GSKit How To

How to enable editing CMS KDB with iKeyman

for GSKit 8.0+

The iKeyman bundled with the IBM JRE only offers the CMS key database type once the CMS provider is listed in java.security. IBM ships the entry commented out; <n> below stands for whatever number it carries in the shipped file. Back java.security up first, then uncomment the line and give it the number that follows the last active security.provider entry (10 here assumes entries 1-9 exist; adjust it), because Java stops reading the provider list at the first gap and a duplicate number shadows an existing provider:

sed -i 's/^# *security.provider.<n>=com.ibm.security.cmskeystore.CMSProvider/security.provider.10=com.ibm.security.cmskeystore.CMSProvider/' /opt/ibm/ldap/V6.4/java/jre/lib/security/java.security

then run

/opt/ibm/ldap/V6.4/java/jre/bin/ikeyman
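The same edit as a script that backs the file up, picks the next free provider number itself, and verifies the result; this is an added example, not code from the page, and it assumes GNU sed (-i). The java.security contents it is exercised against are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enable the IBM CMS keystore provider
# in a java.security file so the bundled iKeyman can open CMS key databases.
# Assumes GNU sed (-i). The java.security content used in testing is constructed.
set -u

CMS_PROVIDER='com.ibm.security.cmskeystore.CMSProvider'
CMS_RE='com\.ibm\.security\.cmskeystore\.CMSProvider'   # same name, regex-escaped

# Highest N among active (uncommented) security.provider.N entries; empty if none.
max_provider_num() {
    grep -E '^security\.provider\.[0-9]+=' "$1" \
        | sed -E 's/^security\.provider\.([0-9]+)=.*/\1/' \
        | sort -n | tail -n 1
}

# Enable the CMS provider in the java.security file given as $1.
# Returns 0 when the provider is active afterwards, 1 otherwise.
enable_cms_provider() {
    local f n
    f=$1
    if grep -qE "^security\.provider\.[0-9]+=${CMS_RE}\$" "$f"; then
        return 0                                   # already active, nothing to do
    fi
    n=$(max_provider_num "$f")
    n=$(( ${n:-0} + 1 ))                           # next free slot: Java stops reading at the first gap
    cp -p "$f" "$f.bak"                            # a broken provider list disables JCE for every tool on this JRE
    if grep -qE "^# *security\.provider\.[0-9]+=${CMS_RE}\$" "$f"; then
        # uncomment IBM's template line, renumbering it to follow the last active provider
        sed -i -E "s|^# *security\.provider\.[0-9]+=${CMS_RE}\$|security.provider.${n}=${CMS_PROVIDER}|" "$f"
    else
        printf 'security.provider.%s=%s\n' "$n" "$CMS_PROVIDER" >> "$f"
    fi
    grep -qE "^security\.provider\.${n}=${CMS_RE}\$" "$f"
}

# Usage: enable_cms.sh /opt/ibm/ldap/V6.4/java/jre/lib/security/java.security
if [ $# -gt 0 ]; then
    enable_cms_provider "$1" && echo "CMS provider enabled in $1 (backup in $1.bak)"
fi
```

Run it against the JRE that ikeyman actually starts from; a second run is a no-op, and the .bak copy is what you restore if any Java tool on that JRE starts failing with provider errors afterwards.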

How to test if SSLv3 is enabled

openssl s_client -connect <server>:<port> -ssl3

If the handshake completes (the output names a negotiated cipher rather than "Cipher is (NONE)"), SSLv3 is enabled; an alert, "unsupported protocol" or "wrong version number" means it is disabled. Note that OpenSSL 1.1.0 and later are built without SSLv3 unless configured with enable-ssl3, so s_client may reject -ssl3 as an unknown option; that failure says nothing about the server. In that case, or as a cross-check, run nmap cipher discovery:

nmap --script ssl-enum-ciphers -p 443 <server>

The script lists the ciphers it could negotiate under each protocol version; a server with SSLv3 disabled shows no SSLv3 section at all.
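Probing every version in one go, and separating "the server refused" from "this openssl build cannot even ask", as an added example rather than a command from the page. It assumes openssl and coreutils timeout on the path; the s_client transcripts it is checked against are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): probe which SSL/TLS versions a server
# accepts, one openssl s_client handshake per version, and tell "the server refused"
# apart from "this openssl build cannot even ask". Assumes openssl and coreutils
# timeout; the s_client transcripts used in testing are constructed.
set -u

# Classify one s_client transcript (stdout and stderr merged):
#   enabled      a session was negotiated with the requested version
#   disabled     the server rejected it (alert, wrong version, no shared cipher)
#   untestable   this openssl build lacks the version (e.g. built without enable-ssl3)
#   unreachable  no TCP connection, so the result says nothing about SSL at all
classify_handshake() {
    case $1 in
        *"nknown option"*|*"no protocols available"*)      echo untestable ;;
        *"connect:errno"*|*"Connection refused"*)          echo unreachable ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"unsupported protocol"*|*"wrong version number"*)
                                                           echo disabled ;;
        *"Cipher is "*)                                    echo enabled ;;
        *)                                                 echo disabled ;;
    esac
}

# Probe one version flag (-ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3) against host:port.
probe_version() {
    local host port flag sni out
    host=$1; port=$2; flag=$3
    sni=""
    [ "$flag" = -ssl3 ] || sni="-servername $host"   # SNI is a TLS extension; SSLv3 has none
    # echo closes stdin so s_client returns right after the handshake instead of waiting
    out=$(echo | timeout 15 openssl s_client -connect "$host:$port" $sni "$flag" 2>&1)
    classify_handshake "$out"
}

# One line per version for a host; port defaults to 443.
probe_all() {
    local host port flag
    host=$1; port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

if [ $# -gt 0 ]; then probe_all "$@"; fi
```

A "disabled" verdict can also come from a server that supports the version but shares no cipher with your client, so treat nmap's per-version cipher list as the authoritative answer and this as the quick check.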

How to change password on a key db

Back the database up first (the .kdb together with its .sth, .rdb and .crl files); this operation can corrupt the key database. gsk7cmd needs the current password (-pw) as well as the new one, and -stash rewrites the stash file so the server can keep opening the database without a prompt:

C:\Program Files\IBM\gsk7\bin>gsk7cmd -keydb -changepw -db "c:\Program Files\Tivoli\PDWeb\keytab-default\default-webseald.kdb" -pw <current password> -new_pw pdsrv -stash

How to create a cert request

  1. install gskit7
  2. make sure JAVA_HOME is defined and that c:\program files\java142\bin and c:\program files\java142\lib are on the PATH
  3. start gsk7ikm
  4. create a new db in CMS format (kdb) and stash the password into a file (just in case)
  5. click Create -> New Certificate Request
  6. the Common Name must be the exact host name clients will type, including the www. prefix when that is what they use; anything else produces a name-mismatch warning. Browsers today match on the Subject Alternative Name rather than the CN, so make sure the CA adds one or request it yourself (gsk8capicmd_64 -certreq -create accepts -san_dnsname)
  7. save the request as an .arm file and submit it to the CA

How to create an SSL certificate keytab

  1. Log in to a server that has a working GSKit 7 installation (adcontroller)
  2. Run c:\program files\ibm\gsk7\bin\gsk7ikm
  3. Key Database File -> New
  4. Key database type: CMS
  5. File name: httpserver-ihs.kdb
  6. Location: pick a temporary location (c:\program files\ibm\keydb)
  7. Password: pick one you can remember (for example IsslGSK7Util!)
  8. Tick "Stash the password", click OK
  9. Create -> New Certificate Request
  10. Key label: server name (HTTPSERVER)
  11. CN: fully qualified host name (HTTPSERVER.xxx.com)
  12. Organization: company name
  13. Name: path\hostname.arm (c:\program files\ibm\keydb\httpserver.arm). Click OK twice
  14. Browse to the CA server http://adcontroller/CertSrv. Click "Request a certificate", then "advanced certificate request", then the option to submit a base-64-encoded request
  15. Copy/paste the contents of the .arm file that was just created
  16. Set the certificate template to Web Server, click Submit
  17. Select Base 64 and click "Download certificate" (not the chain)
  18. Back in gsk7ikm select "Signer Certificates" and click "Add". Add the AD CA's own certificate (the root, plus any intermediate that signed yours); if you don't have it, export it from the Certification Authority MMC on the AD CA as a Base-64 encoded X.509 certificate. iKeyman refuses to receive a certificate whose issuer is not already present as a signer
  19. Now select "Personal Certificates", click "Receive" and pick the IHS certificate that was just signed (.cer)
  20. Click "Extract Certificate" and save it Base-64 encoded as c:\IBMHTTPServer\keytab\httpserver-ihs.arm. This is the public certificate for clients that need to trust the server, not a backup: the private key lives only in the .kdb (opened with the .sth), so back those two files up together and keep them readable by the server account alone
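The same create / request / receive / extract sequence driven by the GSKit 8 command line (gsk8capicmd_64) instead of the iKeyman GUI, as an added example that is not part of the page. File names, the label, the DN and the "AD CA" signer label are illustrative, -san_dnsname assumes a GSKit 8 build that supports it, and DRY_RUN=1 prints the commands instead of executing them, which is how the script is exercised on a machine without GSKit.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the create-KDB / request / receive /
# extract sequence above, driven by the GSKit 8 command line (gsk8capicmd_64)
# instead of the iKeyman GUI. File names, labels and the DN are illustrative;
# -san_dnsname assumes a GSKit 8 build that supports it. DRY_RUN=1 prints the
# commands instead of running them (used for testing without GSKit installed).
set -u

GSK=${GSK:-gsk8capicmd_64}

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The CN must be the fully qualified name clients connect to (step 11 above):
# a short name like HTTPSERVER yields a certificate browsers will never match.
check_fqdn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Steps 3-8: CMS key database with a stash file next to it.
create_kdb() {  # kdb password
    run "$GSK" -keydb -create -db "$1" -pw "$2" -type cms -stash
}

# Steps 9-13: key pair plus request. 2048-bit RSA / SHA-256 is the floor current
# CAs accept; the SAN repeats the host name because browsers ignore the CN.
create_request() {  # kdb label fqdn org outfile
    check_fqdn "$3" || { echo "CN must be a fully qualified host name: $3" >&2; return 1; }
    run "$GSK" -certreq -create -db "$1" -stashed -label "$2" -dn "CN=$3,O=$4" \
        -size 2048 -sigalg sha256 -san_dnsname "$3" -file "$5"
}

# Steps 18-19: the issuing CA's certificate must be a signer before the issued
# certificate can be received into the personal certificates.
receive_cert() {  # kdb ca_cert_file issued_cert_file
    run "$GSK" -cert -add -db "$1" -stashed -label "AD CA" -file "$2" -format ascii \
    && run "$GSK" -cert -receive -db "$1" -stashed -file "$3" -format ascii
}

# Step 20: public certificate only, for clients that need to trust the server.
extract_cert() {  # kdb label outfile
    run "$GSK" -cert -extract -db "$1" -stashed -label "$2" -target "$3" -format ascii
}

# Usage: mkrequest.sh httpserver-ihs.kdb 'Secret1!' HTTPSERVER httpserver.example.com 'Example Corp' httpserver.arm
if [ $# -eq 6 ]; then
    create_kdb "$1" "$2" && create_request "$1" "$3" "$4" "$5" "$6"
fi
```

The -pw on create_kdb lands in shell history and the process list; every later step uses -stashed so the password is never typed again, which is the point of the stash file.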

How to do the wireshark ssl decryption

This works only when the session uses RSA key exchange, where the client encrypts the premaster secret with the server's RSA public key; "one way SSL" (server-authenticated only) is the usual setup for that but is not the deciding factor. With (EC)DHE cipher suites or TLS 1.3 the server's private key never touches the session keys, so the RSA key list decrypts nothing and you need the session secrets instead (SSLKEYLOGFILE from a client you control). Save the server's _private_ key unencrypted in PEM format (see "How to export a private key from a CMS KDB or PKCS12" below). In Wireshark click Edit -> Preferences, expand Protocols, type ssl (tls in current releases) to jump to it, and in the "RSA keys list" enter the server IP, the port, the dissector to apply to the decrypted payload, and the key file:
xxx.23.0.22,636,ldaps,c:\2\key.pem

The key must belong to the certificate the server actually presents; after a certificate renewal the old key fails silently, so compare the public key derived from the key file with the one in the served certificate before blaming the capture.

How to encrypt big files with ssl

Basically, it boils down to this. Generate a secret key. Note that -pass file: reads only the first line of the file, so a raw binary key (the original dd if=/dev/random of=secretkey bs=1k count=1) is silently truncated at the first newline byte, and dd can also return short on a blocking /dev/random; hex output avoids both:

openssl rand -hex 32 > secretkey

Symmetric encryption. The original used -blowfish; Blowfish is a 64-bit block cipher, exposed to Sweet32 on exactly the large inputs this section is about, and in OpenSSL 3 it only loads from the legacy provider. Use AES, and add -pbkdf2, because without it openssl enc derives the key with a single MD5 (OpenSSL 1.0) or SHA-256 (1.1+) round:

openssl enc -aes-256-cbc -pbkdf2 -pass "file:secretkey" < bigfile > bigfile.enc

Symmetric decryption:

openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:secretkey" < bigfile.enc > bigfile

openssl enc provides no integrity protection: a modified ciphertext decrypts to garbage, or to a padding error, with no indication of tampering, so store a MAC over the ciphertext alongside it and check it before decrypting.
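The encrypt-then-MAC version of the above, as an added example rather than the page's own commands: a two-line key file that survives the first-line-only behaviour of -pass file:, PBKDF2 key derivation, and an HMAC-SHA256 tag that is verified before anything is decrypted. It assumes OpenSSL 1.1.1 or later for -pbkdf2; the plaintext used in testing is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: symmetric file encryption with
# openssl enc as above, but with a key file that survives -pass file: (which reads
# only the first line), PBKDF2 instead of the legacy one-round key derivation,
# and an HMAC over the ciphertext so tampering is detected before decryption.
# Assumes OpenSSL 1.1.1+ (-pbkdf2). The sample plaintext in the test is constructed.
set -u

# Key file: line 1 is the encryption passphrase (what -pass file: reads),
# line 2 is a separate MAC key. Hex keeps both free of newlines and NULs.
gen_key() {  # keyfile
    ( umask 077; { openssl rand -hex 32; openssl rand -hex 32; } > "$1" )
}

mac_key() { sed -n 2p "$1"; }

# Encrypt-then-MAC: ciphertext in $3, hex tag in $3.hmac.
# (-hmac puts the MAC key on the command line, visible in ps; fine for a demo,
#  use -mac HMAC with a key file or a dedicated tool where that matters.)
encrypt_file() {  # keyfile in out
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass "file:$1" -in "$2" -out "$3" \
    && openssl dgst -sha256 -hmac "$(mac_key "$1")" "$3" | awk '{print $NF}' > "$3.hmac"
}

# Verify the tag first; refuse to decrypt anything that does not authenticate,
# so a tampered file never produces a plausible-looking plaintext.
decrypt_file() {  # keyfile in out
    local want have
    want=$(cat "$2.hmac")
    have=$(openssl dgst -sha256 -hmac "$(mac_key "$1")" "$2" | awk '{print $NF}')
    if [ "$want" != "$have" ]; then
        echo "HMAC mismatch on $2: ciphertext modified or wrong key" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$1" -in "$2" -out "$3"
}

# Usage: filecrypt.sh enc|dec <keyfile> <in> <out>
case ${1:-} in
    enc) encrypt_file "$2" "$3" "$4" ;;
    dec) decrypt_file "$2" "$3" "$4" ;;
esac
```

The -iter value must be the same on both sides, and the key file is the only secret: whoever holds it can both decrypt and forge tags, so it needs the same handling as the private keys elsewhere on this page.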

How to export a private key from a CMS KDB or PKCS12

If starting from a KDB, first open it in iKeyman and export the personal certificate into PKCS12 format. Then run

openssl pkcs12 -in reaar.p12 -out reaar.pem -nocerts -nodes

-nocerts drops the certificates and -nodes writes the private key unencrypted, which is what Wireshark needs and also why the resulting file must be protected (chmod 600) and deleted once the capture analysis is done. Tested with the Cygwin OpenSSL; the output works in the Wireshark SSL decryption above.

How to import Microsoft PFX into an IBM KDB

1) Have iKeyman installed and configured on your desktop (not required but recommended)
2) Double-click the PFX on your desktop and run through the import wizard. Accept the defaults except one: tick "Mark this key as exportable", which is off by default; without it step 4 can export the certificate but not its private key
3) Start iKeyman. Click File -> Open and in the database type select "Microsoft Certificate Store"
4) Select the certificate you just imported and hit "Export/Import". Select PKCS12 as the key type and export it. Any non-empty password will do. Now you have a PKCS12 file in the layout iKeyman expects
5) Hit Open in iKeyman again, select PKCS12 as the database type and open the file you just exported
6) Select "Signer Certificates" and delete the signer (CA) certificate it carries. The target KDB normally already holds that CA under its own label, and importing a second copy fails with a label or duplicate-certificate collision
7) Hit Open in iKeyman again, select CMS and pick the key database you need the certificate imported into (finally)
8) Hit "Export/Import", select Import, PKCS12 as the key type, and import it. Done with the import
9) NOW delete the temporary PKCS12 file and the certificate from your desktop's certificate store: run mmc, add the Certificates snap-in, browse to Personal -> Certificates and hit Del. Every copy of the PFX or PKCS12 is a copy of the server's private key
10) Done
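The OpenSSL side of the three sections above in one script, as an added example that is not part of the page: it pulls the unencrypted key PEM out of a PKCS12/PFX for the Wireshark RSA keys list and checks that the key matches the certificate, and it repacks a PFX as a PKCS12 holding only the end-entity certificate and key (the CLI equivalent of deleting the signer in step 6) so iKeyman can import it without a signer collision. The CA, server certificate and PFX it builds for itself are throwaway test data; file names, the "server" friendly name and the passwords are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): given a PKCS#12/PFX exported from
# Windows or iKeyman, (a) extract the unencrypted private key PEM that Wireshark's
# RSA keys list needs and confirm it matches the certificate, and (b) repack a
# PKCS#12 holding only the end-entity cert and key, CA chain stripped, so iKeyman
# imports it into a CMS KDB without signer-label collisions.
# The CA, server cert and PFX built by make_fixture are self-generated test data.
set -u

# Unencrypted private key out of a PKCS#12 (the key file Wireshark wants).
export_key_pem() {  # pfx pfx_password out_pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null \
        && chmod 600 "$3"   # -nodes writes the key in clear: keep it private, delete it when done
}

# End-entity certificate only (-clcerts skips the CA certs) out of the same PKCS#12.
export_leaf_pem() {  # pfx pfx_password out_pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# 0 if the private key belongs to the certificate: both must yield the same public key.
key_matches_cert() {  # key_pem cert_pem
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Repack leaf + key only (no -certfile / -chain), so the importing KDB's existing
# signer entry for the CA is untouched. Any non-empty password works for a transfer
# file; iKeyman refuses an empty one.
repack_leaf_only() {  # pfx pfx_password out_p12 out_password
    local d rc
    d=$(mktemp -d)
    export_key_pem "$1" "$2" "$d/key.pem" && export_leaf_pem "$1" "$2" "$d/leaf.pem" \
        && openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/key.pem" -name server \
               -out "$3" -passout "pass:$4" 2>/dev/null
    rc=$?
    rm -rf "$d"
    return $rc
}

# Number of certificates inside a PKCS#12 (1 after repack_leaf_only).
count_certs_in_p12() {  # p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Throwaway CA, a server cert signed by it, and a PFX carrying both, which is what
# a Windows export with "include all certificates in the path" produces.
make_fixture() {  # dir
    local d
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=httpserver.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 2 -out "$d/server.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/server.pem" -inkey "$d/server.key" -certfile "$d/ca.pem" \
        -name server -out "$d/export.pfx" -passout pass:transfer 2>/dev/null
}

# Usage: p12tool.sh <pfx> <pfx_password>  -> key.pem for Wireshark and clean.p12 for iKeyman
if [ $# -eq 2 ]; then
    export_key_pem "$1" "$2" key.pem && repack_leaf_only "$1" "$2" clean.p12 'Transfer1!' \
        && echo "key.pem and clean.p12 written; delete both when done"
fi
```

key_matches_cert is the check to run before loading a key into Wireshark: a key that matches passes the RSA-key-exchange sessions to the dissector, a stale one just leaves everything as "Application Data" without an error.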

How to install GSKit

Uninstall the old GSKit, or rename the gskit folder and its registry entry. Run

setup.exe LDAP

(to install an LDAP GSKit; otherwise take the product name from the registry entry of the GSKit that is already installed). If you first need to unpack the self-extracting package, run

gskit7bas . /D

How to store the KDB password in a stash file after a database has been created

gsk7cmd -keydb -stashpw -db <db_name> -pw <password>

The stash file (<db_name> with a .sth extension) holds the password obfuscated, not encrypted: anyone who can read it can open the database, so keep it readable only by the account the server runs as. Passing -pw on the command line also leaves the password in the shell history and the process list.

How to use keytool

Move the file to ${WO}/Data.
On the client machine, make sure a JDK 1.4.2 or later is installed; its bin directory contains keytool.exe, which we use to create the keystore.
Create a file called pmcli.jks holding the certificate under the alias pmssl as follows:
a) On the machine that has the JDK 1.4.2+ installed, cd into ${WO}/Code and run
convert_certificate.bat stage
keytool -import -trustcacerts -file ssl.cer -alias pmssl -keystore pmcli.jks
b) Enter a password for the keystore; "public" will work just fine, because this truststore holds only public certificates and the password protects its integrity rather than any secret.
c) When prompted to trust the certificate, enter yes. Confirm the entry with keytool -list -keystore pmcli.jks -alias pmssl.

How to view the SSL certificate of an SSL Server

openssl s_client -connect 'host:port' -showcerts

or

echo | openssl s_client -connect 'host:port'

The echo closes s_client's stdin so it exits right after the handshake instead of waiting for input; -showcerts prints the whole chain the server sent, not just the leaf. Add -servername host for servers that pick their certificate by SNI (without it you may be shown a default certificate that is not the one browsers get), and pipe the output through openssl x509 -noout -text to decode the first certificate instead of reading the base64.


@HowTo @Security @Networking @IBM