Custom authorization in Datapower

October 12, 2010

We have an enterprise authorization web service integrated into our DataPower appliance as a custom AAA step. Everything seemed to work fine, but the policy reported “authorization failed” every time.

The simple fix was to have the stylesheet emit an <approved/> node in the resulting node tree on success.

Simple, but you have to know it …

From the DataPower Authentication and Authorization Redbook:

- Custom template
Authorization might be managed through an XSL stylesheet. Two different outputs are also possible for this XSL:

• The <approved/> element, which means “authorization success” to the DataPower AAA framework

• The <declined/> element, which means “authorization failure”

How to convert PFX certificate to JKS format

October 12, 2010

Use ikeyman.bat, provided by IBM as part of WebSphere and other IBM products, or a similar key management utility for your Java platform. It can import PKCS12 certificates (which is exactly what PFX is) and save them as a Java Key Store.

Another possible way is a three-step conversion (prerequisite: a JDK installed on the machine):

1. Extract the key and the cert from the PFX file in PEM format

openssl pkcs12 -nocerts -in %_PFXFILE% -out %_KEYPEM% -passin pass:%_PASSWD% -passout pass:%_PASSWD%
openssl pkcs12 -clcerts -nokeys -in %_PFXFILE% -out %_CERTPEM% -passin pass:%_PASSWD%

2. Convert both the cert and the key from PEM to DER format (note that -nocrypt writes the private key to disk unencrypted, so delete the intermediate files once the JKS store exists)

openssl pkcs8 -topk8 -nocrypt -in %_KEYPEM% -inform PEM -out %_KEYDER% -outform DER -passin pass:%_PASSWD%
openssl x509 -in %_CERTPEM% -inform PEM -out %_CERTDER% -outform DER

3. Use Java code to combine the cert and the key into a JKS store

java ImportKey %_KEYDER% %_CERTDER% %_KEYSTORE% %_ALIAS% %_JKSPASSWD%

To automate this process I have created a batch utility you can use.
Download the “How to convert PFX to JKS.doc” file from the Box.net widget in the right sidebar, extract all the files in the attachment, set JAVA_HOME to your JDK installation, then run the bat file:

>pfx2jks.bat <pfxFile> <pfxPassword> <jksPassword>

Where

pfxFile – the pfx file you would like to convert
pfxPassword – the password set on the pfx file (provided to you along with the pfx)
jksPassword – the password you would like to set on the JKS store

Here is the sample output:

C:\certtests\pfx2jks>set JAVA_HOME=c:\IBM\WID62\jdk

C:\certtests\pfx2jks>PFX2JKS.bat ..\certs\intesbtest.pfx xxxx testjks
Using JAVA_HOME: c:\IBM\WID62\jdk
Converting: C:\certtests\certs\intesbtest.pfx
To JKS store: C:\certtests\certs\intesbtest.jks
With Password: xxxx
MAC verified OK
Key extracted in PEM format
MAC verified OK
Cert extracted in PEM format
Key converted to DER format
Cert converted to DER format
Using keystore-file : C:\certtests\certs\intesbtest.jks
One certificate, no chain.
Key and certificate stored.
Alias:intesbtest Password:testjks
Java Keystore C:\certtests\certs\intesbtest.jks was created successfully….. with password testjks

More useful SSL information: http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
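As an added example (not the author's pfx2jks.bat or ImportKey class), the same conversion done in one step with the Java KeyStore API on Java 7 or later, which makes the OpenSSL PEM/DER round trip unnecessary; the class name Pfx2Jks and the optional alias argument are my own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/** Copies every private-key entry of a PKCS12/PFX file, with its certificate chain, into a new JKS file. */
public class Pfx2Jks {
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: java Pfx2Jks <pfxFile> <pfxPassword> <jksFile> <jksPassword> [alias]");
            System.exit(1);
        }
        String alias = args.length > 4 ? args[4] : null;
        int n = convert(args[0], args[1].toCharArray(), args[2], args[3].toCharArray(), alias);
        System.out.println("Java Keystore " + args[2] + " was created with " + n + " key entries");
    }

    /**
     * Returns the number of key entries copied. With a non-null newAlias the key entry is stored under
     * that name (a Microsoft CA issues entries labelled with a GUID); otherwise the PFX alias is kept.
     */
    public static int convert(String pfxFile, char[] pfxPassword, String jksFile, char[] jksPassword,
                              String newAlias) throws GeneralSecurityException, IOException {
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxFile)) {
            pfx.load(in, pfxPassword);   // "Illegal key size" here means restricted JCE policy files are installed
        }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);            // start with an empty store in memory
        int copied = 0;
        for (Enumeration<String> e = pfx.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!pfx.isKeyEntry(alias)) continue;   // skip trusted-certificate-only entries
            Key key = pfx.getKey(alias, pfxPassword);
            Certificate[] chain = pfx.getCertificateChain(alias);
            // JKS key entries have their own password; use the store password, as the batch tool does
            jks.setKeyEntry(newAlias != null ? newAlias : alias, key, jksPassword, chain);
            copied++;
        }
        try (FileOutputStream out = new FileOutputStream(jksFile)) {
            jks.store(out, jksPassword);
        }
        return copied;
    }
}
```

Run it as `java Pfx2Jks intesbtest.pfx xxxx intesbtest.jks testjks intesbtest` to get the same alias and store password as in the sample output above.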

Categories: SSL

Convert PFX certificate to PEM format

October 12, 2010

PEM format is widely used by PHP applications and by LoadRunner scripts. To convert a PFX/PKCS12 formatted certificate, use the OpenSSL tool:

openssl pkcs12 -in c:\pathTo\cert.pfx -out c:\pathTo\cert.pem

Cool SSL site and tools: https://www.sslshopper.com/ssl-converter.html

Categories: SSL

Renew certificate in Websphere keystore while retaining same alias

October 12, 2010

Renewing expired SSL certificates in WebSphere is in some cases problematic. The WebSphere admin console offers few functions for manipulating aliases in keystores, and if a certificate alias is used throughout your infrastructure mappings (for example in SSL configurations and web chains), fixing those entries with a new alias can be cumbersome. Below are a few easy steps to renew or replace an SSL certificate in a keystore while retaining the same alias. The general idea is to manipulate the keystore and truststore with the iKeyman utility instead of the WebSphere admin console.

  1. Copy key.p12 and trust.p12 from the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>) to a separate backup directory
  2. Start the iKeyman.bat utility from the \bin directory of the Deployment Manager profile
  3. Open key.p12 from the backup directory and, under “Personal Certificates”, delete the certificate you would like to replace
  4. Now import the newly obtained certificate from the CA into the keystore’s “Personal Certificates”
  5. When prompted to change the label (it is a GUID in the case of a Microsoft CA issuer), give it the same alias name as before. Click “Apply”, then “OK”
  6. You will see the new certificate with the proper alias in the list of “Personal Certificates”
  7. Save the key.p12 file changes

Repeat the same steps with the trust.p12 file, but import the .cer file instead of the .pfx so that only the public certificate part is imported, and use the “Signer Certificates” folder instead of “Personal Certificates”.

Now that you have prepared both key.p12 and trust.p12 files:

  1. Stop the Deployment Manager
  2. Copy the new key.p12 and trust.p12 files to the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>)
  3. Start the Deployment Manager

If you have the option “Synchronize nodes on startup” enabled, you are done and can verify the new certificates in the WebSphere console. If not, just synchronize the nodes and they will get the updated key and trust files.

Lotus/Domino 8.5 WebService Provider manipulating SOAP Header

July 28, 2010

Similar to the previous post, Domino WebService Consumer manipulating SOAP Header, a WebService Provider in some cases has to read the SOAP Header passed to it. It may process the header (e.g. log its data) and send an enhanced header back along with the response. To achieve that we have to add some code to inspect the SOAP Header and inject one into the response payload. The steps are shown below.
Locate the generated Web Service stub with the methods prepared for implementation, and access the MessageContext to read and set the header:

// Axis 1.x classes that Domino 8.5 wraps (assumed imports):
// org.apache.axis.AxisFault, org.apache.axis.MessageContext, org.apache.axis.message.SOAPHeaderElement

// namespace of the expected header element (the consumer post below uses "http://www.example.com")
private static final String wsNamespace = "http://www.example.com";

public void echo() throws AxisFault
{
    MessageContext mc = MessageContext.getCurrentContext();
    // get the received SOAP Header; null if the request carried no such element
    SOAPHeaderElement header = mc.getRequestMessage().getSOAPEnvelope().getHeaderByName(wsNamespace, "auth");

    // manipulate header

    // set the manipulated header on the response
    if (header != null) {
        mc.getResponseMessage().getSOAPEnvelope().addHeader(header);
    }
}

Lotus/Domino 8.5 WebService Consumer manipulating SOAP Header

July 28, 2010

There is quite often a need to include a SOAP Header in the message sent by a Web Service consumer. While Domino 8.5 uses the Axis Java library under the hood of its generated Java Web Service consumers, it blocks the standard setHeader API in the client proxy. We had to look through all the generated Java files to find the solution. Below is an example of sending a SOAP Header from a Lotus Web Service consumer agent.

In the class generated by Domino for the endpoint, XXXEndpointStub.java, locate the code responsible for making the call, similar to the following:

lotus.domino.websvc.client.Call _call = createCall("submitRequest");
java.lang.Object _resp = _call.invoke(new java.lang.Object[] {parameters});

Modify it to create and add the header before the call is invoked. For example, to create the following SOAP Header:

<soap:Envelope …>
  <soap:Header>
    <au:auth xmlns:au="http://www.example.com">
      <au:username>john</au:username>
    </au:auth>
  </soap:Header>
  <soap:Body>
    ….
  </soap:Body>
</soap:Envelope>

The code will be:

// imports needed in XXXEndpointStub.java (Axis classes wrapped by Domino):
// org.apache.axis.message.SOAPHeaderElement and javax.xml.soap.SOAPElement

lotus.domino.websvc.client.Call _call = createCall("submitRequest");

try {
    // create the SOAP header element <au:auth xmlns:au="http://www.example.com"> with a username child
    SOAPHeaderElement header = new SOAPHeaderElement("http://www.example.com", "auth");
    SOAPElement elemSystem = header.addChildElement("username", "au", "http://www.example.com");
    elemSystem.addTextNode("john");

    // add the header to the payload before the call is invoked
    _call.addHeader(header);
} catch (Exception e) {
    // the original leaves the exception type open; wrap it as appropriate for the stub
    throw new RuntimeException(e);
}

java.lang.Object _resp = _call.invoke(new java.lang.Object[] {parameters});

Error Importing PKCS12/ PFX Certificate to Websphere 6.1

October 15, 2009

We recently encountered problems trying to import a certificate generated by our local Enterprise Microsoft CA server into a WebSphere server. Both importing from the WAS console and through ikeyman.bat gave errors: “Database is corrupted” and “Could not open keystore”.

Trying to see the content of this PFX file using keytool:

\java\jre\bin>keytool -list -v -keystore test.pfx -storetype pkcs12 -storepass test

also ended in an error: “java.io.IOException: Error in loading the keystore: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)”

The issue boiled down to the Java security policy files, their ‘restricted’ and ‘unrestricted’ flavours, and the size of the keys used by our local CA.

Downloading the unrestricted JCE policy files for IBM JVM 1.4.2+ (US_export_policy.jar and local_policy.jar) and replacing them in the WAS JVM worked like a charm.

Resolution steps for WAS 6.1:

  • Go to the developerWorks Java Technology Security page at URL: Java Technology Security
  • Click on the “J2SE 5.0” link for WebSphere Application Server 6.1.xx
  • Scroll down on the resulting page and click on the “IBM SDK Policy files” link
  • Select “Unrestricted JCE Policy files for SDK for all newer versions 1.4.2+” and download them
  • Extract the local_policy.jar and US_export_policy.jar files from the unrestricted.zip archive
  • Stop the application server
  • Back up the local_policy.jar and US_export_policy.jar files located in the following directory: \java\jre\lib\security\
  • Place the newly downloaded files in \java\jre\lib\security\
  • Start the server
  • Now you will be able to open the PFX with ikeyman and from the admin console

Functional Quality Testing for SOA / WebServices

March 19, 2009

As the number of services in our environment grows, the need for automatic regression/functional testing increases. I have recently encountered articles on IBM Rational Tester for SOA Quality. It is a nice tool, but given budget constraints we will have to build something on our own.

The first thing that comes to mind is to use Ant and JUnit tests that would send SOAP requests and test the results against expected XMLs. A quick search reveals IBM’s recent article on that topic:

 Testing SOA applications with WebSphere Integration Developer and Ant scripts

Also, so far we have been using SoapUI for our initial and integration unit testing; it would be nice to reuse existing SoapUI projects in continuous integration scripts and also expand them not only to send requests and receive results, but to verify those results against a predefined set of expected results. Researching a few articles on this theme:

 Testing Web Services with SoapUI

Series of articles on continuous integration (CI), SoapUI and Groovy:
Functional Web Services Testing Made Easy with SoapUI – Part 1
Functional Web Services Testing Made Easy with SoapUI – Part 2
Functional Web Services Testing Made Easy with SoapUI – Part 3

Categories: SOA

Websphere wsadmin.bat utility running out of memory

January 16, 2009

Recently we have encountered memory problems running WebSphere wsadmin-based scripts.

We were trying to retrieve a large amount of CBE events from WESB using the eventquery.bat script, and the default 256K memory setting was easily exhausted.

Our first option was to find the line shown below in wsadmin.bat and increase it:

set PERFJAVAOPTION=-Xms256m -Xmx256m -Xj9 -Xquickstart

But of course we wanted a somewhat more elegant solution, and came across the following IBM Tech Note, which describes the ‘javaoption’ parameter:

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg1PQ73288

Instead of modifying the wsadmin.bat file, passing ‘javaoption’ parameters worked perfectly:

wsadmin.bat -javaoption -Xms256m -javaoption -Xmx768m .. rest of parameters…

or, in the event query case:

eventquery.bat -javaoption -Xms256m -javaoption -Xmx768m .. rest of parameters…

Websphere Password Decoding

December 16, 2008

Passwords stored in WebSphere server configuration files can actually be decoded:
http://robertmaldon.blogspot.com/2006/07/recovering-passwords-from-websphere.html

For WebSphere ESB 6.1, which runs on top of WAS 6.1.17, the actual command is:

\IBM\WebSphere\ESB\deploytool\itp\plugins\com.ibm.websphere.v61_6.1.200>\IBM\WebSphere\ESB\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}booqL2sSOm0=

encoded password == “{xor}bWcqL2sSOm0=”, decoded password == “hello”

And a very nice online password decoder:
http://www.sysman.nl/wasdecoder/
