Layer 7 Identity Management

How to configure SSL for imbulkloadclient 

08-18-2015 10:22 AM

If IdentityMinder (Identity Manager) has already been configured for SSL and you are setting up the bulk load client afterwards, imbulkloadclient must also be configured for SSL. The steps below walk you through the process.

 

 

Step 1: Identify the correct key store on the IM application server.
Locate java_home for the application server.
It is best to identify the environment variable in use for java_home (typically JAVA_HOME).
The JDK's default trust store (cacerts) is located here:
java_home\jre\lib\security\cacerts
(on a JRE-only install it is java_home\lib\security\cacerts). If the application server was configured for SSL with its own keystore rather than cacerts, use that keystore in the next step instead.

 

Step 2: Go to the keystore in use and export your CA cert chain.
keytool -list -v -keystore <your keystore name>
Enter the keystore password.
The above command lists all of the certs in the store with their aliases; you are looking for the certificate authority cert (and any intermediate CA cert) that issued your servers' certificates.
Once you have identified the cert, export it with:
keytool -export -alias <cert alias> -file <filename> -keystore <your keystore name>
Enter the keystore password.
This creates a cert file with the name you specified for <filename>. You can confirm what you exported before copying it anywhere with:
keytool -printcert -file <filename>

***If you receive a permissions error, it is probably because you cannot create files in the current directory; try a writable location such as /tmp/<filename>.

Copy the file to the bulk load client machine.

 

Step 3: On the server running the bulk load client, create a folder called sslkeystore.
Create the folder under the bulk loader directory, for example:
D:\BulkLoader\windows\caim-bulk-loader\sslkeystore
Place the file exported from the java_home keystore in the folder you just created.

 

Step 4: Import the exported cert into the bulk load client keystore.
cd to the sslkeystore directory you created and enter (this command also creates the keystore if it does not exist yet):
keytool -import -alias <aliasname> -file <filename> -keystore imbulkloadclientkeystore.jks
Enter a new keystore password (you will need it again in Step 5).
Choose yes when asked whether to trust the cert.
If you exported more than one cert (root plus intermediate), repeat the import for each file with its own alias.

 

Step 5: Edit the bulk load client .bat to use SSL.
Change these lines:
set TRUSTSTORE=%HOMEDRIVE%%HOMEPATH%\.imbulkloadclientkeystore
set TRUSTSTORE_PASSWORD=changeit
to:
set TRUSTSTORE=..\sslkeystore\imbulkloadclientkeystore.jks
set TRUSTSTORE_PASSWORD=<password you typed during the import>
The trust store holds only public CA certificates, so its password protects the file's integrity rather than a secret; still, restrict who can read and modify the .bat and the sslkeystore folder, since whoever can swap the trust store can make the client trust a different server.

 

At this point the bulk load client will be able to make SSL connections to IdentityMinder.

 

Also, if you are using Java 1.7, see another cause of the issue below:

 

Error message:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

 

Just renamed the _uninst folder below "Bulk Loader"; this forces bulkloaderclient to use the OS Java (1.7) instead of the Java embedded with bulkloaderclient (1.6).

 

Searching on Google, there is a bug/problem where Java 1.7 sends an "extra" Hello message which, depending on the format, will cause a disconnection.


Comments

11-09-2015 05:21 PM

Great info, Bill!

 

Wanted to offer a validation check process that I have been using at customer sites, where it is difficult to find the "correct CA" being used.

 

The IM solution's IMPS (provisioning server) has the openssl binary included.

/opt/CA/IdentityManager/ProvisioningServer/bin/openssl

 

The openssl binary may also be part of the OS, or ship within CA SiteMinder, or be downloaded.

/opt/CA/siteminder/etpki-install/bin/openssl

/usr/lib64/openssl

 

There is one particular feature of openssl that has value in "finding" the correct CA certificate from the view of the "client server".

 

Use the following command line:

 

openssl s_client -connect HOSTNAME:PORT -showcerts
(check that the service is listening on a NIC and not just on localhost, with netstat -an)

Note: openssl opens a "session"; use Ctrl-C to break out or type exit. (To view help: openssl s_client -help)

 

Example below, connecting to one of the IMPD DSAs on TCP 20394. The switch "-showcerts" will include not only the "SERVER" cert but also the "CA" cert (assuming this is not a "self-signed cert").

 

The certs may be "copied" (one at a time or both together) from the display (using the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers) and saved as text files with the extension "der". These "der" files can then be imported per the same steps listed above for Step #4 with the Java JDK binary "keytool". You may import both, but you only NEED the CA cert.

 

Note:  This process will also work for "self-signed certs" but you will need to copy just the one cert that is displayed.

 

After you import, you can re-run the openssl command again, to see how it responds.

 

 

[root@sandbox01 opt]# openssl s_client -connect sandbox01:20394 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = NY, L = Islandia, O = Identity Management, OU = Provisioning Services
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
   i:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
-----BEGIN CERTIFICATE-----
MIIDSzCCArSgAwIBAgICATcwDQYJKoZIhvcNAQEFBQAwazELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhJc2xhbmRpYTEcMBoGA1UEChMTSWRlbnRp
dHkgTWFuYWdlbWVudDEeMBwGA1UECxMVUHJvdmlzaW9uaW5nIFNlcnZpY2VzMB4X
DTA3MTEyODA4MjYwMVoXDTE3MTEyNTA4MjYwMVowbTELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAk5ZMRwwGgYDVQQKExNJZGVudGl0eSBNYW5hZ2VtZW50MR4wHAYDVQQL
ExVQcm92aXNpb25pbmcgU2VydmljZXMxEzARBgNVBAMUCmV0YV9zZXJ2ZXIwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKfDMksQeB+VAzMCGMWFl617BRrrZl0W
PAzCjt5GuPE7ceEdtQHh4VKjbZpp9u9rySRRCECwQomScUDFZ+eozAIZ5WvUk8IA
wF+7qJ7GnkBw9rBLZ7KzVZtooz0dH4rEhX1V0jy5UuPHzC/YacjxSR3qzM+jVFpl
OXbhl9UxFc6xAgMBAAGjgfswgfgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFMmVElyriyS6
dQroAhwmn9S+DGvVMIGdBgNVHSMEgZUwgZKAFBIzatHaFgMtKHN9BDlhcPDIpH53
oW+kbTBrMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCElzbGFu
ZGlhMRwwGgYDVQQKExNJZGVudGl0eSBNYW5hZ2VtZW50MR4wHAYDVQQLExVQcm92
aXNpb25pbmcgU2VydmljZXOCCQDS9BvlyoIiqDANBgkqhkiG9w0BAQUFAAOBgQCS
/wM4qgreDh5uri3WL3JfDkg3jbgPtg3qPfTr1Ugg7Mo/OYbY1iK5iNyCleAQDDV5
e/vRdD9isLoW/2yD/AdT6gA5RpH0QmyyVhVE1zyjeM2TRqHIvd3zIREdZx6V7EzC
hnAwDnJDPJhTghgG7R1jSMGBudxdZVHFZkSMikhtEA==
-----END CERTIFICATE-----
 1 s:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
   i:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
-----BEGIN CERTIFICATE-----
MIIDJTCCAo6gAwIBAgIJANL0G+XKgiKoMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMISXNsYW5kaWExHDAaBgNVBAoT
E0lkZW50aXR5IE1hbmFnZW1lbnQxHjAcBgNVBAsTFVByb3Zpc2lvbmluZyBTZXJ2
aWNlczAeFw0wNzExMjgwODI1NTBaFw0xNzEwMDYwODI1NTBaMGsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMISXNsYW5kaWExHDAaBgNVBAoTE0lk
ZW50aXR5IE1hbmFnZW1lbnQxHjAcBgNVBAsTFVByb3Zpc2lvbmluZyBTZXJ2aWNl
czCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuXFJ8Uqw2uAOxbb0XfPZG38m
KPNiFnD3MlpYTuiiOXx7+hzL/EXrqKsOd4XXZYixP2Jq56ti9zg2dwgmxRGLge4W
1DDW5W8bqAen0QprHe6TGTCSvTd99ltGVNJXsG8rF9jZNnJqoo1DKYhNS7Kz7rNC
2Kkhp6mrbWMFVuNGiVMCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUEjNq0doWAy0oc30E
OWFw8MikfncwgZ0GA1UdIwSBlTCBkoAUEjNq0doWAy0oc30EOWFw8Mikfnehb6Rt
MGsxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMISXNsYW5kaWEx
HDAaBgNVBAoTE0lkZW50aXR5IE1hbmFnZW1lbnQxHjAcBgNVBAsTFVByb3Zpc2lv
bmluZyBTZXJ2aWNlc4IJANL0G+XKgiKoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
AQEFBQADgYEApf9rcEfB2sKijPQBjXg2y0ezxZwxRE/dnw4J1A/3TmLrOYDAHb/w
CuANmPD03xIyzVkgb1wW5j9zipcirAGhuGCaOVoblUiU5nghOeVOQH4Yen7sMB03
KUbqY5+Q4iR2MeET+G+lbJQjSD0tSlkXusqIfd5ZHwYVhonxRUEFIoU=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
issuer=/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
---


Example: Checking a server CERT (remote) against a local keystore.

[root@sandbox01 ssld]# pwd
/opt/CA/Directory/dxserver/config/ssld
[root@sandbox01 ssld]# openssl s_client -connect sandbox01:20394 -verify 5 -showcerts -CAfile impd_trusted.pem

I have found this useful as well for checking a customer's Active Directory domain CA SSL certificate, and pulling it for use with CA IMPS (provisioning server).


Cheers,

 

A.
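A small Python tool, added here as an example (it is neither CA's code nor the posters' code), that does what Steps 2 to 4 of the post and the openssl check in the comment above do by hand: it splits the chain that `openssl s_client -showcerts` prints into individual certificates, checks that the chain is consistent (each cert's issuer is the subject of the next cert up, and the top one is self-signed), selects the CA cert(s) to trust rather than the server cert, and writes them to files named by an alias ready for the Step 4 `keytool -import`. The sample input is constructed to mirror the output posted above, with placeholder Base64 bodies rather than real certificates; the only assumption about real output is the "s:" / "i:" / PEM layout of each chain entry. One point worth knowing: what s_client prints is PEM text (Base64 between BEGIN/END markers), and `keytool -import` reads either PEM or DER, so the file extension you save it under does not matter.

```python
"""Split the chain printed by `openssl s_client -showcerts`, pick the CA
cert(s) a trust store needs, and write them out for `keytool -import`.
Added example for this thread (not CA's code); it assumes only the layout
s_client prints: a numbered "s:" line, an "i:" line, then a PEM block."""
import base64
import re
import tempfile
from pathlib import Path


def _placeholder_pem_body(tag: bytes) -> str:
    # Constructed stand-in for a certificate body: valid Base64 of arbitrary
    # bytes, NOT a real certificate, so the sample stays short and offline.
    b64 = base64.b64encode(tag * 20).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


# Constructed sample modelled on the s_client output posted in the thread.
SAMPLE_OUTPUT = f"""CONNECTED(00000003)
depth=1 C = US, ST = NY, L = Islandia, O = Identity Management, OU = Provisioning Services
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
   i:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
-----BEGIN CERTIFICATE-----
{_placeholder_pem_body(b'leaf')}
-----END CERTIFICATE-----
 1 s:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
   i:/C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
-----BEGIN CERTIFICATE-----
{_placeholder_pem_body(b'root')}
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
---
"""

CHAIN_ENTRY = re.compile(
    r"^\s*(?P<index>\d+)\s+s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.M | re.S,
)


def parse_chain(s_client_output: str) -> list[dict]:
    """Return the chain entries in the order the server sent them (0 = server cert)."""
    return [
        {"index": int(m["index"]), "subject": m["subject"].strip(),
         "issuer": m["issuer"].strip(), "pem": m["pem"] + "\n"}
        for m in CHAIN_ENTRY.finditer(s_client_output)
    ]


def is_self_signed(cert: dict) -> bool:
    return cert["subject"] == cert["issuer"]


def chain_is_consistent(certs: list[dict]) -> bool:
    """Each cert's issuer must be the subject of the next cert up the chain."""
    return all(lo["issuer"] == hi["subject"] for lo, hi in zip(certs, certs[1:]))


def select_trust_anchors(certs: list[dict]) -> list[dict]:
    """Certs to import: every CA above the server cert, or the server cert itself
    when it is the only (self-signed) one, as the comment above notes."""
    if not certs:
        raise ValueError("no 'Certificate chain' section found in s_client output")
    if not chain_is_consistent(certs):
        raise ValueError("chain is broken: an issuer does not match the next subject")
    return certs if len(certs) == 1 else certs[1:]


def pem_to_der(pem: str) -> bytes:
    """s_client prints PEM; keytool -import accepts PEM or DER, so the binary
    form is only needed for tools that insist on DER."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def write_for_keytool(certs: list[dict], out_dir) -> list[tuple[str, Path]]:
    """Write each cert as <alias>.pem and <alias>.der; the alias comes from the
    last RDN of the subject and is what to pass to keytool -import -alias."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for c in certs:
        last_rdn = c["subject"].rstrip("/").split("/")[-1]
        alias = re.sub(r"[^A-Za-z0-9]+", "_", last_rdn).strip("_").lower() or f"chain{c['index']}"
        (out / f"{alias}.pem").write_text(c["pem"])
        (out / f"{alias}.der").write_bytes(pem_to_der(c["pem"]))
        written.append((alias, out / f"{alias}.pem"))
    return written


def run_demo(out_dir=None) -> list[tuple[str, Path]]:
    out_dir = out_dir or tempfile.mkdtemp(prefix="imbulkload_ca_")
    return write_for_keytool(select_trust_anchors(parse_chain(SAMPLE_OUTPUT)), out_dir)


if __name__ == "__main__":
    for alias, path in run_demo():
        print(f"keytool -import -alias {alias} -file {path} -keystore imbulkloadclientkeystore.jks")
```

To use it on a real server, redirect the s_client output to a file and pass its contents to parse_chain. The "verify error:num=19" line in the posted output is expected until the CA is in the trust store; after the keytool import, the -CAfile check in the comment above is the way to confirm the chain now verifies.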

10-20-2015 09:33 AM

Fixed that typo. Thanks!

10-20-2015 03:49 AM

Title should be SSL instead of SLL?

08-18-2015 11:03 AM

Done!

08-18-2015 10:24 AM

kristen.palazzolo

  This does not exist in the IdentityMinder guides, can you mark this as official?

 

Thanks,

Bill
