PQ48611: SSL ENCRYPTION USING CA BET WAS3.5.3 AND NETSCAPE DEFECT # PMR758327TD000 AND DEFECT 100755


APAR

APAR status
Closed as documentation error.

Error description
SSL connection configuration between WAS 3.5.3 and Netscape
LDAP Server 4.13 fails on Solaris 2.6
when using a 3rd party cert. The configuration works when the Cu
uses self-signed cert.
Tried simulating the problem in the lab. Verified that it fails.
I could connect to the LDAP making an SSL call
via Netscape Communicator/Address Book.
.
Defect #    PMR758327TD000
.
It was determined by L3 that it is not a code defect but a
documentation defect. So a Document Defect 100755 was created.
Please associate this APAR with Defect 100755.
Local fix
Defined the steps to configure an SSL connection between WAS and LDAP
using a 3rd party cert.
Problem summary
The customer is asking for a keyring file which has a CA
certificate which can communicate with the Netscape LDAP
server over SSL.  The following are steps to do this.
It consists of using two keyring files.  A server keyring
and a client keyring.  The server keyring will store the
private key from the certificate request, the public key,
and the CA's root certificate.  The client keyring will
store the public key, the CA's root certificate and the
Netscape LDAP server's public key (all as signer certs).
.
STEPS
.
Save External Public Certificates (LDAP and CA Root)
1.  Export the public key from the LDAP server to a file
    called "ldap.arm".
2.  Download the CA's root certificate to a file called
    "caroot.arm".
.
Generate the Server Keyring File from IKeyMan:
3.  Create a new keyring class file called ServerKeyring.class.
4.  Generate a certificate request and save it as "certreq.arm".
5.  Go to the CA's Web Site to request the cert.  Get the cert
    and save it as "newcert.arm".
6.  Go to the Personal Certificates section of IKeyMan and
    select "Receive".  Enter the filename "newcert.arm".
7.  Select "Extract Certificate" and save it as "websphere.arm".
8.  Go to the Signer Certificates section of IKeyMan and select
    "Add".  Enter the filename "caroot.arm".
.
Generate the Client Keyring File from IKeyMan:
9.  Create a new keyring class file called ClientKeyring.class.
10. Go to the Signer Certificates section of IKeyMan and select
    "Add".  Enter the filename "ldap.arm".
11. Go to the Signer Certificates section of IKeyMan and select
    "Add".  Enter the filename "caroot.arm".
12. Go to the Signer Certificates section of IKeyMan and select
    "Add".  Enter the filename "websphere.arm".
.
You are now ready to install these in WebSphere:
13. Edit the SAS.SERVER.PROPS file.  Both the ServerKeyring and
    ClientKeyring files need to be on the server.  Modify the
    following lines:
    com.ibm.CORBA.KeyRingFile=ServerKeyring
    com.ibm.CORBA.KeyRingPassword=WebAS
    com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
    com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
14. Edit the SAS.CLIENT.PROPS file.  Only the ClientKeyring
    file needs to be on the client.  Modify the following lines:
    com.ibm.CORBA.SSLKeyRing=ClientKeyring
    com.ibm.CORBA.SSLKeyRingPassword=WebAS
    com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
    com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
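The steps above boil down to one trust rule: the keyring WAS uses on the client side of the LDAP connection must hold a trust anchor that terminates the LDAP server's certificate chain. With a self-signed LDAP certificate the certificate is its own root, so importing "ldap.arm" alone is enough; with a CA-issued certificate the CA root ("caroot.arm") must be a signer as well. The following model is an added example, not IBM code: certificates are plain (subject, issuer) pairs rather than X.509, the keyrings mirror IKeyMan's Personal and Signer sections, the SAS property lines are the ones from steps 13 and 14, and the subject names are constructed. It assumes a validator that only accepts chains ending at a self-signed root present in the signer list, which is the behaviour consistent with this APAR (self-signed works, third-party fails until the root is added).

```python
"""Model of the two-keyring trust setup from APAR PQ48611 (constructed example,
not IBM code). Certs are (subject, issuer) pairs, keyrings mirror IKeyMan's
Personal/Signer sections. Assumption: a peer chain is accepted only when it
ends at a self-signed root present in the signer list."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class Keyring:
    name: str
    personal: dict = field(default_factory=dict)  # own certs (private key present)
    signers: dict = field(default_factory=dict)   # trusted certs, keyed by subject

    def trust_anchors(self) -> set:
        # Only a self-signed signer entry can terminate a chain.
        return {s for s, c in self.signers.items() if c.self_signed}


def validate_chain(leaf, keyring, directory, max_depth=5):
    """Climb issuer links from the peer's leaf cert until a trust anchor in
    `keyring` is reached. `directory` maps subject -> Cert for the CA certs
    the peer sends along with its leaf."""
    anchors = keyring.trust_anchors()
    cert = leaf
    for _ in range(max_depth):
        if cert.subject in anchors or cert.issuer in anchors:
            return True
        if cert.self_signed:          # reached an untrusted root: dead end
            return False
        cert = directory.get(cert.issuer)
        if cert is None:              # chain is incomplete
            return False
    return False


def parse_props(text):
    """Minimal reader for the key=value lines of SAS.SERVER.PROPS / SAS.CLIENT.PROPS."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


# Property lines as given in steps 13 and 14 of the APAR.
SAS_SERVER_PROPS = """\
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
"""
SAS_CLIENT_PROPS = """\
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""


def build_keyrings(ldap_cert, ca_root, was_cert, add_ca_root=True):
    """Steps 3-12 of the APAR; add_ca_root=False models skipping steps 8 and 11."""
    server = Keyring("ServerKeyring")
    server.personal[was_cert.subject] = was_cert    # steps 4-6: certreq.arm -> newcert.arm
    client = Keyring("ClientKeyring")
    client.signers[ldap_cert.subject] = ldap_cert   # step 10: ldap.arm
    client.signers[was_cert.subject] = was_cert     # step 12: websphere.arm
    if add_ca_root:
        server.signers[ca_root.subject] = ca_root   # step 8: caroot.arm
        client.signers[ca_root.subject] = ca_root   # step 11: caroot.arm
    return {server.name: server, client.name: client}


def was_trusts_ldap(third_party_ca, add_ca_root):
    """Does the keyring WAS uses as SSL client (SSLClientKeyRing in
    SAS.SERVER.PROPS) accept the LDAP server's cert? Names are constructed."""
    ca_root = Cert("CN=Example Third-Party CA", "CN=Example Third-Party CA")
    if third_party_ca:
        ldap_cert = Cert("CN=ldap.example.test", ca_root.subject)
    else:
        ldap_cert = Cert("CN=ldap.example.test", "CN=ldap.example.test")
    was_cert = Cert("CN=was.example.test", ca_root.subject)
    keyrings = build_keyrings(ldap_cert, ca_root, was_cert, add_ca_root)
    ring_name = parse_props(SAS_SERVER_PROPS)["com.ibm.CORBA.SSLClientKeyRing"]
    sent_with_leaf = {ca_root.subject: ca_root}   # what the LDAP server presents
    return validate_chain(ldap_cert, keyrings[ring_name], sent_with_leaf)


if __name__ == "__main__":
    for third_party, with_root in [(False, False), (True, False), (True, True)]:
        ok = was_trusts_ldap(third_party, with_root)
        print(f"third-party CA={third_party!s:5} root in keyring={with_root!s:5} "
              f"-> {'trusted' if ok else 'FAILS'}")
```

Running the script prints the three cases from the APAR in order: self-signed LDAP cert without the CA root (trusted), third-party cert without the CA root (fails, the reported symptom), and third-party cert with "caroot.arm" added in step 11 (trusted). The same check can be pointed at a different keyring name by reading `com.ibm.CORBA.SSLServerKeyRing` from `SAS_CLIENT_PROPS` instead.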
Problem conclusion
Temporary fix
Comments
APAR information
APAR number: PQ48611
Reported component name: WAS ADVANCED SU
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED DOC
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-05-09
Closed date: 2001-05-10
Last modified date: 2001-05-10

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Applicable component levels

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ48611
IBM Group: Software Group
Modified date: 2001-05-10