Thursday, March 15, 2012

Create a new WebSEAL key database file (webseald.kdb) when it is corrupted.

How to create a NEW key database for a WebSEAL instance.

The instance key database (/var/pdweb/keytab-<instance>/<instance>-webseald.kdb) sometimes gets corrupted during the automatic refresh of the server certificate. A related case is when another instance's certificate files are copied over this instance's files by mistake. That case uses the same steps with one difference: first delete all the certificate files in "/var/pdweb/keytab-<instance>/" and then run the steps directly in that path (no need to create a temp directory and copy the new key database over the old one).

The most common errors seen in such cases are:

1) HPDBA0230E The certificate label or DN is invalid

OR

2) HPDCF0061E The function, GSKKM_GetKeyItemByLabel(), returned the error code: 0x00000075.
HPDCF0117E An error occurred in the "IKeyMan" API. Configuration failed.
SSL configuration failed.

Steps to create the webseald.kdb file when it is corrupted with the above errors:

Before starting, make sure the Java and GSKit (gsk7cmd) binaries are on the PATH. If not, export it like below (paths for an ITDS 6.1 client and a GSKit 7 install; adjust to your installation):

export PATH=/opt/ibm/ldap/V6.1/java/bin/:/usr/local/ibm/gsk7/bin/:$PATH

1) Make a temp dir and change to it
mkdir /var/pdweb/keytab-<instance>/temp
cd /var/pdweb/keytab-<instance>/temp

2) Create a mostly empty CMS kdb with a stashed password (the password is temporary; it is changed in step 8)
gsk7cmd -keydb -create -db replaceicert-webseald.kdb -pw passw0rd -stash -type cms -expire 7200

3) Add the Policy Director CA certificate.

# Note: if /var/PolicyDirector/keytab/pdcacert.b64 does not exist on this host, copy it from the policy server first.

gsk7cmd -cert -add -db replaceicert-webseald.kdb -pw passw0rd -file /var/PolicyDirector/keytab/pdcacert.b64 -label "Policy Director CA"

4) Remove the other CAs (gsk7cmd pre-loads a new database with well-known public CAs; the WebSEAL key database only needs to trust the Policy Director CA)
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Entrust.net Global Secure Server Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Entrust.net Global Client Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Entrust.net Client Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Entrust.net Certification Authority (2048)"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Entrust.net Secure Server Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 3 Secure Server CA"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 3 Public Primary Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 2 Public Primary Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 1 Public Primary Certification Authority"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 4 Public Primary Certification Authority - G2"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 3 Public Primary Certification Authority - G2"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 2 Public Primary Certification Authority - G2"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 1 Public Primary Certification Authority - G2"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 4 Public Primary Certification Authority - G3"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 3 Public Primary Certification Authority - G3"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 2 Public Primary Certification Authority - G3"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "VeriSign Class 1 Public Primary Certification Authority - G3"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Thawte Personal Premium CA"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Thawte Personal Freemail CA"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Thawte Personal Basic CA"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Thawte Premium Server CA"
gsk7cmd -cert -delete -db replaceicert-webseald.kdb -pw passw0rd -label "Thawte Server CA"

5) Create a self-signed certificate with the correct subject. This is only a placeholder; it is replaced in step 8 by a certificate issued by the policy server.
gsk7cmd -cert -create -db replaceicert-webseald.kdb -pw passw0rd -dn "CN=<instance>-webseald-<hostname>,OU=Default,O=Access Manager,C=US" -label "PD Server"

6) Copy the new key database and its stash (.sth) file over the existing ones for the non-working instance.

Leave the temp dir
cd ..
cp /var/pdweb/keytab-<instance>/temp/replaceicert-webseald.kdb /var/pdweb/keytab-<instance>/<instance>-webseald.kdb
cp /var/pdweb/keytab-<instance>/temp/replaceicert-webseald.sth /var/pdweb/keytab-<instance>/<instance>-webseald.sth

7) Correct the permissions
chmod 600 /var/pdweb/keytab-<instance>/<instance>-webseald.kdb
chmod 600 /var/pdweb/keytab-<instance>/<instance>-webseald.sth
chown ivmgr:ivmgr /var/pdweb/keytab-<instance>/<instance>-webseald.kdb
chown ivmgr:ivmgr /var/pdweb/keytab-<instance>/<instance>-webseald.sth

8) Change the password and request a new certificate from the Policy Server (both commands contact the policy server, so it must be running and reachable)
svrsslcfg -chgpwd -f /opt/pdweb/etc/webseald-<instance>.conf
svrsslcfg -chgcert -f /opt/pdweb/etc/webseald-<instance>.conf

9) Verify the key database contents
/opt/PolicyDirector/sbin/dispkdb -f /var/pdweb/keytab-<instance>/<instance>-webseald.kdb

10) Start the WebSEAL server.
pdweb start <instance>

11) If everything works, remove the temp dir and the temp key database
rm -r /var/pdweb/keytab-<instance>/temp
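The whole procedure above as one script, added here as an example and not part of the original post or of the Access Manager product. It goes beyond the steps in one way: instead of the hand-written list of CA labels to delete, it lists the new database with gsk7cmd and deletes every label except "Policy Director CA", so CAs added by a different GSKit level are caught too. Assumptions: it runs as root on the WebSEAL host, gsk7cmd and svrsslcfg are on the PATH, and `gsk7cmd -cert -list` prints a header line ending in ":" followed by one label per line, each possibly prefixed by whitespace or a "*" / "!" marker. The function names (server_dn, labels_to_delete, rebuild_kdb) are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a WebSEAL instance
# key database following steps 1-11 above.
# Assumptions: root on the WebSEAL host, gsk7cmd/svrsslcfg on the PATH,
# and the `gsk7cmd -cert -list` output format described in the lead-in.

KEYTAB_BASE=/var/pdweb                          # instance keytab dirs live here
PDCA=/var/PolicyDirector/keytab/pdcacert.b64    # Policy Director CA (b64)
TMP_PW=passw0rd                                 # temporary; svrsslcfg -chgpwd replaces it
KEEP_LABEL="Policy Director CA"

# Subject DN of the WebSEAL server certificate, in the form used in step 5.
server_dn() {
    printf 'CN=%s-webseald-%s,OU=Default,O=Access Manager,C=US' "$1" "$2"
}

# Read `gsk7cmd -cert -list` output on stdin; print every label except the
# Policy Director CA, one per line. Drops the header line (ends in ":"),
# leading "*" / "!" markers and surrounding whitespace, and blank lines.
labels_to_delete() {
    sed -e '/:[[:space:]]*$/d' -e 's/^[[:space:]*!]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$' | grep -vx "$KEEP_LABEL"
}

# Full procedure. Usage: rebuild_kdb <instance> <hostname>
rebuild_kdb() {
    inst=$1; host=$2
    dir=$KEYTAB_BASE/keytab-$inst
    tmp=$dir/temp
    kdb=$tmp/replaceicert-webseald.kdb
    conf=/opt/pdweb/etc/webseald-$inst.conf

    # Preconditions: tools on PATH, CA cert present, instance config present.
    command -v gsk7cmd   >/dev/null || { echo "gsk7cmd not on PATH" >&2; return 1; }
    command -v svrsslcfg >/dev/null || { echo "svrsslcfg not on PATH" >&2; return 1; }
    [ -f "$PDCA" ] || { echo "missing $PDCA: copy it from the policy server first" >&2; return 1; }
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    mkdir -p "$tmp" || return 1                                                    # step 1

    # step 2: empty CMS database with stashed (temporary) password
    gsk7cmd -keydb -create -db "$kdb" -pw "$TMP_PW" -stash -type cms -expire 7200 || return 1
    # step 3: trust the Policy Director CA
    gsk7cmd -cert -add -db "$kdb" -pw "$TMP_PW" -file "$PDCA" -label "$KEEP_LABEL" || return 1

    # step 4: delete every pre-loaded CA except the Policy Director CA
    labels=$(gsk7cmd -cert -list -db "$kdb" -pw "$TMP_PW" | labels_to_delete) || return 1
    printf '%s\n' "$labels" | while IFS= read -r label; do
        [ -n "$label" ] || continue
        gsk7cmd -cert -delete -db "$kdb" -pw "$TMP_PW" -label "$label" || exit 1   # exits the loop subshell
    done || return 1

    # step 5: placeholder self-signed cert; svrsslcfg -chgcert replaces it
    gsk7cmd -cert -create -db "$kdb" -pw "$TMP_PW" \
        -dn "$(server_dn "$inst" "$host")" -label "PD Server" || return 1

    # steps 6-7: install over the instance files, owner ivmgr, mode 600
    for ext in kdb sth; do
        cp "$tmp/replaceicert-webseald.$ext" "$dir/$inst-webseald.$ext" || return 1
        chown ivmgr:ivmgr "$dir/$inst-webseald.$ext" || return 1
        chmod 600 "$dir/$inst-webseald.$ext" || return 1
    done

    # step 8: rotate the temporary password, then get a policy-server-issued cert
    svrsslcfg -chgpwd -f "$conf" || return 1
    svrsslcfg -chgcert -f "$conf" || return 1

    # steps 9-11: inspect, start the instance, and clean up only on success
    /opt/PolicyDirector/sbin/dispkdb -f "$dir/$inst-webseald.kdb"
    pdweb start "$inst" && rm -r "$tmp"
}

# Run only when called with <instance> <hostname>; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    rebuild_kdb "$1" "$2"
fi
```

The temp directory is removed only if `pdweb start` succeeds, so a failed run leaves the rebuilt files in place for inspection, and the loop over labels quotes each one because most of the pre-loaded CA labels contain spaces and parentheses.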