× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. November 2019

Re: HMC Wildcard Certificate - Java Keystore

Hello Paul,

Am 29.11.2019 um 22:29 schrieb Steinmetz, Paul via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>:

Were you ever able to import a wildcard cert into the HMC?
I found a lot links for a normal cert, but nothing for a WC.
I've tried many scenarios, all coming up empty.

Nope, but I had a similar issue with an Openfire Jabber Server, also a Java Application. I wanted to integrate Letsencrypt Certificates with automatic refresh and had success. However, since I changed employment since then, I don't have access to that anymore. But I found out that with an installed JRE, there's a command line tool (in Linux) to manage Java Keystores.

In the end, I just had to find out once where the keystore was located, delete it, build a new one with the same name from already fetched Letsencrypt Certificates and finally restart Openfire. Worked like a charm.

So, in short, if you can find out where the java keystore in the HMC is located, it should be possible to do the same once with a wildcard cert, if you manage to get command line access (ssh). I see no apparent reason for "doesn't support wildcard certs" beyond "we never tested it".

Search google for java keystore command line management and openssl command line tool for converting a multitude of certificate/key formats into a fitting source file for the java stuff. If I remember right, I first had to build a PKCS#12 from PEM key and cert, because the java importer didn't know about other formats, then.

I'm leaving Larry's request below for completeness and further context.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> On Behalf Of DrFranken
Sent: Wednesday, April 19, 2017 11:54 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: HMC Wildcard Certificate - Java Keystore

We are getting crap from providers now that having an HMC with a self signed certificate is no longer acceptable. Such a device may be banned from their equipment racks and it now violates various requirements.
It's not just the HMC of course it's IBM i, switches, firewalls, routers, SANs, tape libraries, and the beat goes on.

Obtaining a separate key for every device in the DC is both expensive and a management nightmare.

So a wildcard it is. Working in many places but from IBM: "the hmc does not support adding a wildcard certificate."

There is a POSSIBLE workaround that involves creating a java keystore in jks or pkcs12 format, importing the wildcard to that and then importing that keystore into the HMC.

Has anyone experience with creating a Java Keystore that might have insights into doing that? 'The Google' returns thousands of hits but they all seem to think I'm a java expert to start with.

Anyone put a wildcard cert into their HMC??

--

- Larry "DrFranken" Bolhuis

Following up there: Yes, I fully agree that it's a mess to have properly signed certs on all devices requiring SSL access.

I'm wondering why I took so long until "someone" came up with what evolved to Letsencrypt. From time to time I search the net for alternate (more portable) server code, implementing the ACME protocol, but until today, I didn't find a solution.

Unfortunately, it's very hard to automate such a process like "deploy new certs on a switch" or HP ILO or whatever, so even it there'd be a "private" letsencrypt server for signing new certificates, it stays a horrible labour to put these on the devices in question.

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.