IBM HTTP Server - Tinkering with CMS Keystore Passwords

Last week, I was demonstrating to a client how one can change the password on a Certificate Management System (CMS) keystore using the IBM Global Security Toolkit (GSK).

Therefore, I'd changed the password from my default ( passw0rd ) to something else ( f00bar ).

To make it 100% clear, this is a sacrificial TEST VM, hence the weak password.

Alas, muscle memory makes me type the old password each and every time ( yes, I can/do use the stashed password when I remember ).

This is how I check what password I currently have: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw f00bar

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


 and this is how I change it BACK to my favourite ( albeit weak ) password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -keydb -changepw -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw f00bar -new_pw passw0rd -stash

- Note that I'm stashing the new password as I change it

and this is how I verify the new password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


and this is how I verify the new stashed password: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


Nice.
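
Since -stashed opens the keystore with no password typed, anyone who can read the stash file written by -stash can do the same. The following is an added example, not part of the original post, that flags keystore files readable by group or others; it assumes the companion files share the .kdb base name (.sth, .rdb, .crl), and the demo files are constructed.

```shell
#!/bin/sh
# Added example: audit file permissions on a CMS keystore and its companions.
# Assumption: companions share the .kdb base name (.sth stash, .rdb, .crl).

# Print each existing keystore file that grants any group/other permission.
# Returns 0 if none are exposed, 1 if at least one is, 2 on usage error.
audit_keystore_perms() {
    kdb=$1
    case $kdb in
        *.kdb) base=${kdb%.kdb} ;;
        *) echo "usage: audit_keystore_perms /path/to/keystore.kdb" >&2; return 2 ;;
    esac
    exposed=0
    for ext in kdb sth rdb crl; do
        f=$base.$ext
        [ -f "$f" ] || continue
        # ls -ld mode string: characters 5-10 are the group and other bits
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$f"
            exposed=1
        fi
    done
    return $exposed
}

# Demo on constructed empty files in a temp dir (not a real keystore).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/keystore.kdb"; chmod 600 "$d/keystore.kdb"
    : > "$d/keystore.sth"; chmod 644 "$d/keystore.sth"   # deliberately too open
    audit_keystore_perms "$d/keystore.kdb"
    rc=$?
    rm -rf "$d"
    return $rc
}

# When run with a path argument, audit that keystore.
if [ "$#" -gt 0 ]; then
    audit_keystore_perms "$1"
fi
```

Run it against the keystore path used above as the user that owns the IHS installation; any file it prints should be tightened with chmod 600.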

Note that I'm using gskcapicmd rather than gskcmd, simply because the former uses a C++ API whereas the latter uses Java, as evidenced below: -

/opt/IBM/HTTPServer/bin/gskcmd -version

iKeyman 8.0.414
CMS provider version 2.57
Java version 1.8.0

(C) Copyright IBM Corp. 2007, 2012.
ALL RIGHTS RESERVED


/opt/IBM/HTTPServer/bin/gskcapicmd -version

GSKCAPICMD
==========
@(#)CompanyName:      IBM Corporation
@(#)LegalTrademarks:  IBM
@(#)FileDescription:  IBM Global Security Toolkit
@(#)FileVersion:      8.0.50.69
@(#)InternalName:     gskcapicmd
@(#)LegalCopyright:   Licensed Materials - Property of IBM GSKit 
                      (C) Copyright IBM Corp.1995, 2016 
                      All Rights Reserved. US Government Users 
                      Restricted Rights - Use, duplication or disclosure
                      restricted by GSA ADP Schedule Contract with IBM Corp.
@(#)OriginalFilename: gsk8capicmd_64
@(#)ProductName:      gsk8j (GoldCoast Build) 160809
@(#)ProductVersion:   8.0.50.69
@(#)ProductInfo:      16/08/03.02:49:36.16/08/09.17:05:03
@(#)CMVCInfo:         gsk8j_160808/gsk8j_doc gsk8j_160808/gsk8j_ikm gsk8j_160808/gsk8j_cms gsk8j_160615/gsk8j_support gsk8j_160525/gsk8j_pkg gsk8j_160803/gsk8j_ssl gsk8j_160413/gsk8j_acme

and it's typically bad practice to have Java installed/running on a web server, especially if it's located within a DMZ, as per this: -





---------------------
http://portal2portal.blogspot.com/2017/10/ibm-http-server-tinkering-with-cms.html
Oct 11, 2017