IC89642: UNABLE TO EDIT THE SSL CERTIFICATES IMPORTED VIA MANAGEKEYCERTS.SH

APAR status

  • Closed as program error.

Error description

  • Cannot download SSL certificates private key to the desktop/laptop
    from SSPCM server, so we use CLI on SSPCM to import the certificates.
    Used the following and certificate import was successful.
    Usage:
      ./manageKeyCerts.sh -import [parms]
    Parms:
      certStore=<certificate store name>
         Name of SSP system certificate store. Optional. Default=dfltKeyStore
      certName=<certificate name>
         Name for certificate. Required.
      desc=<description>
         Description for certificate. Optional.
         If the description has embedded spaces, enclose the whole parameter
         in double quotes (ex: "desc=My certificate")
      engine=<engine name>
         Name of engine with access to HSM. Optional.
      alias=<alias>
         Alias for key on HSM. Optional.
         If omitted, defaults to the certificate name.
      file=<import file name>
         Fully-qualified path of key-certificate file to import. Required.
         File must be in PEM (*.txt, *.pem) or PKCS12 (*.pfx, *.p12) formats.
      replace=<y|n>
         Whether to replace certificate if a certificate with the same name
         already exists on the system certificate store. Also, whether to
         replace key in HSM if a key with the same alias already exists on
         the HSM. Optional. Default=n.
      systemPass=<passphrase>
         System passphrase. Optional. Prompts if omitted.
      adminID=<administrator ID>
         Administrator ID. Optional. Prompts if omitted.
      adminPass=<password>
         Administrator password. Optional. Prompts if omitted.
      keyStorePass=<password>
         HSM keystore password. Optional. Prompts if omitted.
      keyPass=<passphrase>
         Passphrase for key in HSM. Optional. Prompts if omitted.
      pkcs12StorePass=<password>
         Password for import PKCS12 file. Optional. Prompts if omitted.
      pkcs12KeyPass=<password>
         Password for key in PKCS12 file. Optional. Prompts if omitted.
      pemKeyPass=<password>
         Password for private key in import PEM file. Optional. Prompts if omitted.
    Key-certificate imported to [NWcertStore]:
      Name       : citadel.nationwide.com
      Description: Verisign Certificate for Adapters NW_FTPS_ and NW_HTTPS_Pswd_
      Key in HSM : false
      Alias      : citadel.nationwide.com
      Type       : JKS
      Provider   :
      Issuer     : CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      Subject    : CN=citadel.nationwide.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Infrastructure Security Operations, O=Nationwide Mutual Insurance Company, L=Columbus, ST=Ohio, C=US
      Serial     : -729917781
      Version    : 3
      Valid from : Mon Oct 29 20:00:00 EDT 2012
      Valid to   : Thu Oct 30 19:59:59 EDT 2014
    After that, in the SSP CM GUI we are unable to edit it. See the
    attached Word doc for the error.
    

Local fix

  • They can point to the keycert file in the netmap and it works
    fine. There's no problem with the keycert. Just when you go to
    save after the edit, that's when the error occurs. He wanted to
    change the description and that's how he discovered the
    problem. He was able to use the manageKeyCerts.sh and use the
    replace option with the correct description. That's the
    workaround.
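
The workaround described above, as an added example that is not IBM's own code: it builds a manageKeyCerts.sh -import call with replace=y and a corrected description, using only parameters from the usage text in the error description. The function names and the file path are hypothetical, and the passphrase parameters are left out so the tool prompts for them.

```shell
#!/bin/sh
# Added example: re-import an existing key-certificate with replace=y so the
# description is corrected without editing the entry in the CM GUI.
# Parameter names come from the usage text; function names are hypothetical.

# Print one manageKeyCerts.sh argument per line; non-zero status on bad input.
build_replace_args() {
    store=$1 name=$2 desc=$3 file=$4

    [ -n "$name" ] || { echo "certName is required" >&2; return 1; }

    # file= must be a fully-qualified path ...
    case $file in
        /*) ;;
        *) echo "file must be a fully-qualified path" >&2; return 1 ;;
    esac
    # ... in PEM (*.txt, *.pem) or PKCS12 (*.pfx, *.p12) format.
    case $file in
        *.txt|*.pem|*.pfx|*.p12) ;;
        *) echo "file must be PEM or PKCS12" >&2; return 1 ;;
    esac

    printf '%s\n' "-import" "certStore=${store:-dfltKeyStore}" \
        "certName=$name" "desc=$desc" "file=$file" "replace=y"
    # systemPass, adminID, adminPass, pkcs12StorePass, pkcs12KeyPass and
    # pemKeyPass are omitted on purpose: the tool prompts for them, which
    # keeps secrets out of shell history and the process list.
}

# Run the import from the directory that holds manageKeyCerts.sh.
reimport_with_description() {
    args=$(build_replace_args "$@") || return 1
    # Split on newlines only, so a description with spaces stays one parameter.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $args
    set +f
    IFS=$old_ifs
    ./manageKeyCerts.sh "$@"
}

# Constructed invocation (store and certificate names from the report,
# placeholder file path):
# reimport_with_description NWcertStore citadel.nationwide.com \
#     "Corrected description" /path/to/keycert.pem
```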
    

Problem summary

  • Unable to edit the SSL certificates imported via manageKeyCerts.sh
    When a new KeyCert is added into a new KeyStore using the
    manageKeyCerts.sh script, it cannot be edited by the CM GUI.  It
    can be assigned to an adapter and used successfully, but the
    description cannot be updated in the GUI, for example.
    The manageKeyCerts tool was not setting the Format Version and
    Version Stamp fields when it created the new KeyStore, which
    caused it to be unusable when edited by the CM.
    

Problem conclusion

  • Updated the manageKeyCerts tool to correctly set the Format
    Version and Version Stamp fields when creating a new key store.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC89642

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-18

  • Closed date

    2013-03-01

  • Last modified date

    2013-03-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP




Document information


More support for:

Sterling Secure Proxy

Software version:

341

Reference #:

IC89642

Modified date:

2013-03-01
