Importing a PKCS12/PFX Certificate into Websphere 6.1

October 15, 2009

We recently encountered problems trying to import a certificate generated by our local enterprise Microsoft CA into WebSphere Application Server. Importing it from the WAS admin console and through ikeyman.bat both failed, with the errors “Database is corrupted” and “Could not open keystore”.

Trying to list the contents of the PFX file with keytool
   \java\jre\bin>keytool -list -v -keystore test.pfx -storetype pkcs12 -storepass test

also ended in an error: “java.io.IOException: Error in loading the keystore: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)”

The issue boiled down to the Java JCE security policy files, which come in ‘restricted’ and ‘unrestricted’ flavours. The restricted files shipped with the JVM cap the key lengths JCE will accept, and the password-based encryption protecting the private key inside the PFX produced by our local CA needs a key length above that cap, hence the “Illegal key size”. The PKCS12 keystore implementation decrypts the private-key entries while loading the file, which is why even a plain listing fails.

Downloading the unrestricted JCE policy files for the IBM JVM 1.4.2+ (US_export_policy.jar and local_policy.jar) and replacing the ones in the WAS JVM fixed it.

Resolution steps for WAS 6.1:

  • Go to the developerWorks Java Technology Security page at URL: Java Technology Security
  • Click on the “J2SE 5.0” link for WebSphere Application Server 6.1.xx
  • Scroll down on the resulting page and click on the “IBM SDK Policy files” link.
  • Select “Unrestricted JCE Policy files for SDK for all newer versions 1.4.2+” and download them
  • Extract local_policy.jar and US_export_policy.jar from the unrestricted.zip archive.
  • Stop the application server
  • Back up the existing local_policy.jar and US_export_policy.jar in \java\jre\lib\security\ under the WAS install root
  • Copy the downloaded local_policy.jar and US_export_policy.jar into \java\jre\lib\security\, overwriting the restricted ones
  • Start the server
  • The PFX can now be opened in ikeyman and imported from the admin console

Note that this is a per-JVM change: repeat it on every node's WAS JVM, and re-check the jars after applying an SDK fix pack, which can put the restricted files back.
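As an added check (example code written for this note, not from the original post and not IBM's code): compile this small class and run it with the WAS JVM before and after swapping the jars. It prints the key-length caps the installed policy enforces, via Cipher.getMaxAllowedKeyLength, and then loads the PFX the same way keytool does, so the “Illegal key size” failure is either reproduced or shown to be gone. The class name, the file name test.pfx and the password test are placeholders; the code sticks to Java 5 APIs so it runs on the WAS 6.1 JVM.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.Enumeration;
import javax.crypto.Cipher;

/**
 * JcePolicyCheck: added example, not part of the original post.
 * Run it with the WAS JVM (\java\jre\bin\java) before and after swapping the
 * policy jars. It reports the key-length caps the installed JCE policy
 * enforces and then tries to open a PFX the same way keytool -list does.
 * Usage: java JcePolicyCheck test.pfx test   (placeholder file name and password)
 */
public class JcePolicyCheck {

    /** Largest key length the current policy permits for the given algorithm. */
    public static int maxKeyLength(String algorithm) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(algorithm);
    }

    /** True when the unrestricted policy jars are installed (no cap on AES). */
    public static boolean isUnrestricted() throws NoSuchAlgorithmException {
        return maxKeyLength("AES") == Integer.MAX_VALUE;
    }

    /**
     * Opens a PKCS#12 file. Loading also decrypts the private-key entries, so a
     * policy cap shows up here as an IOException wrapping "Illegal key size".
     */
    public static KeyStore loadPfx(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String[] algs = { "AES", "DESede", "RC2", "RSA" };
        for (int i = 0; i < algs.length; i++) {
            int max = maxKeyLength(algs[i]);
            System.out.println(algs[i] + " max key length: "
                    + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        }
        System.out.println("Unrestricted policy installed: " + isUnrestricted());

        if (args.length < 2) {
            System.out.println("Usage: java JcePolicyCheck <file.pfx> <password>");
            return;
        }
        try {
            KeyStore ks = loadPfx(args[0], args[1].toCharArray());
            for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
                String alias = (String) e.nextElement();
                System.out.println("alias " + alias + " (key entry: " + ks.isKeyEntry(alias) + ")");
            }
        } catch (IOException e) {
            // Same failure keytool -list reports: the PBE protecting the private key
            // needs a key length the restricted policy does not allow.
            System.out.println("Could not open keystore: " + e.getMessage());
            if (e.getCause() != null) {
                System.out.println("  cause: " + e.getCause());
            }
        }
    }
}
```

Compile it with the WAS JDK (\java\bin\javac JcePolicyCheck.java) and run it with \java\jre\bin\java so it sees the same policy jars as ikeyman and the server. With the restricted files in place AES typically reports a small cap (128) and the load fails; after the swap it reports “unlimited” and the aliases are listed.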


Websphere Password Decoding

December 16, 2008

Passwords stored in WebSphere configuration files (security.xml, for example) are only obfuscated with the {xor} scheme, not encrypted, so anyone who can read the files can decode them:
http://robertmaldon.blogspot.com/2006/07/recovering-passwords-from-websphere.html

For WebSphere ESB 6.1 running on top of WAS 6.1.17 the actual command is:

   \IBM\WebSphere\ESB\deploytool\itp\plugins\com.ibm.websphere.v61_6.1.200>\IBM\WebSphere\ESB\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}booqL2sSOm0=

with output of the form:

   encoded password == “{xor}bWcqL2sSOm0=”, decoded password == “hello”

And a very nice online password decoder (bear in mind that pasting a real value into a third-party site hands that credential to whoever runs the site; decode locally when it matters)
http://www.sysman.nl/wasdecoder/
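To keep this local, here is a self-contained encoder/decoder written for this note (example code, not IBM's PasswordDecoder and not from the linked post). The scheme it implements is the documented {xor} one: each byte of the clear text is XORed with the character '_' (0x5F) and the result is Base64-encoded; decoding reverses the two steps. The class name is mine and the "hello" sample is constructed; it needs a Java 8 or later JDK for java.util.Base64, so run it with a current JDK rather than the WAS 6.1 JVM.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * WasXorPassword: added example, not part of the original post and not IBM code.
 * Implements the {xor} obfuscation WebSphere uses in its configuration files:
 * clear text bytes XOR 0x5F ('_'), then Base64. Requires Java 8+.
 */
public final class WasXorPassword {

    private static final String PREFIX = "{xor}";
    private static final byte MASK = (byte) '_';

    private WasXorPassword() {}

    /** Encodes clear text the way it appears in security.xml and friends. */
    public static String encode(String clearText) {
        byte[] bytes = clearText.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] ^= MASK;
        }
        return PREFIX + Base64.getEncoder().encodeToString(bytes);
    }

    /** Decodes a "{xor}..." value; refuses anything that lacks the prefix. */
    public static String decode(String encoded) {
        if (encoded == null || !encoded.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not an {xor}-encoded value: " + encoded);
        }
        byte[] bytes = Base64.getDecoder().decode(encoded.substring(PREFIX.length()));
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] ^= MASK;
        }
        return new String(bytes, StandardCharsets.UTF_8);
    }

    /** Round-trip check: encoding then decoding must give the input back. */
    public static boolean roundTrips(String clearText) {
        return clearText.equals(decode(encode(clearText)));
    }

    public static void main(String[] args) {
        // With no argument, demonstrate on a constructed sample value.
        String input = args.length > 0 ? args[0] : encode("hello");
        System.out.println(input + " -> " + decode(input));
        System.out.println("round trip ok: " + roundTrips("hello"));
    }
}
```

Because the transform is a fixed single-byte XOR, the "encoding" protects nothing against anyone who can read the file; the practical control is file-system permissions on the profile's config directory, not the encoding.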


WAS 6.1 setup Windows NT Service

September 10, 2008

There is a handy WASService command in WAS_ROOT\bin that registers WebSphere Application Server 6.1 as a Windows service.

Samples and documentation are on the IBM InfoCenter – WASService Command

With administrative security enabled, the first thing we encountered was that stopping the WAS service from the Services console failed:

   RoleBasedAuth E   SECJ0306E: No received or invocation credential exist on the thread. … The stack trace is java.lang.Exception: Invocation and received credentials are both null

The stop request carries no credentials, so the server rejects it. To fix this, add the stopArgs parameter with a username and password. To avoid storing the password in clear text, also specify -encodeParams so the stored parameters are encoded in the registry. Treat this as obfuscation rather than strong protection: keep access to the service's registry entry restricted, and use an ID for stopArgs that holds only the role needed to stop the server (operator) rather than a full administrator.

WASService.exe -add "DEV01N01" -serverName server1 -profilePath C:\IBM\pf\ESB\DEV01N01 -stopArgs "-username userA -password passwordXXX" -encodeParams


Checking versions of Websphere FixPacks

June 17, 2008

WebSphere Application Server ships a utility that lists the fix packs and iFixes installed on the system:

  • <WAS_ROOT>/bin/versionInfo.bat  -maintenancePackages

It prints the product version details and every installed maintenance package, which is the quickest way to confirm a fix pack actually landed on a node.

More on versionInfo options:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rins_versionInfo.html