Direct links to fixes
APAR status
Closed as program error.
Error description
Cannot download SSL certificates private key to the desktop/laptop from SSPCM server, so we use CLI on SSPCM to import the certificates. Used the following and certificate import was successful:

Usage: ./manageKeyCerts.sh -import [parms]
Parms:
  certStore=<certificate store name>
      Name of SSP system certificate store. Optional. Default=dfltKeyStore
  certName=<certificate name>
      Name for certificate. Required.
  desc=<description>
      Description for certificate. Optional. If the description has embedded spaces, enclose the whole parameter in double quotes (ex: "desc=My certificate")
  engine=<engine name>
      Name of engine with access to HSM. Optional.
  alias=<alias>
      Alias for key on HSM. Optional. If omitted, defaults to the certificate name.
  file=<import file name>
      Fully-qualified path of key-certificate file to import. Required. File must be in PEM (*.txt, *.pem) or PKCS12 (*.pfx, *.p12) formats.
  replace=<y|n>
      Whether to replace certificate if a certificate with the same name already exists on the system certificate store. Also, whether to replace key in HSM if a key with the same alias already exists on the HSM. Optional. Default=n.
  systemPass=<passphrase>
      System passphrase. Optional. Prompts if omitted.
  adminID=<administrator ID>
      Administrator ID. Optional. Prompts if omitted.
  adminPass=<password>
      Administrator password. Optional. Prompts if omitted.
  keyStorePass=<password>
      HSM keystore password. Optional. Prompts if omitted.
  keyPass=<passphrase>
      Passphrase for key in HSM. Optional. Prompts if omitted.
  pkcs12StorePass=<password>
      Password for import PKCS12 file. Optional. Prompts if omitted.
  pkcs12KeyPass=<password>
      Password for key in PKCS12 file. Optional. Prompts if omitted.
  pemKeyPass=<password>
      Password for private key in import PEM file. Optional. Prompts if omitted.

Key-certificate imported to [NWcertStore]:
  Name        : citadel.nationwide.com
  Description : Verisign Certificate for Adapters NW_FTPS_ and NW_HTTPS_Pswd_
  Key in HSM  : false
  Alias       : citadel.nationwide.com
  Type        : JKS
  Provider    :
  Issuer      : CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Subject     : CN=citadel.nationwide.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Infrastructure Security Operations, O=Nationwide Mutual Insurance Company, L=Columbus, ST=Ohio, C=US
  Serial      : -729917781
  Version     : 3
  Valid from  : Mon Oct 29 20:00:00 EDT 2012
  Valid to    : Thu Oct 30 19:59:59 EDT 2014

After that, we are unable to edit in the SSP CM GUI. See the attached Word doc for the error.
Local fix
They can point to the keycert file in the netmap and it works fine. There's no problem with the keycert. Just when you go to save after the edit, that's when the error occurs. He wanted to change the description, and that's how he discovered the problem. He was able to use manageKeyCerts.sh with the replace option and the correct description. That's the workaround.
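The workaround above (re-import with the replace option and the corrected description), as an added example that is not IBM's code: a shell function that checks its arguments against the usage text and prints the command with no password parameters, so the tool prompts for them. The store name, certificate name and file path in the sample call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not IBM code): assemble the replace=y workaround command
# for manageKeyCerts.sh without putting any secret on the command line.

# build_import_cmd CERTSTORE CERTNAME DESCRIPTION FILE
# Prints the command line to run; returns non-zero when an argument
# breaks a rule stated in the tool's usage text.
build_import_cmd() {
    store=$1 name=$2 desc=$3 file=$4

    # certName and file are the two required parameters.
    [ -n "$name" ] || { echo "certName is required" >&2; return 2; }
    [ -n "$file" ] || { echo "file is required" >&2; return 2; }

    # file must be a fully-qualified path.
    case $file in
        /*) ;;
        *) echo "file must be fully qualified: $file" >&2; return 3 ;;
    esac

    # Only PEM (*.txt, *.pem) and PKCS12 (*.pfx, *.p12) files are accepted.
    case $file in
        *.txt|*.pem|*.pfx|*.p12) ;;
        *) echo "unsupported key-certificate format: $file" >&2; return 4 ;;
    esac

    # A double quote inside the description would break the quoting below.
    case $desc in
        *\"*) echo "description must not contain double quotes" >&2; return 5 ;;
    esac

    # certStore falls back to the tool's documented default.
    # replace=y overwrites the existing entry, which is how the description
    # gets changed while the GUI edit fails.
    # systemPass, adminPass, pkcs12StorePass, pkcs12KeyPass and pemKeyPass are
    # left out on purpose: the tool prompts for them, so they never reach
    # shell history or the process list.
    printf './manageKeyCerts.sh -import certStore=%s certName=%s "desc=%s" file=%s replace=y\n' \
        "${store:-dfltKeyStore}" "$name" "$desc" "$file"
}

# Constructed sample values (store, name and path are placeholders).
build_import_cmd exampleStore example.cert "Corrected description" /tmp/example-keycert.pem
```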
Problem summary
Unable to edit the SSL certificates imported via manageKeyCerts.sh

When a new KeyCert is added into a new KeyStore using the manageKeyCerts.sh script, it cannot be edited by the CM GUI. It can be assigned to an adapter and used successfully, but the description, for example, cannot be updated in the GUI. The manageKeyCerts tool was not setting the Format Version and Version Stamp fields when it created the new KeyStore, which caused it to be unusable when edited by the CM.
Problem conclusion
Updated the manageKeyCerts tool to correctly set the Format Version and Version Stamp fields when creating a new key store.
Temporary fix
Comments
APAR Information
APAR number
IC89642
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
341
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-01-18
Closed date
2013-03-01
Last modified date
2013-03-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
R341 PSY
UP
Document Information
Modified date:
01 March 2013