Db2

  • 1.  https

    Posted Thu March 26, 2020 07:29 AM
    We have DMC installed on Linux.
    If we need an HTTPS connection to the console, we need to follow this page: https://www.ibm.com/support/knowledgecenter/SS5Q8A_3.1.x/com.ibm.datatools.dsweb.ots.security.doc/topics/https_cert.html
    According to this, you need to execute https://localhost:11081/console locally on the server.
    How do we do this on a server that we access with MobaXterm/terminal and that does not have a web browser installed?


    ------------------------------
    Thank for all update/help
    Best Regards, Guy Przytula
    ------------------------------



  • 2.  RE: https

    Posted Tue March 31, 2020 11:48 PM
    Hi Guy,
    The host name 'localhost' here is an example. You can request a certificate from a CA with the host name or IP address of your own server.

    Thanks.

    ------------------------------
    Yan Hao Zhang
    ------------------------------



  • 3.  RE: https

    Posted Wed April 01, 2020 05:44 PM
    Hi Guy,

    Currently there is an issue in the steps describing the encryption of the keystore password.  We will fix the issue in the upcoming release of DMC.

    To assist you in setting the security cert for your DMC, you can follow the steps below in the meantime.

    A certificate can be obtained in different ways, e.g. from a certificate authority (CA) or by creating your own self-signed cert.

    The following is an example of creating a self-signed cert. It assumes openssl is available.

    1. Issue the following command to generate the certificate (certificate.pem) and key (key.pem) files in /opt/keystore/dmc. The keystore for the cert is created in this directory.

    cd /opt/keystore/dmc
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

    You are prompted for information for the cert. Ensure that the Common Name parameter is the hostname of the Data Management Console system.

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:San Jose
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
    Organizational Unit Name (eg, section) []:Data and AI
    Common Name (e.g. server FQDN or YOUR name) []:dsmga41.fyre.ibm.com
    Email Address []:jsizto@us.ibm.com

    2. Convert the certificate file into a PKCS12 format file (e.g. cert.p12). Provide a password when prompted; in this example, the password is: changeme

    openssl pkcs12 -export -in certificate.pem -inkey key.pem -out cert.p12

    The cert.p12 is generated.

    3. Configure DMC to use the exported cert (cert.p12).  Assume <dmchome> is the installation directory for DMC.
    a) Stop DMC
    b) Edit file: <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties
    c) Add/modify the following properties (see below for more explanation)
    i) wlp.keystore.type
    ii) wlp.keystore.location
    iii) wlp.keystore.password
    d) Start DMC

    Explanation:
    For wlp.keystore.type, it can be either jks or pkcs12 type. In this example it is: wlp.keystore.type=pkcs12
    For wlp.keystore.location, it is the full path to the cert. In this example, it is: wlp.keystore.location=/opt/keystore/dmc/cert.p12
    For wlp.keystore.password, it is the encrypted password for the cert. You need to use the following tool to encrypt the password.
    Note: <dmchome>/dsutil/bin/libertyCertsCrypt.sh has an issue. Use the following steps to encrypt the password instead.

    1. Find the encryption key in file: <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties  e.g.

    grep wlp.password.encryption.key <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties

    In this example, you will get:
    wlp.password.encryption.key=WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX\=\=

    Remove the "\"s at the end, and the encryption key is:
    WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX==

    2. Encrypt the password using <dmchome>/wlp/bin/securityUtility. In this example, the password is changeme, e.g.

    <dmchome>/wlp/bin/securityUtility encode --encoding=aes --key=WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX== changeme

    {aes}AI38wJr/8Ky8tPvoa1tUJHoFsuGtid5Y75CgZfrDIxkL

    So, in this example: wlp.keystore.password={aes}AI38wJr/8Ky8tPvoa1tUJHoFsuGtid5Y75CgZfrDIxkL

    Now set the 3 properties in file <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties, then save and exit.

    Afterwards, restart DMC.

    If you go back to the browser, e.g. Chrome, you can check the cert for DMC; you should see it is updated.  In this example, you can see:


    The above steps are for a self-signed cert.  For a cert provided by a CA, the steps should be similar.  Hope this helps.

    ------------------------------
    Jason Sizto
    ------------------------------
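
The bootstrap.properties edits from the reply above, scripted as an added example (not part of the original post and not DMC tooling). The helper names, the sample file and the sample values are constructed; the script also refuses to store a keystore password that is not `{aes}`-encoded and removes group/other access from the file, which are choices made here.

```shell
#!/bin/sh
# Added example; helper names and sample values are constructed, not DMC tooling.

# Print wlp.password.encryption.key with the .properties escapes ("\=") removed.
get_encryption_key() {
    sed -n 's/^wlp\.password\.encryption\.key=//p' "$1" | tail -n 1 | tr -d '\\'
}

# set_prop FILE KEY VALUE: replace KEY's line (or append it) without duplicates.
# awk reads KEY/VALUE from the environment, so "/", "+" and "*" need no escaping.
set_prop() {
    tmp=$(mktemp) || return 1
    K="$2" V="$3" awk -F= '
        $1 == ENVIRON["K"] { if (!done) print $1 "=" ENVIRON["V"]; done = 1; next }
        { print }
        END { if (!done) print ENVIRON["K"] "=" ENVIRON["V"] }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and inode
    rc=$?
    rm -f "$tmp"
    chmod go-rwx "$1"   # file holds the encryption key and the encoded password
    return "$rc"
}

# configure_keystore FILE P12_PATH ENCODED_PASSWORD: the three edits from step 3.
configure_keystore() {
    case "$3" in
        '{aes}'*) ;;
        *) echo "refusing to store a password that is not {aes}-encoded" >&2
           return 1 ;;
    esac
    set_prop "$1" wlp.keystore.type pkcs12 &&
    set_prop "$1" wlp.keystore.location "$2" &&
    set_prop "$1" wlp.keystore.password "$3"
}

# Demo on a constructed file standing in for bootstrap.properties.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/bootstrap.properties"
    printf '%s\n' 'wlp.keystore.type=jks' \
        'wlp.password.encryption.key=CONSTRUCTED+sample*key\=\=' > "$f"
    echo "key for securityUtility: $(get_encryption_key "$f")"
    configure_keystore "$f" /opt/keystore/dmc/cert.p12 '{aes}CONSTRUCTEDVALUE'
    cat "$f"
    rm -rf "$d"
}
demo
```

When passing the key on, quote it, e.g. `--key="$(get_encryption_key <file>)"`, because the key contains `*`. From a terminal without a browser, `openssl s_client -connect <host>:11081 </dev/null | openssl x509 -noout -subject -enddate` prints the subject and expiry of the certificate DMC serves after the restart.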



  • 4.  RE: https

    Posted Thu April 02, 2020 05:28 AM
    Many thanks for the detailed info.
    I will follow the guideline and implement it.
    best regards, Guy

    ------------------------------
    Thank for all update/help
    Best Regards, Guy Przytula
    ------------------------------