
Fail to Import Engine SSL CertificateDNS_server.ks

Hello,

As suggested by Micro Focus support for importing SSL CertificateDNS_server.ks in the IDM Apps 4.7.2 upgrade, we are trying to import SSL CertificateDNS_server.ks on the Tomcat server from the IDM engine using the following script:


# Create /tmp/tomcat.ks with a throwaway key pair, then delete that entry so an
# empty keystore protected by the password in $1 remains.
/opt/netiq/common/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore /tmp/tomcat.ks -storepass $1 -keypass $1 -alias idm -validity 7300 -dname "cn=delete"

/opt/netiq/common/jre/bin/keytool -delete -alias idm -keysize 2048 -keystore /tmp/tomcat.ks -storepass $1 -keypass $1

# Print the DxCommand export command built from the script arguments
# ($2 = install root, $3/$4 = host/port, $5/$6 = user/password) ...
echo "/opt/netiq/common/jre/bin/java -cp ${2}/common/lib/dirxml_misc.jar:${2}/common/lib/ldap.jar:${2}/common/lib/xp.jar:${2}/common/lib/nxsl.jar:${2}/common/lib/jclient.jar com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host ${3} -port ${4} -user "${5}" -password ${6} -exportcerts "SSL CertificateDNS" server java /tmp"

# ... then run the export against the engine, which is expected to produce
# "/tmp/SSL CertificateDNS_server.ks".
/opt/netiq/common/jre/bin/java -cp /mnt/idm47/common/lib/dirxml_misc.jar:/mnt/idm47/common/lib/ldap.jar:/mnt/idm47/common/lib/xp.jar:/mnt/idm47/common/lib/nxsl.jar:/mnt/idm47/common/lib/jclient.jar com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host 10.182.71.23 -port 636 -user "cn=admin,o=jnet" -password novell -exportcerts "SSL CertificateDNS" server java /tmp

# Import the server key pair, then the trusted certificate, from the exported
# keystore into /tmp/tomcat.ks.
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore "/tmp/SSL CertificateDNS_server.ks" -destkeystore /tmp/tomcat.ks -srcstorepass dirxml -deststorepass novell -srcalias "SSL CertificateDNS" -srckeypass dirxml -destkeypass novell -deststoretype JKS -noprompt

/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore "/tmp/SSL CertificateDNS_server.ks" -destkeystore "/tmp/tomcat.ks" -srcstorepass dirxml -deststorepass novell -srcalias "trustedcert" -destalias "trustedcert" -srckeypass dirxml -deststoretype JKS -noprompt

# Remove the exported keystore.
rm "/tmp/SSL CertificateDNS_server.ks"



But when we execute the script we get the following error:

./generate_keystore.sh novell /mnt/idm47/ xx.xx.xx.xx 636 "cn=admin,o=xx" novell

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /tmp/tomcat.ks -destkeystore /tmp/tomcat.ks -deststoretype pkcs12".
/opt/netiq/common/jre/bin/java -cp /mnt/idm47//common/lib/dirxml_misc.jar:/mnt/idm47//common/lib/ldap.jar:/mnt/idm47//common/lib/xp.jar:/mnt/idm47//common/lib/nxsl.jar:/mnt/idm47//common/lib/jclient.jar com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host xx.xx.xx.xx -port 636 -user cn=admin,o=xx -password novell -exportcerts SSL CertificateDNS server java /tmp

NetIQ Identity Manager Command Line Utility
version 4.7.0.0
Copyright (c) 2017 NetIQ Corporation. All Rights Reserved

Logging in using:
host: /xx.xx.xx.xx:636
user: cn=admin,o=jnet
Using LDAP protocol with SSL
DirXML version is 4.7.2.0 AE.
Driver set CN=xxx,OU=services,O=xx is associated with the server.
Importing keystore /tmp/SSL CertificateDNS_server.ks to /tmp/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/SSL CertificateDNS_server.ks (No such file or directory)
Importing keystore /tmp/SSL CertificateDNS_server.ks to /tmp/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/SSL CertificateDNS_server.ks (No such file or directory)


It looks like SSL CertificateDNS_server.ks was not exported to /tmp. Any suggestions on this issue?
Knowledge Partner

If you are working with Micro Focus support, I would probably recommend
asking them, as presumably they wrote this and understand why they did
what they did. For such a simple script, this is pretty ugly. From which
version are you upgrading to 4.7 SP2?

On 02/14/2019 07:34 AM, ngujjula wrote:
> /tmp/SSL CertificateDNS_server.ks


Does that file exist on your system? What is supposed to create it? Why
in the world would they have a space in the filename?

Anyway, I'd start with them. If they just typed these up and hoped they
would work I think they should try again.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

ab;2495332 wrote:
If you are working with Micro Focus support, I would probably recommend
asking them, as presumably they wrote this and understand why they did
what they did. For such a simple script, this is pretty ugly. From which
version are you upgrading to 4.7 SP2?

On 02/14/2019 07:34 AM, ngujjula wrote:
> /tmp/SSL CertificateDNS_server.ks


Does that file exist on your system? What is supposed to create it? Why
in the world would they have a space in the filename?

Anyway, I'd start with them. If they just typed these up and hoped they
would work I think they should try again.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.


If I recall correctly, in the IDM47 "configure.sh" script, they do a bunch of mucking about with certificates, one step of which builds a keystore under /tmp, then moves it somewhere under /opt/netiq. They build the keystore from an import of whatever the server's LDAP server is using, in this case probably "SSL CertificateDNS".

The PKCS12 warning from Oracle is just annoying.
Admiral

On 14.02.19 15:34, ngujjula wrote:
>
> Hello,
>
> As suggested from MicroFocus support for importing SSL
> CertificateDNS_server.ks in IDM Apps 4.7.2 upgrade, we are trying to
> import SSL CertificateDNS_server.ks on tomcat server from IDM engine
> using following script
>
>
> /opt/netiq/common/jre/bin/keytool -genkey -keyalg RSA -keysize 2048
> -keystore /tmp/tomcat.ks -storepass $1 -keypass $1 -alias idm -validity
> 7300 -dname "cn=delete"
>
> /opt/netiq/common/jre/bin/keytool -delete -alias idm -keysize 2048
> -keystore /tmp/tomcat.ks -storepass $1 -keypass $1
>
> echo "/opt/netiq/common/jre/bin/java -cp
> ${2}/common/lib/dirxml_misc.jar:${2}/common/lib/ldap.jar:${2}/common/lib/xp.jar:${2}/common/lib/nxsl.jar:${2}/common/lib/jclient.jar
> com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host ${3} -port ${4}
> -user "${5}" -password ${6} -exportcerts "SSL CertificateDNS" server
> java /tmp"
>
> /opt/netiq/common/jre/bin/java -cp
> /mnt/idm47/common/lib/dirxml_misc.jar:/mnt/idm47/common/lib/ldap.jar:/mnt/idm47/common/lib/xp.jar:/mnt/idm47/common/lib/nxsl.jar:/mnt/idm47/common/lib/jclient.jar
> com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host 10.182.71.23
> -port 636 -user "cn=admin,o=jnet" -password novell -exportcerts "SSL
> CertificateDNS" server java /tmp
>
> /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore "/tmp/SSL
> CertificateDNS_server.ks" -destkeystore /tmp/tomcat.ks -srcstorepass
> dirxml -deststorepass novell -srcalias "SSL CertificateDNS" -srckeypass
> dirxml -destkeypass novell -deststoretype JKS -noprompt
>
> /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore "/tmp/SSL
> CertificateDNS_server.ks" -destkeystore "/tmp/tomcat.ks" -srcstorepass
> dirxml -deststorepass novell -srcalias "trustedcert" -destalias
> "trustedcert" -srckeypass dirxml -deststoretype JKS -noprompt
>
> rm "/tmp/SSL CertificateDNS_server.ks"
>
>
> But when we execute the script we had following error:
>
> ./generate_keystore.sh novell /mnt/idm47/ xx.xx.xx.xx 636
> "cn=admin,o=xx" novell
>
> Warning:
> The JKS keystore uses a proprietary format. It is recommended to migrate
> to PKCS12 which is an industry standard format using "keytool
> -importkeystore -srckeystore /tmp/tomcat.ks -destkeystore /tmp/tomcat.ks
> -deststoretype pkcs12".
> /opt/netiq/common/jre/bin/java -cp
> /mnt/idm47//common/lib/dirxml_misc.jar:/mnt/idm47//common/lib/ldap.jar:/mnt/idm47//common/lib/xp.jar:/mnt/idm47//common/lib/nxsl.jar:/mnt/idm47//common/lib/jclient.jar
> com.novell.nds.dirxml.util.DxCommand -v -accept 1 -host xx.xx.xx.xx
> -port 636 -user cn=admin,o=xx -password novell -exportcerts SSL
> CertificateDNS server java /tmp
>
> NetIQ Identity Manager Command Line Utility
> version 4.7.0.0
> Copyright (c) 2017 NetIQ Corporation. All Rights Reserved
>
> Logging in using:
> host: /xx.xx.xx.xx:636
> user: cn=admin,o=jnet
> Using LDAP protocol with SSL
> DirXML version is 4.7.2.0 AE.
> Driver set CN=xxx,OU=services,O=xx is associated with the server.
> Importing keystore /tmp/SSL CertificateDNS_server.ks to
> /tmp/tomcat.ks...
> keytool error: java.io.FileNotFoundException: /tmp/SSL
> CertificateDNS_server.ks (No such file or directory)
> Importing keystore /tmp/SSL CertificateDNS_server.ks to
> /tmp/tomcat.ks...
> keytool error: java.io.FileNotFoundException: /tmp/SSL
> CertificateDNS_server.ks (No such file or directory)
>
>
> It looks like SSL CertificateDNS_server.ks was not exported to /tmp....
> Any suggestions on this issue.
>
>


Interesting, it should only be from Java11 where pkcs12 would be forced
as keystore format.

What version is your java in /opt/netiq/common/jre?


Casper
Micro Focus Expert

On 2019-02-15 09:02, Casper Pedersen wrote:
>> ./generate_keystore.sh novell /mnt/idm47/ xx.xx.xx.xx 636
>> "cn=admin,o=xx" novell
>>
>> Warning:
>> The JKS keystore uses a proprietary format. It is recommended to migrate
>> to PKCS12 which is an industry standard format using "keytool
>> -importkeystore -srckeystore /tmp/tomcat.ks -destkeystore /tmp/tomcat.ks
>> -deststoretype pkcs12".



> Interesting, it should only be from Java11 where pkcs12 would be forced
> as keystore format.


That warning is present since
https://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html

--
Norbert
Admiral

On 15.02.19 11:38, Norbert Klasen wrote:
> On 2019-02-15 09:02, Casper Pedersen wrote:
>>> ./generate_keystore.sh novell /mnt/idm47/ xx.xx.xx.xx 636
>>> "cn=admin,o=xx" novell
>>>
>>> Warning:
>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>> to PKCS12 which is an industry standard format using "keytool
>>> -importkeystore -srckeystore /tmp/tomcat.ks -destkeystore /tmp/tomcat.ks
>>> -deststoretype pkcs12".

>
>
>> Interesting, it should only be from Java11 where pkcs12 would be forced
>> as keystore format.

>
> That warning is present since
> https://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html
>


Ahh, as long as it's just a warning then one can ignore it.

I was wrong about Java11, it's from Java9 it will default to PKCS12
(https://docs.oracle.com/javase/9/whatsnew/toc.htm#JSNEW-GUID-71A09701-7412-4499-A88D-53FA8BFBD3D0)


Casper
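The two things this thread turns on are that the original script goes on to run keytool -importkeystore even when the export never produced "/tmp/SSL CertificateDNS_server.ks" (so the FileNotFoundException is the first visible symptom of an earlier failure), and that the "JKS keystore uses a proprietary format" message is only a warning, as Norbert and Casper conclude, so it must not be mistaken for a failure. The script below is an added example, not part of the original post and not Micro Focus' script: it guards each import with an existence check on the exported file (quoting the name, since it contains a space) and classifies keytool's output by exit status and the presence of a "keytool error:" line rather than by the presence of a warning. The keytool path, the keystore name, the alias "SSL CertificateDNS" and the dirxml/novell passwords are the thread's values used as placeholders; the function and variable names are my own. The offline self-check uses a constructed file and the warning/error lines copied from the thread's output.

```shell
#!/bin/sh
# Added example (not from the original post or Micro Focus): a guarded version
# of the export-then-import sequence discussed in the thread. All paths,
# aliases and passwords are placeholders taken from the thread; override
# KEYTOOL via the environment if the JRE lives elsewhere.

KEYTOOL="${KEYTOOL:-/opt/netiq/common/jre/bin/keytool}"

# require_keystore FILE: succeed only if FILE exists, is non-empty and readable.
# Always quote "$1": the exported keystore name contains a space.
require_keystore() {
    if [ ! -s "$1" ] || [ ! -r "$1" ]; then
        printf 'expected keystore not found or empty: %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# keytool_failed OUTPUT: true if captured keytool output contains a fatal
# "keytool error:" line. The PKCS12 migration warning alone is not a failure.
keytool_failed() {
    case "$1" in
        *"keytool error:"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# import_entry SRC_KS DEST_KS SRC_PASS DEST_PASS ALIAS: import one entry from
# the exported keystore into the Tomcat keystore, but only after confirming
# the export produced SRC_KS. Returns 1 on a missing file or a fatal error.
import_entry() {
    src="$1"; dest="$2"; srcpass="$3"; destpass="$4"; alias="$5"
    require_keystore "$src" || return 1
    out=$("$KEYTOOL" -importkeystore -srckeystore "$src" -destkeystore "$dest" \
          -srcstorepass "$srcpass" -deststorepass "$destpass" \
          -srcalias "$alias" -destalias "$alias" \
          -srckeypass "$srcpass" -destkeypass "$destpass" \
          -deststoretype JKS -noprompt 2>&1)
    rc=$?
    printf '%s\n' "$out"
    if [ "$rc" -ne 0 ] || keytool_failed "$out"; then
        printf 'import of %s into %s failed (exit %s)\n' "$alias" "$dest" "$rc" >&2
        return 1
    fi
    return 0
}

# import_all: the thread's two imports (server key pair, then "trustedcert"),
# stopping at the first failure instead of running keytool against a file
# that is not there. Only invoked when run as: sh this_script.sh --run
import_all() {
    src="/tmp/SSL CertificateDNS_server.ks"
    dest="/tmp/tomcat.ks"
    import_entry "$src" "$dest" dirxml novell "SSL CertificateDNS" &&
    import_entry "$src" "$dest" dirxml novell trustedcert &&
    rm -f "$src"
}

# Offline self-check with a constructed file: a keystore path containing a
# space, plus the warning and error lines from the thread's output.
self_check() {
    dir=$(mktemp -d)
    ks="$dir/SSL CertificateDNS_server.ks"
    require_keystore "$ks" 2>/dev/null && echo "BUG: missing file accepted"
    printf 'constructed placeholder, not a real keystore\n' > "$ks"
    require_keystore "$ks" && echo "ok: export artefact present: $ks"
    keytool_failed "Warning:
The JKS keystore uses a proprietary format." || echo "ok: JKS warning is benign"
    keytool_failed "keytool error: java.io.FileNotFoundException: $ks (No such file or directory)" && echo "ok: fatal keytool error detected"
    rm -rf "$dir"
}

[ "${1:-}" = "--run" ] && import_all
self_check
```

Running the file without arguments only performs the offline self-check; `--run` performs the real imports and stops before the first keytool call whenever the exported file is absent, which is the point at which the thread's script should have stopped. keytool also accepts the `:env` and `:file` modifiers on its password options (for example `-srcstorepass:env VARNAME`), which keeps the store passwords out of the process list instead of passing them on the command line as the original script does.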