Technical Blog Post
Abstract
You may have received a PFX keystore from a third party, or from your internal security provider, to be used for client authentication between TRIRIGA and a remote service endpoint. The question then becomes: how do you get a copy of the private key and signed certificate from the PFX keystore into the Java cacerts keystore used by the TRIRIGA application server JRE?
Body
There are different ways to accomplish this; however, in most cases the private key is passphrase protected, and that passphrase must be removed before the key can be imported into the JKS keystore used by the JRE.
The steps are outlined below:
1. Request a copy of the existing JKS cacerts keystore file found under the JRE, as well as the PFX (PKCS#12) file containing the private key and personal certificate. You will need to know the password of each keystore file.
2. Export the private key from pfx to a PEM file using openssl:
e.g. openssl pkcs12 -in keystore.pfx -nocerts -out encryptedkey.pem
3. Remove the private key passphrase:
e.g. openssl rsa -in encryptedkey.pem -out decryptedkey.pem
The file called decryptedkey.pem will contain the key without a passphrase.
4. Export the signed personal certificate into a file called cert.pem:
e.g. openssl pkcs12 -in keystore.pfx -clcerts -nokeys -out cert.pem
5. Next, import the private key and signed personal certificate from the decryptedkey.pem and cert.pem files into a new PKCS#12 keystore:
e.g. openssl pkcs12 -export -in cert.pem -inkey decryptedkey.pem -out decryptedkey.p12 -name mycertificatehostname -password pass:test -passin pass:test -passout pass:test
The above sets the password to "test" for the p12 file, and the label (alias) associated with the certificate will be "mycertificatehostname". Change this to whatever helps you to identify this certificate.
6. Now, using the Java keytool command, import the PKCS#12 keystore into the JKS keystore file called cacerts:
e.g. keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts -srckeystore decryptedkey.p12 -srcstoretype PKCS12 -srcstorepass test -alias mycertificatehostname
7. Import any signer certificates (roots and intermediates that were used to sign the personal certificate):
e.g. keytool -import -trustcacerts -alias intermediate -file intermediatecert.crt -keystore cacerts
e.g. keytool -import -trustcacerts -alias root -file rootcert.crt -keystore cacerts
8. Copy the resulting cacerts file to the appropriate JRE location and restart the JVM to pick up the changes.
Now when a connection from the JRE is initiated to the remote service, the client certificate can be presented as required by the remote service.
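The script below is an added example, not part of the original post, that rehearses steps 2 through 7 end to end so the flow can be tested before a real cacerts file is touched. It assumes openssl is on the PATH; keytool is optional, and steps 6 and 7 are skipped with a notice when no JRE is installed. The PFX it consumes is constructed on the fly (a throw-away root CA and a client certificate issued by it), and every file name, subject name and password ("pfxsecret", "test", "changeit") is a made-up value for this example.

```shell
#!/bin/sh
# Added example, not from the original post: rehearses steps 2-7 of the
# PFX -> cacerts procedure against a constructed PFX. Assumes openssl is in
# PATH; keytool is optional (steps 6-7 are skipped when it is missing).
# All file names, subjects and passwords below are constructed values.
set -eu

# build_test_pfx DIR: makes a throw-away root CA and a client certificate
# issued by it, then packs key + cert into keystore.pfx with a passphrase,
# standing in for the PFX a third party would hand over. rootcert.crt is
# left in DIR to play the signer certificate for step 7.
build_test_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/rootcert.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mycertificatehostname" \
        -keyout "$dir/orig.key" -out "$dir/orig.csr" 2>/dev/null
    openssl x509 -req -in "$dir/orig.csr" -CA "$dir/rootcert.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 -out "$dir/orig.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
        -certfile "$dir/rootcert.crt" -name mycertificatehostname \
        -passout pass:pfxsecret -out "$dir/keystore.pfx"
}

# key_is_unencrypted FILE: true when FILE is a PEM private key without the
# ENCRYPTED header, i.e. the passphrase really was removed in step 3.
key_is_unencrypted() {
    grep -q 'PRIVATE KEY' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# pfx_to_cacerts DIR PFXPASS: steps 2-7 against DIR/keystore.pfx, producing
# DIR/decryptedkey.p12 and, when keytool exists, DIR/cacerts.
pfx_to_cacerts() {
    dir=$1; pfxpass=$2
    umask 077   # the intermediate files hold private key material

    # Step 2: export the private key, still passphrase-protected, to PEM.
    openssl pkcs12 -in "$dir/keystore.pfx" -nocerts -passin "pass:$pfxpass" \
        -passout pass:tmpkeypass -out "$dir/encryptedkey.pem"

    # Step 3: remove the passphrase ("openssl pkey" does the same for non-RSA keys).
    openssl rsa -in "$dir/encryptedkey.pem" -passin pass:tmpkeypass \
        -out "$dir/decryptedkey.pem" 2>/dev/null
    key_is_unencrypted "$dir/decryptedkey.pem" || return 1

    # Step 4: export only the personal (client) certificate.
    openssl pkcs12 -in "$dir/keystore.pfx" -clcerts -nokeys \
        -passin "pass:$pfxpass" -out "$dir/cert.pem"

    # Step 5: rebuild a PKCS#12 around the passphrase-less key, password "test".
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/decryptedkey.pem" \
        -name mycertificatehostname -passout pass:test -out "$dir/decryptedkey.p12"

    # The plaintext PEM has served its purpose; do not leave it on disk.
    rm -f "$dir/encryptedkey.pem" "$dir/decryptedkey.pem"

    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found in PATH; stopping before step 6" >&2
        return 0
    fi

    # Step 6: import the key + certificate entry into the JKS cacerts.
    keytool -importkeystore -noprompt -deststoretype JKS \
        -srckeystore "$dir/decryptedkey.p12" -srcstoretype PKCS12 -srcstorepass test \
        -destkeystore "$dir/cacerts" -deststorepass changeit -destkeypass changeit \
        -alias mycertificatehostname

    # Step 7: add the signer certificate(s) as trusted entries.
    keytool -import -noprompt -trustcacerts -alias root -file "$dir/rootcert.crt" \
        -keystore "$dir/cacerts" -storepass changeit
}

# cacerts_has_alias DIR ALIAS: true when keytool lists ALIAS in DIR/cacerts.
cacerts_has_alias() {
    keytool -list -keystore "$1/cacerts" -storepass changeit 2>/dev/null | grep -qi "^$2,"
}

# Stand-alone run: rehearse the whole flow in a temporary directory.
if [ "${PFX_DEMO:-}" = "run" ]; then
    work=$(mktemp -d)
    build_test_pfx "$work"
    pfx_to_cacerts "$work" pfxsecret && echo "import finished in $work"
fi
```

Run it with PFX_DEMO=run sh script.sh and inspect the resulting cacerts with keytool -list. Two points the script makes explicit that the bare commands do not: the passphrase-less decryptedkey.pem is created under umask 077 and deleted as soon as the .p12 exists, since it is an unprotected copy of the client private key; and with OpenSSL 3, a PFX produced by older tooling (RC2/3DES cert encryption) may need the -legacy option on the openssl pkcs12 commands before it can be read at all.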
UID
ibm10875738