Steps to convert IBM HTTP Server private keys to PEM format for APM CE

Article Id: 19256

Status: Published

Updated On: 14-02-2018 07:29

Legacy Id: TEC604588

Products:

CA Application Performance Management Agent (APM / Wily / Introscope) , INTROSCOPE

Issue/Introduction:

Description:

Steps to convert IBM HTTP Server private keys to PEM format for APM CE (CEM)

Solution:

Use the IBM KEY Management Utility (IKEYMAN Utility) to export the IBM key to a pkcs12 format file.

IKEYMAN is documented here: http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/2tabcontents.htm

Step 1: Export keys to a PKCS12 file with IKEYMAN:

Enter ikeyman on a command line in Unix or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select Key Database File from the main menu. Click Open.
In the Open dialog box, enter your key database name or click on key.kdb if you are using the default. Click OK.
In the Password Prompt dialog box, enter your correct password and click OK.
Select Personal Certificates in the Key Database content frame, then click the Export/Import button on the label.
In the Export/Import Key window:
- Select Export Key
- Select the PKCS12 database file type
- Enter the file name or use the Browse option
- Enter the correct file location

Click OK.
In the Password Prompt dialog box, enter the correct password, enter the password again to confirm, then click OK to export the selected key to a PKCS12 file.

<Please see attached file for image>

<Please see attached file for image>

Step 2: Use openssl to convert pkcs12 to PEM format:

[[email protected] tmp]# openssl pkcs12 -in abcd_w7.p12 -nocerts -nodes -out abcd_w7.pemEnter Import Password:MAC verified OK

Step 3: Check the TIM log to verify that the TIM can decrypt IBM HTTP Server traffic.

Here is an example Timlog snippet. Entries in green show a successful IBM PEM key upload. Entries in blue show the TIM successfully decrypting traffic.

Thu Nov 28 08:03:19 2013 16314 WebServer: POST request for /tess/PrivateKeyFile from 127.0.0.1Thu Nov 28 08:03:19 2013 16314 WebServer: data is encryptedThu Nov 28 08:03:19 2013 16314 WebServer: request forwarded from 10.135.45.143Thu Nov 28 08:03:19 2013 16314 SslPrivateKeyConfig: private key file readThu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: writing /etc/wily/cem/tim/config/webservers/10.135.45.143-10.135.45.143~443.xml-encThu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: defining SSL server group "10.135.45.143-10.135.45.143~443"Thu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: IP address(es) 10.135.45.143, TCP port 443Thu Nov 28 08:03:19 2013 16314 sslinterface: creating network handler for 10.135.45.143-10.135.45.143~443Thu Nov 28 08:03:26 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 openedThu Nov 28 08:03:26 2013 16314 Trace: Component #10 request: 10.135.45.143/home.html client=[10.135.47.180]:3084 server=[10.135.45.143]:443 at 08:03:26Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Port = 443.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req ClientIP = 10.135.47.180.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Path = /home.html.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept-Language = en-ind.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req User-Agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GIS IE 6.0 Build 20080321; BTRS112560; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; MS-RTC LM 8).Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept-Encoding = gzip, deflate.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Port = 443.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Path = /home.html.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept-Language = en-ind.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader User-Agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GIS IE 6.0 Build 20080321; BTRS112560; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; MS-RTC LM 8).Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept-Encoding = gzip, deflate.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Full host: 10.135.45.143Thu Nov 28 08:03:26 2013 16314 Trace: Component #10 request: no session id found for any appdefThu Nov 28 08:03:26 2013 16314 Trace: Component #10 does not match a transet definition or an expected componentThu Nov 28 08:03:26 2013 16314 Trace: Component #10 response header: status=200 at 08:03:26Thu Nov 28 08:03:26 2013 16314 Trace: Param: Resp Resp Status = 200.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Date = Thu, 28 Nov 2013 12:55:15 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Last-Modified = Thu, 28 Nov 2013 12:25:37 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp ETag = "70-4ec3bcfa132a7".Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Accept-Ranges = bytes.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Content-Length = 112.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Keep-Alive = timeout=10, max=100.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Content-Type = text/html.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: Response Status = 200.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Date = Thu, 28 Nov 2013 12:55:15 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Last-Modified = Thu, 28 Nov 2013 12:25:37 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader ETag = "70-4ec3bcfa132a7".Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Accept-Ranges = bytes.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Content-Length = 112.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Keep-Alive = timeout=10, max=100.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Content-Type = text/html.Thu Nov 28 08:03:26 2013 16314 Trace: Component #10 response body at 08:03:26Thu Nov 28 08:03:38 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 client RSTThu Nov 28 08:03:38 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 closed by client

Environment:

Release:
Component: APMCEM