IBM License Metric Tool (ILMT)

  • 1.  Updating certificate from command line

    Posted Tue May 13, 2025 07:08 AM

    Hi!
    This is a problem that starts to be a show stopper for ILMT.
    It is more and more common that companies do not allow https certificates that are not CA signed.
    E.g. the self signed certificate created during the ILMT installation.
    The manual describes very well how to create a new certificate and have it signed by an authorized CA.
    But for the last step, Security -> Configuring secure communication with a CA-signed certificate -> Step 3: Enabling secure communication, you must do it in ILMT WebUI.
    You cannot do that if the original self signed certificate is not permitted!

    So in this case I need instructions for:
    1. Obtain the key_store password (as you can in the WebUI)
    2. The keytool command to enable the new CA signed certificate

    Or some other solution that fixes this problem.

    //Christer



    ------------------------------
    Christer Borg
    ------------------------------


  • 2.  RE: Updating certificate from command line

    Posted Tue May 13, 2025 11:45 AM

    Hello,


    To find out key_server.p12 password we would require a master.tag file from your local ILMT instance.
    That file presents some confidential data, so the best way would be to pass this through a Support ticket.


    However, the quick workaround would be to use HTTP protocol to connect to ILMT and replace certificate.
    Due to security concerns one should use a browser located directly on ILMT server, so, the whole http session would be confined to ILMT server itself.
    To enable HTTP protocol please open up the server.xml file and change the httpsPort to httpPort.
    Restart ILMT server after that.



    ------------------------------
    Thank you,
    Oktawian

    Oktawian Powązka, L3 Support
    IBM License Metric Tool
    ------------------------------



  • 3.  RE: Updating certificate from command line

    Posted Wed May 14, 2025 03:45 AM

    Thanks Oktawian!

    One more question:

    I create and sign my new cert and have the resulting file certificate.arm (as described in the documentation).
    What is the keytool command to replace the current one (using the obtained key_store password)?

    //Christer



    ------------------------------
    Christer Borg
    ------------------------------



  • 4.  RE: Updating certificate from command line
    Best Answer

    Posted Wed May 14, 2025 06:04 AM

    The following should do the job:
    <install_dir>/jre/jre/bin/keytool -importcert -alias default -file certificate.arm -storetype PKCS12 -keystore <install_dir>\wlp\usr\servers\server1\resources\security\key_server.p12 -storepass <xxx>




    ------------------------------
    Thank you,
    Oktawian

    Oktawian Powązka, L3 Support
    IBM License Metric Tool
    ------------------------------



  • 5.  RE: Updating certificate from command line

    Posted Mon May 19, 2025 11:48 AM
    Edited by Christer Borg Mon May 19, 2025 11:49 AM

    Hi!

    I have an update on this issue.

    The customer deleted the original key_server.p12 and created a new one, signed by an authorized CA.
    They then edited server.xml and changed the password in the <keyStore ...> section.
    This seems to work, at least they could go on and do the initial setup, defining Db2 parameters etc.

    My question is if this method is OK, or may there be some implications later?

    //Christer



    ------------------------------
    Christer Borg
    ------------------------------



  • 6.  RE: Updating certificate from command line

    Posted Tue May 20, 2025 02:05 PM

    It's OK,
    I don't see any implications.
    Upgrade process should keep key_server.p12 without alterations.



    ------------------------------
    Thank you,
    Oktawian

    Oktawian Powązka, L3 Support
    IBM License Metric Tool
    ------------------------------



  • 7.  RE: Updating certificate from command line

    Posted Thu May 22, 2025 08:35 AM

    OK!

    FWIW, here is how it was done, if anyone else is stuck in the same situation:

    A private.key and a csr-file were generated, as described in the documentation (step 1).

    It was sent to get signed by an authorized CA cert, and a cer-file was returned (step 2).

    Instead of step 3, these commands were done:

    1. Remove the old keystore, which we did not have the password to
      cd <install_dir>/wlp/usr/servers/server1/resources/security
      ren key_server.p12 key_server_original.p12

    2. Create a new keystore, with a signed cert and known password:
      cd <dir of new keystore, with signed cert>
      openssl pkcs12 -export -inkey <private.key> -in <signed-cert.cer> -out key_server_new.p12
      <install_dir>/jre/bin/keytool -importkeystore \
        -destkeystore <install_dir>/wlp/usr/servers/server1/resources/security/key_server.p12 \
        -srckeystore key_server_new.p12 -srcstoretype PKCS12 \
        -deststoretype PKCS12 -deststorepass <password>

    3. Edit the file <install_dir>/wlp/usr/servers/server1/server.xml.
      Change the password=  in the <keyStore section

    This worked for us.

    If this is an unsupported way of doing it, please tell me.

    Otherwise I think it should go into the manual.

    //Christer

     



    ------------------------------
    Christer Borg
    ------------------------------
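
Added example (not part of the thread and not IBM's code): a check to run against server.xml once the new keystore works, covering the two edits discussed in this thread, the temporary httpsPort-to-httpPort switch and the hand-edited keyStore password. The sample files, port numbers, the httpEndpoint element name and the {aes}/{xor} encoded-password prefixes are assumptions based on standard WebSphere Liberty configuration, not taken from an ILMT installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server.xml right after both edits from the thread
# (httpsPort renamed to httpPort, keystore password typed in by hand).
AFTER_WORKAROUND = """
<server>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9443"/>
  <keyStore id="defaultKeyStore" location="key_server.p12"
            type="PKCS12" password="constructed-secret"/>
</server>
"""

# Constructed sample: the state to return to once the CA-signed cert is served.
RESTORED = """
<server>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"/>
  <keyStore id="defaultKeyStore" location="key_server.p12"
            type="PKCS12" password="{aes}CONSTRUCTED"/>
</server>
"""

LOOPBACK = ("localhost", "127.0.0.1", "::1")
ENCODED = ("{aes}", "{xor}")  # assumed Liberty markers; {xor} is obfuscation only


def audit_server_xml(xml_text):
    """Return findings for leftovers of the HTTP and password workarounds."""
    findings = []
    root = ET.fromstring(xml_text)
    for ep in root.iter("httpEndpoint"):
        host, http_port = ep.get("host"), ep.get("httpPort")
        if http_port not in (None, "-1"):
            scope = "loopback only" if host in LOOPBACK else f"host={host!r}"
            findings.append(f"cleartext HTTP listener on port {http_port} ({scope})")
        if ep.get("httpsPort") in (None, "-1"):
            findings.append("httpsPort attribute missing or disabled")
    for ks in root.iter("keyStore"):
        password = ks.get("password", "")
        if password.startswith("${"):
            continue  # variable reference: audit the file that defines it
        if not password.startswith(ENCODED):
            findings.append(f"keyStore {ks.get('id')!r}: password in plaintext")
    return findings


if __name__ == "__main__":
    for label, text in (("after workaround", AFTER_WORKAROUND), ("restored", RESTORED)):
        print(f"{label}: {audit_server_xml(text) or 'no findings'}")
```
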



  • 8.  RE: Updating certificate from command line

    Posted Fri May 23, 2025 04:09 AM

    Definitely it's a supported way.

    Obviously, there are two ways of addressing that.

    1. creating a new p12 keystore,
    2. importing private key + certificate to existing key_server.p12.

    I'll propose internally documenting that part.



    ------------------------------
    Thank you,
    Oktawian

    Oktawian Powązka, L3 Support
    IBM License Metric Tool
    ------------------------------