IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
Thomas Hampel
22 September 2014
Following up on David's post, here is a WIMP's Guide to getting a GUI version of iKeyman which supports the CMS format used by the IBM HTTP Server.
iKeyman is actually part of your Notes Client; it is available in "
So what does it take to add support for the CMS format?
There is a (much) longer way to achieve the same by downloading a specific version of iKeyman which includes CMS support, but I'll explain that at the end of this post.
Here is the short version:
What you need:
- Notes Client (which you should already have installed)
- Text editor of your choice
Actions:
- Edit the file /jvm/lib/security/java.security
- Find the list of security providers, e.g. by searching for "security.provider"; it should look like this:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
- Append one new line at the end of this list, where [X] is the next integer value available:
security.provider.[X]=com.ibm.security.cmskeystore.CMSProvider
- Save the file
So it should look like this:
{...}
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
{...}
Result:
Voila: CMS support is ready
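The edit above as a small script, added here as an example and not part of the original post: it finds the next free provider number, refuses to register the CMS provider twice, and checks that the numbering stays contiguous, because the JVM reads security.provider.1, .2, ... and stops at the first missing number. The sample java.security fragment is constructed, and the file path passed to patch_java_security is whatever your Notes Client installation uses.

```python
import re
from pathlib import Path

CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed java.security fragment mirroring the provider list in the post.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""

def parse_providers(text):
    """Map preference number -> provider class for every security.provider.N line."""
    return {int(m.group(1)): m.group(2)
            for m in map(PROVIDER_RE.match, text.splitlines()) if m}

def add_cms_provider(text, provider=CMS_PROVIDER):
    """Return (patched_text, N) with `provider` registered as security.provider.N.
    Idempotent, and refuses a non-contiguous list: the JVM reads .1, .2, ... and
    stops at the first missing number, so a gap hides every later provider."""
    providers = parse_providers(text)
    if not providers or sorted(providers) != list(range(1, len(providers) + 1)):
        raise ValueError(f"provider numbering is not contiguous from 1: {sorted(providers)}")
    for n, cls in providers.items():
        if cls == provider:
            return text, n  # already registered: nothing to do
    n = len(providers) + 1
    lines = text.splitlines(keepends=True)
    last = max(i for i, line in enumerate(lines) if PROVIDER_RE.match(line))
    if not lines[last].endswith("\n"):
        lines[last] += "\n"
    lines.insert(last + 1, f"security.provider.{n}={provider}\n")  # the post's step
    return "".join(lines), n

def patch_java_security(path):
    """Patch the file in place, keeping a .bak copy; returns the index used."""
    original = Path(path).read_text()
    patched, n = add_cms_provider(original)
    if patched != original:
        Path(str(path) + ".bak").write_text(original)
        Path(path).write_text(patched)
    return n
```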
This blog post could end here, but I'd like to share what someone would have to do without the method above:
The (very) long route:
- Try downloading IBM HTTP Server from www.ibm.com/software/webservers/httpservers/download or here
- Recognize that this website only offers version 7.0.0.0, dated 15 May 2009
- Try anyway: download and install v7.0.0
- Notice that iKeyman in this version does not support Subject Alternative Names
- Read Technote 1444027
- Notice that it clearly states "later versions of IBM HTTP Server (IHS), after v7.0, do not require these special steps to enable SAN functionality."
- Conclude that Technote 1444027 is wrong or needs an update
- Try downloading the IBM HTTP Server trial 8.0 or 8.5
- Notice that the website does not offer a download link and only shows a blank page (why?)
- Get the latest version of IBM HTTP Server (which is part of the WebSphere Application Server 8.5.5 Supplements disks, so it's just 3 Gbyte to download)
- Install the IBM Installation Manager v1.8 and add the WAS Supplements folder location as a new repository
- Install IBM HTTP Server
- Launch iKeyman with CMS support and Subject Alternative Name support
- Notice that iKeyman is actually part of the Notes Client anyway and the same could have been achieved without all of the steps above: priceless
For reference:
Creating a certificate request including Subject Alternative Names can also be done with the GSKCapiCmd command line tool (gskcapicmd), for example:
/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"
Further reading:
- Wikipedia Article subjectAltName
- GSKCapiCmd User's Guide (for GSKit version 8)
- Blog post IBM HTTP Server / IBM Global Security Toolkit - Commanding the line by David Hay