SslPort for AXESJSM

[RobCol]

Hello ,

I need to configure AXESJSM on an SSL secure port, I performed these steps:

1- I have created a certificate in DCM
2- I created a server application called "AXES_APP_ID"
3- I have associated the certificate to the application
4-I modified the configuration file /axesjsm/jsm/instance/system/httpd.xml as follows:

<listen port="5563" interface="*ALL" backlog="256" sslport="5564" sslappid="AXES_APP_ID"
sslprotocol="TLSV1.2" secure="false" store="pki/wwwssl.jks" password="password"
buffersend="-1" bufferreceive="-1" nodelay="false" timeout="5"/>

restarted the AXESJSM subsystem,
but only the port 5563 responds in http and not in https on 5564

thank you for helping me

regards

[Fairdinkum]

Hi RobCol,

I've conirmed that AXESJSM is running on SSL/TLS secure connection with a *self-signed* certificate for testing.

1. ===> QSH
2. then execute the following Java keytool command to generate the keystore (/axesjsm/jsm/instance/pki/wwwssl.jks) and the key pairs.

Code: Select all

keytool
  -genkeypair
  -alias sslkey
  –keyalg RSA
  -keysize 2048
  -sigalg SHA256withRSA
  -dname "CN=192.168.253.102,OU=aXes Team,O=Fairdinkum,L=Asakusabashi,S=Tokyo,C=JP"
  -ext san=ip:192.168.253.102
  -validity 9999
  -keypass password
  -keystore /axesjsm/jsm/instance/pki/wwwssl.jks
  -storepass password
  -v

3. edit the AXESJSM configuration file (httpd.xml) like the following.

Image 484.png (145.56 KiB) Viewed 14263 times

*If my understanding is correct, AXESJSM allows secure/non-secure port execlusively. So it seems sslport parameter in AXESJSM (v4.2.0) is no longer available.

4. export the certificate file.

Code: Select all

keytool
-exportcert
-alias sslkey
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks
-storepass password
-file /axesjsm/jsm/instance/pki/axes.cer
-v

5. install it (axes.cer) into a trusted root CA on your PC.

6. re-start AXESJSM subsystem. If the steps above have been done correctly, the secure connection will be established.

Image 485.png (84.75 KiB) Viewed 14263 times

Hope this helps!

Regards,
Hide

[RobCol]

Hi Fairdinkum,
Thanks for your help, I ran your commands and got stuck with this error :

keytool -exportcert -alias sslkey -keystore /axesjsm/jsm/instance/pki/wwwssl.
jks -storepass password -file /axesjsm/jsm/instance/pki/axes.cer -v
errore keytool (probabilmente non tradotto): java.io.EOFException


maybe it depends on the java runtime version or maybe permissions I don't know, the keystore was created successfully ...

Thanks again

[Fairdinkum]

Hi RobCol,

You can check the key store you made earlier by the following command:

Code: Select all

keytool 
-keystore "/axesjsm/jsm/instance/pki/wwwssl.jks" 
-list 
-storepass password 
-v 
> /home/<USERNAME>/list.txt                                   

If the key pairs and the keystore were generated correctly there should be an lias "sslkey" in list .txt.

Regards,
Hide

[RobCol]

You are great Fairdinkum!!!

There was an error in the keystore, I redid everything and it generated correctly!
It works !!

Fantastic Thank you so much !!!

[Fairdinkum]

Hi RobCol,

Great news! I'm happy I can help you. Thanks.

Regards,
Hide (from Fairdinkum)

[RobCol]

hello Fairdinkum,

I ask for your help again, to configure ssl port in a production environment and use a valid certificate, how do the steps to follow change? Do I need to import the certificate into the directory?

Thanks so much !

[Fairdinkum]

Hi RobCol,

We just experienced the same situation and have dealt with it. What we did are as follows.

1. Generate a self-certificate in JSM. (Same steps as previously)
2. Create CSR using the self-certicate.
3. Create local CA on IBMi so that generating a signed-certificate to the CSR.
4. Import the signed-certificate into the AXESJSM key store (wwwssl.jks).

*Clients have to install the local CA's certificate into their PC.
*For the production environment, CSR should be sent to "real" CA, and receieve the signed-certificate.

1. Generate a self-certificate in JSM

Code: Select all

keytool
-genkeypair
-alias sslkey
–keyalg RSA
-keysize 2048
-sigalg SHA256withRSA
-dname "CN=192.168.253.102,OU=WilComm/aXes Team,O=Fairdinkum,L=Asakusabashi,S=Tokyo,C=JP"
-ext san=ip:192.168.253.102
-validity 398
-keypass password
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks
-storepass password
-v

2. Create CSR

Code: Select all

keytool
-certreq
-alias sslkey
-keypass password
-sigalg SHA256withRSA
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks
-storepass password
-file /axesjsm/jsm/instance/pki/server.csr

3. Create a local CA on IBMi and issue the signed-certificate

--->See the attached. (Sorry but it's Japanese edition. Google Lens or other apps will translate for you

4. Import the signed-certificate

Firstly, import the CA certificate into wwwssl.jks

Code: Select all

keytool
-import
-file /QOpenSys/QIBM/ProdData/SC1/OpenSSL/demoCA/cacert.x509
-alias demoCA
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks

*-file option specifys the CA certificate file.

Nextly, signed-certificate.

Code: Select all

keytool
-import
-file /axesjsm/jsm/instance/pki/server.crt
-alias sslkey
-noprompt
-trustcacerts
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks

*-file option specifys the signed-certificate.


Hope this helps!

Regards,
Hide

[RobCol]

Hello Fairdinkum,

I begin to thank you very much for the excellent explanations and for the help! I'll let you know as soon as I try.

I believe I use the translator for the attachment

Thanks so much

[jaimosky]

Hi,

I did the steps you mention here, but instead I have used Digital Certificate Manager (I did a CA and a Certificate for ldv720 signed with the CA and exported the files).
So I created the jks file

Code: Select all

keytool                                                                                 
  -genkeypair                                                                           
  -alias sslkey                                                                         
  -keyalg RSA                                                                           
  -keysize 2048                                                                         
  -sigalg SHA256withRSA                                                                 
  -dname "CN=10.90.10.201,OU=eZollOnline,O=LDV Systema,L=Salzburg,S=Salzburg,C=AT"     
  -ext san=ip:10.90.10.201                                                           
  -validity 9999                                                                        
  -keypass password
  -keystore /axesjsm/jsm/instance/pki/wwwssl.jks                                        
  -storepass password
  -v 

then imported the 2 certificates

Code: Select all

keytool
-import
-file /ezollat/cert/CACERT_new.cer
-alias CA-LDV720
-keystore /axesjsm/jsm/instance/pki/wwwssl.jks  	
	
 keytool                                           
 -import                                           
 -file /ezollat/cert/SERVERCERT_new.cer                    
 -alias server-LDV720
 -noprompt                                         
 -trustcacerts                                     
 -keystore /axesjsm/jsm/instance/pki/wwwssl.jks  
 

I have seen, in the import you detailed in your example you use twice the alias sslkey, but it seems not working unless you modify this alias.
I modify as you say the httpd.xml file and restart the JSM SBS.

So when I call https://ldv720 i get an error, and when I open the certificate I see is extenden to the IP Address. It seems as the server presents not the certificate but the keyEntry(alias sslkey) instead of the trustedCertEntry(alias server-LDV720). I checked with -list the content of the jks file and there are one keyEntry and two trustedCertEntry.

I am sure I am doing something wrong, but I cannot figure out what.

Any ideas?