


Found this as well:
Import Repository
The existing Certificate infrastructure in HMC allows the user to import a
CA signed public certificate into the HMC key-store. However there isn't an
existing mechanism to import an external key-store containing
private/public key pair or certificate chain to HMC. The new 'Import
Repository' feature allows the user to import an external key-store
containing certificates (private, public and certificate chain) to HMC.

On Fri, Apr 21, 2017 at 1:43 PM, DrFranken <midrange@xxxxxxxxxxxx> wrote:

Thanks, this is awesome! No time to try it now but I will.

On the HMC side there is an option to import the entire keystore so you do
not need to know where it goes, that much is nice. The issue which you have
significantly addressed is to create a java keystore and import the
wildcard into it.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 4/21/2017 1:38 PM, Hiebert, Chris wrote:

You should be able to use "keytool" to create the keystore and add the
certificate to the keystore.


Found an example of using openssl to make the pkcs12 keystore, and then
using that to create the java keystore:

openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12

keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12



If you have Linoma's Goanywhere MFT product you may be able to use their
"SSL Certificate Manager" to create a java keystore and import the certs.
The gui may make it easier than working in pase or the command prompt.

The default location in the JRE for the keystore is "jre/lib/security/cacerts"


I'm not sure where the JRE would be on the HMC.
Maybe something like:
<WAS_INSTALL_ROOT>/java/jre/


Here is a keystore for jdk60:
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts

Here is an example of importing a certificate to the keystore:

/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/bin/keytool \
  -import \
  -noprompt \
  -trustcacerts \
  -alias ALIASOFNEWCERT \
  -file "/pathtocertfile/certfile.cer" \
  -keystore "/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security/cacerts" \
  -storepass changeit

From what I've read, "changeit" is the default password for the java
keystore.



Hopefully this helps.


Chris Hiebert
Senior Programmer/Analyst
Disclaimer: Any views or opinions presented are solely those of the
author and do not necessarily represent those of the company.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Friday, April 21, 2017 8:30 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: HMC Wildcard Certificate - Java Keystore

Zip - nadda.


- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 4/21/2017 10:14 AM, Jim Oberholtzer wrote:

I don't see any responses. Did you get it figured out?

I'm starting to run into the same issue.


--
Jim Oberholtzer
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Wednesday, April 19, 2017 10:54 AM
To: Midrange Systems Technical Discussion
Subject: HMC Wildcard Certificate - Java Keystore

We are getting crap from providers now that having an HMC with a self
signed certificate is no longer acceptable. Such a device may be
banned from their equipment racks and it now violates various
requirements.
It's not just the HMC of course it's IBM i, switches, firewalls,
routers, SANs, tape libraries, and the beat goes on.

Obtaining a separate key for every device in the DC is both expensive
and a management nightmare.

So a wildcard it is. Working in many places but from IBM: "the hmc
does not support adding a wildcard certificate."

There is a POSSIBLE workaround that involves creating a java keystore
in jks or pkcs12 format, importing the wildcard to that and then
importing that keystore into the HMC.

Has anyone experience with creating a Java Keystore that might have
insights into doing that? 'The Google' returns thousands of hits but
they all seem to think I'm a java expert to start with.

Anyone put a wildcard cert into their HMC??

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
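
An added example, not part of the original messages: the openssl step from Chris Hiebert's reply, extended to check that the private key belongs to the wildcard certificate before bundling, to accept an optional CA chain file, and to verify the resulting PKCS#12 keystore. The domain `*.example.test`, the alias `hmc-wildcard`, the file names and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Domain, alias, file names and passphrase are constructed.

# Succeeds only when the private key in $1 belongs to the certificate in $2.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 KEY CERT OUT ALIAS PASSFILE [CHAIN]
# Bundles key, certificate and an optional CA chain into a PKCS#12 keystore.
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077   # the keystore holds the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" ${6:+-certfile "$6"} \
          -name "$4" -out "$3" -passout "file:$5" )
}

# Succeeds when the keystore in $1 (passphrase file $2) contains a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Prints the subject of the end-entity certificate stored in the keystore.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Constructed test material: a throwaway self-signed wildcard, not a CA-issued one.
make_demo_wildcard() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.example.test' -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-passphrase' > "$d/pass"
    make_demo_wildcard "$d" &&
    make_p12 "$d/key.pem" "$d/cert.pem" "$d/server.p12" hmc-wildcard "$d/pass" &&
    p12_has_key "$d/server.p12" "$d/pass" && p12_subject "$d/server.p12" "$d/pass"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

If a JKS file is required rather than PKCS#12, the resulting server.p12 is the input to the keytool -importkeystore command quoted in the thread.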




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].