Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Upcomming Trips

Social Networks

Popular Articles

Winmail.dat

Who am I?

Feeds

 Content
 Comments

Recent Entries

Microsoft requires DMARC
Balkonsolar - year two in
Bug: Mail routing and mai
Dezember 2024: AcceptIT A
Welcome Domino License An

Archives

April 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (2)
October 2024 (2)
September 2024 (1)
July 2024 (1)
May 2024 (2)
April 2024 (3)
March 2024 (1)
February 2024 (2)
January 2024 (5)
December 2023 (3)
November 2023 (2)
October 2023 (1)
September 2023 (4)
June 2023 (1)
April 2023 (3)
March 2023 (1)
February 2023 (1)
July 2022 (1)
September 2021 (1)
August 2021 (2)
May 2021 (1)
February 2021 (3)
January 2021 (1)
November 2020 (1)
October 2020 (2)
September 2020 (2)
March 2020 (1)
November 2019 (1)
August 2019 (1)
July 2019 (1)
March 2019 (1)
December 2018 (1)
November 2018 (1)
October 2018 (1)
September 2018 (1)
May 2018 (1)
January 2018 (1)
December 2017 (1)
November 2017 (1)
September 2017 (1)
March 2017 (2)
February 2017 (5)
November 2016 (1)
September 2016 (4)
April 2016 (1)
March 2016 (7)
January 2016 (1)
December 2015 (1)
November 2015 (3)
August 2015 (1)
July 2015 (2)
June 2015 (5)
May 2015 (5)
March 2015 (3)
February 2015 (2)
January 2015 (4)
December 2014 (3)
November 2014 (1)
September 2014 (4)
August 2014 (1)
May 2014 (4)
April 2014 (1)
March 2014 (2)
February 2014 (3)
January 2014 (2)
October 2013 (1)
September 2013 (1)
August 2013 (2)
July 2013 (2)
March 2013 (2)
February 2013 (4)
January 2013 (3)
December 2012 (2)
November 2012 (1)
October 2012 (2)
September 2012 (4)
August 2012 (3)
July 2012 (1)
June 2012 (6)
May 2012 (1)
February 2012 (2)
January 2012 (1)
December 2011 (4)
November 2011 (2)
September 2011 (1)
May 2011 (2)
March 2011 (1)
January 2011 (1)
November 2010 (5)
October 2010 (2)
September 2010 (2)
August 2010 (1)
July 2010 (3)
June 2010 (1)

IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client

Thomas Hampel
 22 September 2014
Following up on David's post, here is a WIMP's Guide to get a GUI version of an iKeyman which is supproting the CMS format that is used by the IBM HTTP Server.
iKeyman is actually part of your Notes Client, it is available in "/jvm/bin/ikeyman.exe" but this version does not provide support for CMS keystores unfortunately.
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
So what does it take to add support for the CMS format
There is a (much) longer method to get the same done by downloading a specific version of ikeyman which includes CMS support... but this I'll explain at the end of this post.

Here is the short version:

What you need:
  • Notes Client (which you should already have installed)
  • Text editor of your choice

Actions:
  • Edit the file /jvm/lib/security/java.security
  • Find the list of security providers, e.g. by searching for "security.provider", which should look like this:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=org.apache.harmony.security.provider.PolicyProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  • Append one new line at the end of this list, where [X] is the next integer value available
    security.provider.[X]=com.ibm.security.cmskeystore.CMSProvider
  • Save

So it should look like this:
{...}
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
{...}

Result:
Voila: CMS support is ready
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client

This blog post could end here but I'd like to share what someone would have to do without using the method above:

The (very) long route:
  1. Try downloading IBM HTTP Server from www.ibm.com/software/webservers/httpservers/download or here
  2. Recognize this website only offers version:  7.0.0.0 dated from 15 May 2009
  3. Try anyway and download and install v7.0.0
  4. Notice iKeyman in this version does not Subject Alternate Support
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  5. Read Technote 1444027
    Notice it clearly describes "later versions of IBM HTTP Server (IHS), after v7.0, do not require these special steps to enable SAN functionality."
  6. Conclude the Technote 1444027 is wrong or needs update
  7. Try downloading t he IBM HTTP Server trial 8.0 or 8.5
  8. Notice the web site does not offer a download link and only shows a blank page (why?)
  9. Get IBM HTTP Server in the latest version, (which is part of Websphere Application Server 8.5.5 Supplements disks, so its just 3 Gbyte to download)
  10. Install the IBM Installation Manager v1.8  and add the WAS Supplements folder location as a new repository
  11. Install IBM HTTP Server
  12. Launch iKeyman with CMS support and Subject Alternative Support
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  13. Notice that iKeyman is actually part of the Notes Client anyway and the same could have been done without all those actions before: priceless

For reference:
Creating a certificate request incl. Subject Alternate Names can be done by using the GSKTool command line version
/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"

Further reading:
Comments [1]
Tagged with: HTTPServer SSL
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.