CMS Stashfile problems when using sslStash command
 Technote (troubleshooting)
 
Problem (Abstract)
If the IBM® HTTP Server is configured to use a CMS keystore (*.kdb extension) for SSL, it is possible to stash the keystore's password into a file (stashfile, extension *.sth). When the password is stashed using the sslstash command, the resulting stashfile cannot be used to open the CMS keystore.
 
Cause
The sslstash command is not meant for use with a CMS-type keystore. It is intended for PKCS11 devices (see the SSLStash usage link in the "Related information" section below).

There are three different ways to stash the password, and they do not all produce the same result.

  1. When creating the CMS keystore with IKEYMAN, you can check the "stash password" option, which will then generate the *.sth file along with the *.kdb keystore. This works fine.
  2. You can run the sslstash command from <httpserver root>\bin. However, this generates a stashed password in another format, used for CRL and crypto definitions. Hence, this is not a suitable way to stash the password for a CMS key database.
  3. You can run gsk7cmd to create a keystore along with the stash file, which is basically the same result as in 1), or you can run gsk7cmd against an existing keystore and only generate the stashfile.
 
Resolving the problem
Do not use the sslstash command to create a password stashfile for a CMS type database.

If you need to create a new keystore with a stashfile from the command line, use:

gsk7cmd -keydb -create -db <db name> -pw <password> -type cms -expire <days valid> -stash

or if you want to create a stashfile for an existing keystore, use:

gsk7cmd -keydb -stashpw -db <db name> -pw <password>

Both of these commands will generate a file with extension *.sth and the same filename as the *.kdb keystore.
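
The naming rule above can be checked against a server configuration. The following Python example is added here and is not part of the technote or of IBM's tooling: it reads KeyFile directives from httpd.conf text and reports whether a same-named *.sth sits beside each *.kdb. Flagging a stashfile that is also named by an SSLStashfile directive as sslstash output is a heuristic assumed for this example; the function names and sample paths are constructed.

```python
import ntpath
import re

# KeyFile and SSLStashfile are IBM HTTP Server directives; function names and
# sample paths below are constructed for this example.
DIRECTIVE = re.compile(
    r'^[ \t]*(KeyFile|SSLStashfile)[ \t]+"?([^"#\r\n]+?)"?[ \t]*$', re.I | re.M)

def norm(path):
    """Normalise a Windows path for case- and separator-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def audit_keyfiles(conf_text, exists):
    """Return (kdb, expected_sth, status) for every active KeyFile directive.
    status: 'ok', 'missing' (no <name>.sth beside <name>.kdb), or
    'sslstash-target' (assumed heuristic: the same file is named by
    SSLStashfile, so it is presumably sslstash output, not a CMS stashfile).
    """
    keyfiles, sslstash_targets = [], set()
    for name, value in DIRECTIVE.findall(conf_text):
        if name.lower() == "keyfile":
            keyfiles.append(value)
        else:
            sslstash_targets.add(norm(value))
    report = []
    for kdb in keyfiles:
        # The stashfile shares the keystore's directory and base name.
        sth = ntpath.splitext(kdb)[0] + ".sth"
        status = ("sslstash-target" if norm(sth) in sslstash_targets
                  else "ok" if exists(sth) else "missing")
        report.append((kdb, sth, status))
    return report

# Constructed sample configuration (not taken from the technote).
SAMPLE_CONF = r'''
KeyFile "C:/IHS/keys/site1.kdb"
# KeyFile "C:/IHS/keys/old.kdb"
<VirtualHost *:8443>
  KeyFile C:\IHS\keys\site2.kdb
  SSLStashfile "c:\ihs\keys\site2.sth"
</VirtualHost>
KeyFile "C:/IHS/keys/site3.kdb"
'''

if __name__ == "__main__":
    on_disk = {"C:/IHS/keys/site1.sth"}  # constructed stand-in for os.path.exists
    for row in audit_keyfiles(SAMPLE_CONF, on_disk.__contains__):
        print(row)
```

On a real server, pass os.path.exists as the second argument and the contents of httpd.conf as the first.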

 
Related information
iKeyMan User's Guide
SSLStash usage
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > SSL
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1256084
IBM Group: Software Group
Modified date: Mar 1, 2007