IBM Support

Unable to import a PKCS12 file that is created by IIS or other non-IBM Web server keystores into a CMS or JKS database

Troubleshooting


Problem

You are attempting to import a PKCS12 certificate into a GSKit 7 keystore that uses IBM® v1.4.2 SDK or later. However, attempting the import causes the CMS database to produce the following error message:

Symptom

GSKit 7: "The specified database has been corrupted"

Cause

The IBM v1.4.2, v1.5 (5.0), and v1.6 SDK ships with a set of restricted security policy files that might not be able to handle PKCS12 files created with strong encryption.

Resolving The Problem

To resolve the problem, you will need to replace the default restricted SDK policy files with the
Unrestricted JCE Policy files using the following steps:

  1. Go to IBM HTTP Server Java directory (default is <IHS_ROOT>/java/jre/bin), run java -fullversion to determine which Java version IBM HTTP Server is using.

  2. Click on the IBM SDK Policy files link to download the unrestricted policy files from the IBM developerworks url. If you are using SDK versions older than SDK 1.5 (Java 5.0), then click the radio button option for Unrestricted SDK JCE Policy files for older versions of the SDK.
  3. For newer versions of SDK, click on the IBM SDK Policy files link to download the unrestricted policy files and click the radio button option for Unrestricted SDK JCE Policy files for Java 5.0 SR16, Java 6 SR13, Java 7 SR4 and later versions.

  4. You will be asked for your IBM software registration userid and password.

  5. Ensure the IKeyman application is closed.

  6. Back up the local_policy.jar and US_export_policy.jar files located in the following directory:
    <IHS_ROOT>/java/jre/lib/security/

  7. Place the new files, previously downloaded, into the following directory:<IHS_ROOT>/java/jre/lib/security/

    Note: Java_home location of GSKit v7 are set in ikeyman.bat (or ikeyman.sh) file located in IBM_HTTP_Server/bin directory.

  8. Restart IKeyman.

  9. Re-try the import of the .p12 file into the key database.


IBM's SDKs ship with strong but limited jurisdiction policy files. Unlimited jurisdiction policy files can be obtained from the link above. The ZIP file should be unpacked and the two JAR files placed in the JRE's jre/lib/security/ directory. These policy files are for use with IBM developed SDKs. The same files are used for the Version 1.4, Version 5 and Version 1.6 SDKs. Details of downloads of unlimited jurisdiction policy files for the Solaris and HP platforms can be found in the IBM Security Guide for those platforms. It is recommended to always use the latest policy files from IBM.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
15 June 2018

UID

swg21201170