ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Steps to convert IBM HTTP Server private keys to PEM format for APM CE
Article ID: 19256
Updated On:
Products
CA Application Performance Management Agent (APM / Wily / Introscope)
INTROSCOPE
Issue/Introduction
Description:
Steps to convert IBM HTTP Server private keys to PEM format for APM CE (CEM)
Solution:
Use the IBM KEY Management Utility (IKEYMAN Utility) to export the IBM key to a pkcs12 format file.
- IKEYMAN is documented here: http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/2tabcontents.htm
Step 1: Export keys to a PKCS12 file with IKEYMAN:
- Enter ikeyman on a command line in Unix or start the Key Management utility in the IBM HTTP Server folder on Windows.
- Select Key Database File from the main menu. Click Open.
- In the Open dialog box, enter your key database name or click on key.kdb if you are using the default. Click OK.
- In the Password Prompt dialog box, enter your correct password and click OK.
- Select Personal Certificates in the Key Database content frame, then click the Export/Import button on the label.
- In the Export/Import Key window:
- Select Export Key
- Select the PKCS12 database file type
- Enter the file name or use the Browse option
- Enter the correct file location
- Click OK.
- In the Password Prompt dialog box, enter the correct password, enter the password again to confirm, then click OK to export the selected key to a PKCS12 file.
<Please see attached file for image>
<Please see attached file for image>
Step 2: Use openssl to convert pkcs12 to PEM format:
[[email protected] tmp]# openssl pkcs12 -in abcd_w7.p12 -nocerts -nodes -out abcd_w7.pemEnter Import Password:MAC verified OK
Step 3: Check the TIM log to verify that the TIM can decrypt IBM HTTP Server traffic.
- Here is an example Timlog snippet. Entries in green show a successful IBM PEM key upload. Entries in blue show the TIM successfully decrypting traffic.
Thu Nov 28 08:03:19 2013 16314 WebServer: POST request for /tess/PrivateKeyFile from 127.0.0.1Thu Nov 28 08:03:19 2013 16314 WebServer: data is encryptedThu Nov 28 08:03:19 2013 16314 WebServer: request forwarded from 10.135.45.143Thu Nov 28 08:03:19 2013 16314 SslPrivateKeyConfig: private key file readThu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: writing /etc/wily/cem/tim/config/webservers/10.135.45.143-10.135.45.143~443.xml-encThu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: defining SSL server group "10.135.45.143-10.135.45.143~443"Thu Nov 28 08:03:19 2013 16314 SslPrivateKeyManager: IP address(es) 10.135.45.143, TCP port 443Thu Nov 28 08:03:19 2013 16314 sslinterface: creating network handler for 10.135.45.143-10.135.45.143~443Thu Nov 28 08:03:26 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 openedThu Nov 28 08:03:26 2013 16314 Trace: Component #10 request: 10.135.45.143/home.html client=[10.135.47.180]:3084 server=[10.135.45.143]:443 at 08:03:26Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Port = 443.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req ClientIP = 10.135.47.180.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Path = /home.html.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept-Language = en-ind.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req User-Agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GIS IE 6.0 Build 20080321; BTRS112560; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; MS-RTC LM 8).Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Accept-Encoding = gzip, deflate.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Param: Url Req Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Param: HTTP Req Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Port = 443.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Path = /home.html.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept-Language = en-ind.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader User-Agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GIS IE 6.0 Build 20080321; BTRS112560; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; MS-RTC LM 8).Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Accept-Encoding = gzip, deflate.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: URL Host = 10.135.45.143.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: RequestHeader Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Full host: 10.135.45.143Thu Nov 28 08:03:26 2013 16314 Trace: Component #10 request: no session id found for any appdefThu Nov 28 08:03:26 2013 16314 Trace: Component #10 does not match a transet definition or an expected componentThu Nov 28 08:03:26 2013 16314 Trace: Component #10 response header: status=200 at 08:03:26Thu Nov 28 08:03:26 2013 16314 Trace: Param: Resp Resp Status = 200.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Date = Thu, 28 Nov 2013 12:55:15 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Last-Modified = Thu, 28 Nov 2013 12:25:37 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp ETag = "70-4ec3bcfa132a7".Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Accept-Ranges = bytes.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Content-Length = 112.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Keep-Alive = timeout=10, max=100.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Param: RespHeader Resp Content-Type = text/html.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: Response Status = 200.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Date = Thu, 28 Nov 2013 12:55:15 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Last-Modified = Thu, 28 Nov 2013 12:25:37 GMT.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader ETag = "70-4ec3bcfa132a7".Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Accept-Ranges = bytes.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Content-Length = 112.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Keep-Alive = timeout=10, max=100.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Connection = Keep-Alive.Thu Nov 28 08:03:26 2013 16314 Trace: Meta: ResponseHeader Content-Type = text/html.Thu Nov 28 08:03:26 2013 16314 Trace: Component #10 response body at 08:03:26Thu Nov 28 08:03:38 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 client RSTThu Nov 28 08:03:38 2013 16314 Trace: [10.135.47.180]:3084->[10.135.45.143]:443 closed by client
Environment
Release:
Component: APMCEM
Component: APMCEM
Attachments
Feedback
Yes
No
Powered by
