Thanks, this is awesome! No time to try it now, but I will.

On the HMC side there is an option to import the entire keystore, so you do not need to know where it goes; that much is nice. The issue, which you have significantly addressed, is creating a Java keystore and importing the wildcard into it.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 4/21/2017 1:38 PM, Hiebert, Chris wrote:
You should be able to use "keytool" to create the keystore and add the certificate to the keystore.


Found an example of using openssl to make the pkcs12 keystore, and then using that to create the java keystore:

openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12

keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12



If you have Linoma's GoAnywhere MFT product you may be able to use their "SSL Certificate Manager" to create a Java keystore and import the certs.
The GUI may make it easier than working in PASE or the command prompt.

The default location in the JRE for the keystore is "jre/lib/security/cacerts"


I'm not sure where the JRE would be on the HMC.
Maybe something like:
<WAS_INSTALL_ROOT>/java/jre/


Here is a keystore for jdk60:
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts

Here is an example of importing a certificate to the keystore:

/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/bin/keytool \
  -import \
  -noprompt \
  -trustcacerts \
  -alias ALIASOFNEWCERT \
  -file "/pathtocertfile/certfile.cer" \
  -keystore "/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts" \
  -storepass changeit

From what I've read, "changeit" is the default password for the Java keystore.


Hopefully this helps.


Chris Hiebert
Senior Programmer/Analyst
Disclaimer: Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.
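Once server.jks exists, the check worth doing before handing it to the HMC is whether the wildcard landed as a PrivateKeyEntry with its full chain, and whether the store password is the one you think it is. The following is an added example, not code from this thread or from IBM or Oracle: a stdlib-only Python reader and writer for the version-2 JKS layout that keytool produces (layout taken from the OpenJDK JavaKeyStore implementation), so the check can run on any machine without a JRE. The file name jkslist.py and the alias names are illustrative.

```python
import hashlib, hmac, io, struct, sys

MAGIC, VERSION = 0xFEEDFEED, 2       # JKS file magic and the version-2 layout keytool writes
PRIVATE_KEY, TRUSTED_CERT = 1, 2     # on-disk entry tags (PrivateKeyEntry / trustedCertEntry)

def _utf(s):                         # DataOutputStream.writeUTF: 2-byte length + UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _digest(password, body):
    # keytool's integrity hash: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(password, entries):
    """Serialize entries (dicts: alias, tag, ts in ms, key+chain for tag 1 or cert for tag 2)."""
    out = struct.pack(">IIi", MAGIC, VERSION, len(entries))
    for e in entries:
        out += struct.pack(">i", e["tag"]) + _utf(e["alias"]) + struct.pack(">q", e["ts"])
        if e["tag"] == PRIVATE_KEY:  # protected PKCS#8 blob, then the length-prefixed chain
            out += struct.pack(">i", len(e["key"])) + e["key"] + struct.pack(">i", len(e["chain"]))
            out += b"".join(_utf("X.509") + struct.pack(">i", len(c)) + c for c in e["chain"])
        else:
            out += _utf("X.509") + struct.pack(">i", len(e["cert"])) + e["cert"]
    return out + _digest(password, out)

def list_jks(data, password):
    """Verify the store password, then return [(alias, kind, cert_count)] like keytool -list."""
    body, stored = data[:-20], data[-20:]
    if not hmac.compare_digest(stored, _digest(password, body)):
        raise ValueError("integrity check failed: wrong store password or tampered file")
    magic, version, count = struct.unpack_from(">IIi", body, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a version-2 JKS file")
    buf, entries = io.BytesIO(body[12:]), []   # entries start right after the 12-byte header
    rd_int = lambda: struct.unpack(">i", buf.read(4))[0]
    rd_utf = lambda: buf.read(struct.unpack(">H", buf.read(2))[0]).decode("utf-8")
    for _ in range(count):
        tag, alias, _ts = rd_int(), rd_utf(), buf.read(8)
        if tag == PRIVATE_KEY:       # skip the password-protected key blob, read chain length
            buf.read(rd_int()); n_certs, kind = rd_int(), "PrivateKeyEntry"
        else:
            n_certs, kind = 1, "trustedCertEntry"
        for _ in range(n_certs):     # each cert: type string ("X.509") + length-prefixed DER
            rd_utf(); buf.read(rd_int())
        entries.append((alias, kind, n_certs))
    return entries

if __name__ == "__main__":           # usage: python jkslist.py server.jks [storepass]
    with open(sys.argv[1], "rb") as f:
        print(list_jks(f.read(), sys.argv[2] if len(sys.argv) > 2 else "changeit"))
```

The integrity digest only proves the store password and that the file is intact; it does not decrypt the private key, which is protected separately by the key password you gave openssl and keytool.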
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Friday, April 21, 2017 8:30 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: HMC Wildcard Certificate - Java Keystore

Zip - nada.


- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 4/21/2017 10:14 AM, Jim Oberholtzer wrote:
I don't see any responses. Did you get it figured out?

I'm starting to run into the same issue.


--
Jim Oberholtzer
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Wednesday, April 19, 2017 10:54 AM
To: Midrange Systems Technical Discussion
Subject: HMC Wildcard Certificate - Java Keystore

We are getting crap from providers now that having an HMC with a
self-signed certificate is no longer acceptable. Such a device may be
banned from their equipment racks and it now violates various requirements.
It's not just the HMC, of course; it's IBM i, switches, firewalls,
routers, SANs, tape libraries, and the beat goes on.

Obtaining a separate key for every device in the DC is both expensive
and a management nightmare.

So a wildcard it is. Working in many places, but from IBM: "the HMC
does not support adding a wildcard certificate."

There is a POSSIBLE workaround that involves creating a Java keystore
in JKS or PKCS12 format, importing the wildcard into that, and then
importing that keystore into the HMC.

Has anyone experience with creating a Java Keystore that might have
insights into doing that? 'The Google' returns thousands of hits but
they all seem to think I'm a java expert to start with.

Anyone put a wildcard cert into their HMC??

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list.
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.
