Hi Guy,
Currently there is an issue in the steps describing the encryption of the keystore password. We will fix the issue in the upcoming release of DMC.
In order to assist you in setting the security cert for your DMC, you can use the following steps in the meantime.
A certificate can be obtained in different ways, e.g. from a certificate authority (CA) or by creating your own self-signed cert.
Following is an example of creating a self-signed cert. It assumes openssl is available.
1. Issue the following command to generate the certificate (certificate.pem) and key (key.pem) files in /opt/keystore/dmc. The keystore for the cert is created in this directory.
cd /opt/keystore/dmc
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
You are prompted for information for the cert. Ensure that the Common Name parameter is the hostname of the Data Management Console system.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:Data and AI
Common Name (e.g. server FQDN or YOUR name) []:dsmga41.fyre.ibm.com
Email Address []:jsizto@us.ibm.com
2. Convert the certificate file into a pkcs12 format file (e.g. cert.p12). Provide a password when prompted; in this example, the password is:
changeme
openssl pkcs12 -export -in certificate.pem -inkey key.pem -out cert.p12
The cert.p12 file is generated.
3. Configure DMC to use the exported cert (cert.p12). Assume <dmchome> is the installation directory for DMC.
a) Stop DMC
b) Edit file: <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties
c) add/modify the following properties (see below for more explanation)
i) wlp.keystore.type
ii) wlp.keystore.location
iii) wlp.keystore.password
d) Start DMC
Explanation:
For wlp.keystore.type, it can be either jks or pkcs12 type. In this example it is:
wlp.keystore.type=pkcs12
For wlp.keystore.location, it is the full path to the cert. In this example, it is:
wlp.keystore.location=/opt/keystore/dmc/cert.p12
For wlp.keystore.password, it is the encrypted password for the cert. You need to use the following tool to encrypt the password.
Note: <dmchome>/dsutil/bin/libertyCertsCrypt.sh has an issue. Use the following steps to encrypt the password instead.
1. Find the encryption key in the file:
<dmchome>/wlp/usr/servers/dsweb/bootstrap.properties
e.g.
grep wlp.password.encryption.key <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties
In this example, you will get:
wlp.password.encryption.key=WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX\=\=
Remove the "\"s at the end, and the encryption key is:
WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX==
2. Encrypt the password using
<dmchome>/wlp/bin/securityUtility
In this example, the password is changeme, e.g.
<dmchome>/wlp/bin/securityUtility encode --encoding=aes --key=WTI201707121717ifhIuc6pWYWZRYg6CWX0*uDzRviJ8tTiTB+fvnNUBZcHG2nzGxmAdW4+W-ayoju-QeHaFLI-Ui7FR1TFvk2OpRSLxjRuIW85a8uJhyTE3zkVcL9VsHk+-0Hbtn6a5FB8d0DKb9c*ptYNAFOlZ7gkAeymI04BOuidNpV5seMXijPk6j*4vN3cVER4u45wNvwA15oQlxZz9XXb2i+Fadc40CnHFhaXxX5O1v+djXdQ8bhYxpzrQNUOMeNAGL+PXo9xKO1USegzGK3U7NGCP14y1zZD9E5emGdjTg7ew7NXKFTzHE0738y592*LUVtyPLSpmdIvhmHf4wJpLNvCBqmlFvfRVqKBZIYD3qej3SNcxtu0ke*nXUojG9Ta97lEuz3T5KiCy6Pncm-G2ZeQ8U+gAZe7SmbOkH6A+p9yYKz0MBFLoHJPE01izLTMHwO-BB8igZdMPIxXy9E1vyu0PIUxIjh8696z5D13kGDu7+OPWMmQbe*6s8nX== changeme
{aes}AI38wJr/8Ky8tPvoa1tUJHoFsuGtid5Y75CgZfrDIxkL
So, in this example:
wlp.keystore.password={aes}AI38wJr/8Ky8tPvoa1tUJHoFsuGtid5Y75CgZfrDIxkL
Now set the 3 properties, then save and exit the file <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties.
Then restart DMC.
If you go back to the browser, e.g. Chrome, you can check the cert for DMC; you should see that it is updated. In this example, you can see:
The above steps are for a self-signed cert. For a cert provided by a CA, the steps should be similar. Hope this helps.
------------------------------
Jason Sizto
------------------------------
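The fiddly part of the procedure above is that bootstrap.properties is a Java properties file: the trailing `\=\=` on wlp.password.encryption.key is escaping, not part of the key, and the same escaping applies when you write values back. The script below is an added example, not DMC's or IBM's own code. It reads the encryption key with the escaping handled, checks the three wlp.keystore.* values before writing them (keystore type matches the file extension, password is a securityUtility-encoded token rather than plaintext), and rewrites the file. The sample file content is constructed, and its short encryption key is a stand-in for the real, much longer one; the file path is the one from the post.

```python
"""Read and update DMC's bootstrap.properties (a Java .properties file) without
tripping over its escaping. Added example, not DMC's own code."""
import re
import sys

# Constructed sample of <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties.
# The key is a made-up stand-in; a real one is several hundred characters.
SAMPLE_BOOTSTRAP = """\
# constructed sample, not a real DMC file
wlp.password.encryption.key=WTI20170712example*key+with-symbols\\=\\=
default.http.port=11080
default.https.port=11081
"""

# Keystore types DMC accepts for wlp.keystore.type and the file extensions they imply.
KEYSTORE_TYPES = {"pkcs12": (".p12", ".pfx"), "jks": (".jks",)}


def _unescape(s):
    r"""Undo Java .properties escaping: \= \: \# \\ \t \n \uXXXX."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def _escape(s):
    """Escape a value so Java reads it back verbatim (turns '==' into '\\=\\=')."""
    return re.sub(r"([\\=:#!])", r"\\\1", s)


def parse_properties(text):
    """Return {key: value} for single-line key=value entries; '#'/'!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):           # key ends at the first unescaped '=', ':' or blank
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props


def encryption_key(text):
    """wlp.password.encryption.key with the backslashes already removed (step 1 of the post)."""
    return parse_properties(text)["wlp.password.encryption.key"]


def check_keystore_properties(ks_type, location, password):
    """Sanity checks before writing the three wlp.keystore.* properties; returns problems found."""
    problems = []
    if ks_type not in KEYSTORE_TYPES:
        problems.append("wlp.keystore.type must be jks or pkcs12")
    elif not location.lower().endswith(KEYSTORE_TYPES[ks_type]):
        problems.append("wlp.keystore.location extension does not match type %s" % ks_type)
    if not location.startswith("/"):
        problems.append("wlp.keystore.location must be an absolute path")
    # securityUtility encode emits {aes}... (or {xor}..., its other encoding); anything
    # else means the plaintext keystore password would land in bootstrap.properties.
    if not password.startswith(("{aes}", "{xor}")):
        problems.append("wlp.keystore.password is not a securityUtility-encoded value")
    return problems


def set_keystore_properties(text, ks_type, location, password):
    """Return the file text with the three keystore properties set, replacing existing
    lines in place and appending missing ones; every other line is left untouched."""
    problems = check_keystore_properties(ks_type, location, password)
    if problems:
        raise ValueError("; ".join(problems))
    wanted = {"wlp.keystore.type": ks_type,
              "wlp.keystore.location": location,
              "wlp.keystore.password": password}
    out, seen = [], set()
    for raw in text.splitlines():
        key = next(iter(parse_properties(raw)), None)
        if key in wanted:
            out.append("%s=%s" % (key, _escape(wanted[key])))
            seen.add(key)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s=%s" % (key, _escape(value)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python dmc_keystore.py <bootstrap.properties> <type> <location> <encoded-password>
    path, ks_type, location, password = sys.argv[1:5]
    with open(path) as f:
        original = f.read()
    print("encryption key for securityUtility --key=:", encryption_key(original))
    with open(path, "w") as f:
        f.write(set_keystore_properties(original, ks_type, location, password))
```

Run it once without the write step to print the decoded key, feed that key to `securityUtility encode --encoding=aes --key=... changeme` as in the post, then run it again with the `{aes}...` result as the password. The checks refuse a plaintext password on purpose: a bare `changeme` in bootstrap.properties is readable by anyone who can read the file.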
Original Message:
Sent: Thu March 26, 2020 07:28 AM
From: Guy Przytula
Subject: https
We have DMC installed on Linux.
If we need an HTTPS connection to the console, we need to follow this page: https://www.ibm.com/support/knowledgecenter/SS5Q8A_3.1.x/com.ibm.datatools.dsweb.ots.security.doc/topics/https_cert.html
According to this, you need to execute locally on the server https://localhost:11081/console
And how to do this on a server we can access with MobaXterm/terminal and do not have a web browser installed on the server machine?
------------------------------
Thanks for all updates/help
Best Regards, Guy Przytula
------------------------------
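Guy's question above is how to confirm, on a server with no browser, which certificate DMC is presenting on its HTTPS port. The script below is an added example, not DMC's or IBM's own code: it fetches the certificate served on localhost:11081 (the port from Guy's message), computes its SHA-256 fingerprint, and compares it with the fingerprint of the certificate.pem created in step 1 of Jason's reply. The host, port and file path are assumptions taken from the thread; the two PEM blobs at the top are constructed test inputs, not real certificates.

```python
"""Check which certificate DMC's HTTPS port is serving, from a terminal with no
browser. Added example, not DMC's own code."""
import hashlib
import ssl
import sys

DMC_HOST = "localhost"                              # run on the DMC server itself
DMC_PORT = 11081                                    # DMC HTTPS port from Guy's message
LOCAL_CERT = "/opt/keystore/dmc/certificate.pem"    # PEM created in step 1 of the reply

# Constructed PEM blobs: the body is just base64("abc") / base64("abd"), which is all
# the fingerprint helper needs; they are not real X.509 certificates.
TOY_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
OTHER_PEM = "-----BEGIN CERTIFICATE-----\nYWJk\n-----END CERTIFICATE-----\n"


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate, colon-separated hex as browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_match(served_pem, local_pem):
    """True when the served leaf certificate is byte-for-byte the local one."""
    return pem_fingerprint(served_pem) == pem_fingerprint(local_pem)


def served_certificate(host, port):
    """Fetch the leaf certificate the server presents. Verification is deliberately
    off here: the question is *which* cert is served, not whether we trust it."""
    return ssl.get_server_certificate((host, port))


def main():
    with open(LOCAL_CERT) as f:
        local_pem = f.read()
    try:
        served = served_certificate(DMC_HOST, DMC_PORT)
    except (OSError, ssl.SSLError) as exc:
        print("could not fetch certificate from %s:%d: %s" % (DMC_HOST, DMC_PORT, exc))
        return 2
    print("served:", pem_fingerprint(served))
    print("local: ", pem_fingerprint(local_pem))
    if certificates_match(served, local_pem):
        print("DMC is serving the new certificate")
        return 0
    print("DMC is still serving a different certificate (restart or path/password issue)")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The same check without Python is `openssl s_client -connect localhost:11081 </dev/null | openssl x509 -noout -fingerprint -sha256`, compared against `openssl x509 -in /opt/keystore/dmc/certificate.pem -noout -fingerprint -sha256`. Comparing fingerprints rather than subject names catches the case where an old cert with the same Common Name is still loaded.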
#Db2