, download it, and name it CA.arm (where CA is the name of the certificate authority company).
    2. In the Key Database Content area, select the drop-down item Signer Certificates, and click Add.
    3. Click Browse to navigate to the .arm file (CA.arm) that you just downloaded. If it is an ASCII file, select ASCII in the Data Type drop-down box; otherwise, select DER binary file. After you click OK, the list contains the name of your CA, and you should receive a message that the certificate was received. You can then follow Step 7.