Thanks, this is awesome! No time to try it now but I will.
On the HMC side there is an option to import the entire keystore so you do
not need to know where it goes, that much is nice. The issue which you have
significantly addressed is to create a java keystore and import the
wildcard into it.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 4/21/2017 1:38 PM, Hiebert, Chris wrote:
You should be able to use "keytool" to create the keystore and add the
certificate to the keystore.
Found an example of using openssl to make the pkcs12 keystore, and then
using that to create the java keystore:
openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
If you have Linoma's GoAnywhere MFT product you may be able to use their
"SSL Certificate Manager" to create a java keystore and import the certs.
The GUI may make it easier than working in PASE or the command prompt.
The default location in the JRE for the keystore is
"jre/lib/security/cacerts".
I'm not sure where the JRE would be on the HMC.
Maybe something like:
<WAS_INSTALL_ROOT>/java/jre/
Here is a keystore for jdk60:
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts
Here is an example of importing a certificate to the keystore:
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/bin/keytool \
  -import \
  -noprompt \
  -trustcacerts \
  -alias ALIASOFNEWCERT \
  -file "/pathtocertfile/certfile.cer" \
  -keystore "/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts" \
  -storepass changeit
From what I've read, "changeit" is the default password for the java
keystore.
Hopefully this helps.
Chris Hiebert
Senior Programmer/Analyst
Disclaimer: Any views or opinions presented are solely those of the
author and do not necessarily represent those of the company.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Friday, April 21, 2017 8:30 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: HMC Wildcard Certificate - Java Keystore
Zip - nadda.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 4/21/2017 10:14 AM, Jim Oberholtzer wrote:
I don't see any responses. Did you get it figured out?
I'm starting to run into the same issue.
--
Jim Oberholtzer
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Wednesday, April 19, 2017 10:54 AM
To: Midrange Systems Technical Discussion
Subject: HMC Wildcard Certificate - Java Keystore
We are getting crap from providers now that having an HMC with a self
signed certificate is no longer acceptable. Such a device may be
banned from their equipment racks and it now violates various
requirements.
It's not just the HMC of course it's IBM i, switches, firewalls,
routers, SANs, tape libraries, and the beat goes on.
Obtaining a separate key for every device in the DC is both expensive
and a management nightmare.
So a wildcard it is. Working in many places but from IBM: "the hmc
does not support adding a wildcard certificate."
There is a POSSIBLE workaround that involves creating a java keystore
in jks or pkcs12 format, importing the wildcard to that and then
importing that keystore into the HMC.
Has anyone experience with creating a Java Keystore that might have
insights into doing that? 'The Google' returns thousands of hits but
they all seem to think I'm a java expert to start with.
Anyone put a wildcard cert into their HMC??
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
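
The openssl-then-keytool route quoted in the thread above, carried through end to end as an added example that is not part of the original messages. The function names, the alias, the KS_PASS variable and the self-signed *.example.test certificate (standing in for the CA-issued wildcard and its key) are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The alias, password and self-signed
# *.example.test certificate are constructed stand-ins for the real ones.
set -eu

# make_keystore DIR ALIAS: write DIR/server.p12, plus DIR/server.jks when a
# working keytool is installed. The password comes from $KS_PASS, not argv.
make_keystore() {
    dir=$1 entry=$2
    # Stand-in for the CA-issued wildcard certificate and its private key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=*.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # -name sets the alias Java sees; without it keytool lists the entry as "1".
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name "$entry" -passout env:KS_PASS -out "$dir/server.p12"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$dir/server.p12" -srcstoretype pkcs12 \
            -srcstorepass:env KS_PASS \
            -destkeystore "$dir/server.jks" -deststoretype jks \
            -deststorepass:env KS_PASS >/dev/null 2>&1 ||
            echo "keytool conversion failed; server.p12 was still written" >&2
    fi
}

# keystore_ok DIR: succeed only if server.p12 opens with $KS_PASS, its private
# key matches its certificate, and that certificate is the wildcard one.
keystore_ok() {
    p12=$1/server.p12
    cert_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject | grep -q '\*\.example\.test'
}

KS_PASS=constructed-pass; export KS_PASS   # constructed value
demo_dir=$(mktemp -d)
make_keystore "$demo_dir" wildcard
keystore_ok "$demo_dir" && echo "server.p12: key matches the wildcard certificate"
rm -rf "$demo_dir"
```

On a host with Java, `keytool -list -keystore server.jks` should report this entry as a PrivateKeyEntry, whereas the `keytool -import -trustcacerts` command quoted in the thread adds a certificate without its private key as a trustedCertEntry.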
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.