Problem (Abstract)
If the IBM® HTTP Server is configured to use a CMS
keystore (*.kdb extension) for SSL, it is possible to stash the keystore's
password into a file (stashfile, extension *.sth). When the password is
stashed using the sslstash command, the resulting stashfile cannot be used
to open the CMS keystore.

Cause
The sslstash command is not intended for use with a CMS-type keystore; it is
used for PKCS11 devices (see the SSLStash usage link in the "Related URL"
section).
There are three different ways to stash the password, but with
different results.
1. When creating the CMS keystore with IKEYMAN, you can check the "stash
password" option, which will then generate the *.sth file along with the
*.kdb keystore. This works fine.
2. You can run the sslstash command from <httpserver root>\bin.
However, this generates a stashed password in another format, used for CRL
and crypto definitions. Hence, this is not a suitable way to stash the
password for a CMS key database.
3. You can run gsk7cmd to create a keystore along with the stash file,
which is basically the same result as in 1), or you can run gsk7cmd
against an existing keystore and only generate the stashfile.

Resolving the problem
Do not use the sslstash command to create a password
stashfile for a CMS-type database.
If you need to create a new keystore with a stashfile from the command line,
use:

    gsk7cmd -keydb -create -db <db name> -pw <password> -type cms -expire <days valid> -stash

or, if you want to create a stashfile for an existing keystore, use:

    gsk7cmd -keydb -stashpw -db <db name> -pw <password>

Both of these commands will generate a file with extension *.sth and the
same filename as the *.kdb keystore.
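The following is an added example, not part of the IBM technote: a small POSIX shell wrapper around the two gsk7cmd commands above that, after running them, checks that the *.sth file actually landed next to the *.kdb with the same base name, which is the symptom that goes wrong when sslstash is used instead. It assumes gsk7cmd is on PATH when the create/stash functions are called; the check functions work on plain files. The permission check is an added hardening step the technote does not prescribe, and the paths in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): helpers around the gsk7cmd commands from the
# technote. gsk7cmd is assumed to be on PATH for create_cms_keystore and
# stash_existing_keystore; the check functions only look at files.

# Path of the stash file that belongs to a CMS keystore:
# same file name as the .kdb, with the .sth extension.
expected_stash_path() {
    printf '%s\n' "${1%.kdb}.sth"
}

# Return 0 if the stash file for the given .kdb exists alongside it, 1 otherwise.
# This only confirms presence and naming; it cannot tell a gsk7cmd stash from
# an sslstash one, so always generate the file with the gsk7cmd forms below.
verify_stash_file() {
    kdb=$1
    sth=$(expected_stash_path "$kdb")
    [ -f "$kdb" ] || { echo "keystore missing: $kdb" >&2; return 1; }
    [ -f "$sth" ] || { echo "stash file missing: $sth" >&2; return 1; }
    return 0
}

# Added hardening check: the stash file holds the keystore password in an
# obfuscated (not encrypted) form, so it should be readable only by the
# account that runs IBM HTTP Server. Accepts modes such as 600 or 400.
stash_perms_ok() {
    sth=$1
    mode=$(stat -c '%a' "$sth" 2>/dev/null || stat -f '%Lp' "$sth")
    case "$mode" in
        ?00) return 0 ;;
        *) echo "stash file $sth is mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Create a new CMS keystore plus its stash file (technote form 1), then
# confirm the .sth was written next to the .kdb.
create_cms_keystore() {
    db=$1; pw=$2; days=$3
    command -v gsk7cmd >/dev/null 2>&1 || { echo "gsk7cmd not on PATH" >&2; return 2; }
    gsk7cmd -keydb -create -db "$db" -pw "$pw" -type cms -expire "$days" -stash || return 1
    verify_stash_file "$db"
}

# Generate only the stash file for an existing CMS keystore (technote form 2).
stash_existing_keystore() {
    db=$1; pw=$2
    command -v gsk7cmd >/dev/null 2>&1 || { echo "gsk7cmd not on PATH" >&2; return 2; }
    gsk7cmd -keydb -stashpw -db "$db" -pw "$pw" || return 1
    verify_stash_file "$db"
}

# Usage with constructed paths (assumed, not from the technote):
#   create_cms_keystore /opt/IBM/HTTPServer/keys/ihs.kdb 'S3cret!' 365
#   stash_existing_keystore /opt/IBM/HTTPServer/keys/ihs.kdb 'S3cret!'
#   stash_perms_ok "$(expected_stash_path /opt/IBM/HTTPServer/keys/ihs.kdb)"
```

Because gsk7cmd takes the password as a command-line argument, it is briefly visible to other local users in the process list while the command runs; run it from an interactive session on the server rather than baking the password into a shared script.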