IBM i Global

  • 1.  Import Certificate Store API - QykmImportKeyStore

    Posted Mon September 26, 2022 10:03 AM
    Hello,

    I am trying to use the DCM API QykmImportKeyStore for importing a server/client certificate. But it is always getting imported as a CA Only certificate. Is this API no longer valid in V7R4?

    Can anyone please advise :)

    ------------------------------
    Sarfaraj Pirjade
    ------------------------------


  • 2.  RE: Import Certificate Store API - QykmImportKeyStore

    IBM Champion
    Posted Tue September 27, 2022 02:20 PM

    I am not sufficiently au fait with Certs to know if this will help or not but ...

    I was able to deal with a number of cert store issues by using this new tooling from Jesse Gorzinski: https://github.com/ThePrez/DCM-tools#dcmimport - he is expanding its capabilities all the time.



    ------------------------------
    Jon Paris
    ------------------------------



  • 3.  RE: Import Certificate Store API - QykmImportKeyStore

    Posted Wed September 28, 2022 05:11 AM
    Thank you Jon for replying.
    In fact, I am using Jesse's repository to achieve IWS cert renewal automation.
    I was thinking of doing it in 2 ways:
    1) Import the new certificate with QykmImportKeyStore and then assign it to IWS with QycdUpdateCertUsage
    OR
    2) Get the new certificate. Renew the existing certificate with this new certificate using QycdRenewCertificate and then assign it to IWS with QycdUpdateCertUsage

    Now I am trying to work on the 2nd way. But here I am facing an issue with the API:

    AS400Message (ID: CPF9872 text: Program or service program QYCDRNWC in library QICSS ended. Reason code 2.):com.ibm.as400.access.AS400Message@95ab79de
    java.io.IOException: DCM API call failure
    at com.github.ibmioss.dcmtools.utils.DcmApiCaller.runProgram(DcmApiCaller.java:287)
    at com.github.ibmioss.dcmtools.utils.DcmApiCaller.callQycdRenewCertificate_RNWC0300(DcmApiCaller.java:141)
    at com.github.ibmioss.dcmtools.CertRenewer.renewCert(CertRenewer.java:56)
    at com.github.ibmioss.dcmtools.CertRenewer.doRenew(CertRenewer.java:46)
    at com.github.ibmioss.dcmtools.DcmRenewCmd.main(DcmRenewCmd.java:45)

    The CPF9872 message description says:

    2--A pointer was used, either directly or as a basing pointer, that has not been set to an address



    Any idea on this failure?



    ------------------------------
    Sarfaraj Pirjade
    ------------------------------



  • 4.  RE: Import Certificate Store API - QykmImportKeyStore

    IBM Champion
    Posted Tue September 27, 2022 07:53 PM
    Dear Sarfaraj

    Does this APAR error description sound like what you are facing?

    APAR Error Description / Circumvention
    -----------------------------------------------
    An issue was identified when using API QykmExportKeyStore to create a PKCS12 file from a .KDB file, modifying the contents of that file using Java, and then importing the keys and certificates back to a .KDB using API QykmImportKeyStore. The issue that is seen is the certificates that had private keys end up incorrectly imported as CA certificates without private keys.

    If this is the case, you need to apply some PTFs as indicated in this APAR:
    SI79679 - OSP-CERT QYKMIMPORTKEYSTORE IMPORTS JAVA MANAGED CERTS AS CA

    I found this with Google search using "ibm i dcm QykmImportKeyStore".

    ------------------------------
    Right action is better than knowledge; but in order to do what is right, we must know what is right.
    -- Charlemagne

    Satid Singkorapoom
    ------------------------------



  • 5.  RE: Import Certificate Store API - QykmImportKeyStore

    IBM Champion
    Posted Wed September 28, 2022 12:31 PM
    Sorry - not a clue. If Satid's information doesn't help you might pose a question on Jesse's github page. I know when first using the tool we discovered a number of issues which Jesse and other IBM groups fixed.

    ------------------------------
    Jon Paris
    ------------------------------



  • 6.  RE: Import Certificate Store API - QykmImportKeyStore

    Posted Thu September 29, 2022 09:03 AM

    Hello Sarfaraj.

    I agree with the suggestion provided by Satid since prior to that fix, it was occasionally seen that certificates were being imported incorrectly as CA certificates.

    The major difference between a server certificate and a CA certificate from DCM's point of view is that a server certificate has an associated private key stored with that certificate in the certificate store; a CA certificate does not have a private key in the certificate store. It was seen that various platforms organize the contents of PKCS12 files differently, and the QykmImportKeyStore API needed to be updated; it now does a much better job of associating private keys that reside in a PKCS12 file with the correct certificate during import, so the certificate will be correctly imported as a server certificate instead of a CA.



    ------------------------------
    Thom Haze
    ------------------------------
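
    Because the server-versus-CA decision described above comes down to whether a private key is paired with the certificate, it helps to inspect the PKCS12 file before handing it to QykmImportKeyStore. The Java check below is an added example, not code from this thread or from the DCM-tools project; it assumes the file path and password are passed on the command line, and it reports which entries Java's own PKCS12 loader sees as key-plus-certificate pairs (what DCM would treat as server/client certs) versus certificate-only entries (what DCM would import as CA certs).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Hypothetical pre-import check for a PKCS12 file destined for QykmImportKeyStore. */
public class Pkcs12PreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs12PreCheck <file.p12> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no certificate)";
            if (ks.isKeyEntry(alias)) {
                // Key entry: the private key is paired with this certificate, so DCM
                // has what it needs to import it as a server/client certificate.
                PrivateKey key = (PrivateKey) ks.getKey(alias, password);
                keyEntries++;
                System.out.printf("KEY  %-24s %s (%s)%n", alias, subject, key.getAlgorithm());
            } else {
                // Trusted-certificate entry only: no private key, so DCM would
                // import this one as a CA certificate.
                System.out.printf("CERT %-24s %s%n", alias, subject);
            }
        }
        if (keyEntries == 0) {
            System.err.println("No key entries found: every certificate would import as CA only.");
            System.exit(1);
        }
    }
}
```

    If the renewed certificate shows up only as a CERT line here, the private key is not paired with it inside the PKCS12 file (for example, a mismatched localKeyId written by another tool), and no DCM-side PTF will change that; if it shows as KEY but still imports as CA, the APAR fix quoted above is the likely gap.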