Sunday, February 23, 2014

Renew SSL Certificates for IBM HTTP Server (IHS)


VIA iKEYMAN
  • You will receive an e-mail warning that the certificate is about to expire. Keep the following details from it handy:
    • CN (Common Name)
    • OU (Organizational Unit)
    • O (Organization)
    • L (Location)
    • S (State)
    • C (Country)
  • Open the httpd conf file for the particular instance whose cert is expiring.
  • Search for the entries below and keep them handy too:
    • ServerName (Name of the LB URL)
    • KeyFile
    • SSLStashFile
    • SSLServerCert
  • Go to the directory where the KDB file is and make a new directory named with the current date, e.g. 20140223.
  • Copy the kdb file and the sth file into that new directory (don't use the mv command).
  • export LD_LIBRARY_PATH=/usr/mqm/gskit8/lib
  • cd into the new directory. All the changes that follow are made in this new directory.
  • Follow the steps below if you have forgotten the password of the sth file:
    • Make a temporary file (e.g. I have made test.sh) with the following contents:
      #!/usr/bin/perl -w
      # Prints the password stored in a stash (.sth) file.
      use strict;
      die "Usage: $0 <stash file>\n" if $#ARGV != 0;
      my $file = $ARGV[0];
      open(my $fh, '<', $file) || die "Can't open $file: $!";
      binmode($fh);
      my $stash;
      read($fh, $stash, 1024);
      close($fh);
      # Each byte of the stash is the password byte XORed with 0xf5.
      my @unstash = map { $_ ^ 0xf5 } unpack("C*", $stash);
      foreach my $c (@unstash) {
          last if $c == 0;    # the password ends at the first NUL byte
          printf "%c", $c;
      }
    • Save the file.
    • ./test.sh <Stash file name> -- this will give you the password.
  • Remove the current cert by running the command below:
    <IHS_INSTALL_PATH>/gsk7/bin/gsk7cmd -cert -delete -db <PATH_OF_KDB_FILE_UNDER_NEW_DIRECTORY> -pw <THE_PASSWORD_WHICH_WE_JUST_GOT> -label <VALUE OF SSLServerCert which we copied from http conf file>
  • Generate the CSR file:
    <IHS_INSTALL_PATH>/gsk7/bin/gsk7cmd -certreq -create -db <PATH_OF_KDB_FILE_UNDER_NEW_DIRECTORY> -pw <THE_PASSWORD_WHICH_WE_JUST_GOT> -label <NEW LABEL> -dn "CN=<COMMON NAME which we got from cert expiring mail>, OU=<ORGANIZATIONAL UNIT which we got from cert expiring mail>, O=<ORGANIZATION which we got from cert expiring mail>, L=<LOCATION which we got from cert expiring mail>, ST=<STATE which we got from cert expiring mail>, C=<COUNTRY which we got from cert expiring mail>" -size 2048 -file <GET THE INFO IN ANY FILE UNDER NEW DIRECTORY>
  • Upload the CSR file to your certificate authority.
  • You will get an e-mail from the certificate authority with the cert as an attachment.
  • Save that attachment under some name (abc.cert) in the new directory and run the command below:
    <IHS_INSTALL_PATH>/gsk7/bin/gsk7cmd -cert -receive -db <PATH_OF_KDB_FILE_UNDER_NEW_DIRECTORY> -pw <THE_PASSWORD_WHICH_WE_JUST_GOT> -file abc.cert
  • Verification:
    • <IHS_INSTALL_PATH>/gsk7/bin/gsk7cmd -cert -list -db <PATH_OF_KDB_FILE_UNDER_NEW_DIRECTORY> -pw <THE_PASSWORD_WHICH_WE_JUST_GOT>
    • <IHS_INSTALL_PATH>/gsk7/bin/gsk7cmd -cert -details -label <THE ONE WHICH WE PUT WHILE GENERATING CSR> -db <PATH_OF_KDB_FILE_UNDER_NEW_DIRECTORY> -pw <THE_PASSWORD_WHICH_WE_JUST_GOT>
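
The backup step above (dated directory, cp rather than mv) as a shell function, added here as an example that is not part of the original post. Because the Perl script shows the stash file is only XOR-masked, the working copy is created with owner-only permissions and each copy is verified against its original. The function name stage_keystore and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example: make a dated working copy of an IHS key database.
# Usage: stage_keystore <kdb file> <sth file> [YYYYMMDD]
# Prints the path of the new working directory on success.

stage_keystore() {
    kdb=$1
    sth=$2
    stamp=${3:-$(date +%Y%m%d)}   # defaults to today's date, e.g. 20140223

    if [ ! -f "$kdb" ] || [ ! -f "$sth" ]; then
        echo "stage_keystore: kdb or sth file not found" >&2
        return 1
    fi

    workdir=$(dirname "$kdb")/$stamp
    # Never reuse a directory: an earlier working copy must not be overwritten.
    if [ -e "$workdir" ]; then
        echo "stage_keystore: $workdir already exists" >&2
        return 1
    fi

    # Create the directory owner-only before any key material lands in it.
    ( umask 077 && mkdir "$workdir" ) || return 1

    for src in "$kdb" "$sth"; do
        dst=$workdir/$(basename "$src")
        cp -p "$src" "$dst" || return 1      # copy, never move: originals stay live
        chmod 600 "$dst" || return 1         # the .sth reveals the kdb password
        if ! cmp -s "$src" "$dst"; then      # confirm the copy is byte-identical
            echo "stage_keystore: copy of $src differs from original" >&2
            return 1
        fi
    done

    echo "$workdir"
}

# Example call (constructed paths):
#   cd "$(stage_keystore /opt/IHS/ssl/key.kdb /opt/IHS/ssl/key.sth)"
```
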