I tried checking for a default certificate and it reports "null".  The KDB
file has the GSK certs and my cert - that's it, and when I follow the
instructions to set up my cert as the default, it gives me a cryptic "I'm
sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to
contact Rocket, as their vendor is entirely unresponsive, which is why they
work with us in the first place, and we're not a VAR.  So I post here and
hope someone from Rocket is listening.  Wally, Kevin, Mike, ... there've
been a number of very good Rocket folks helping out here over the years.
(Apologies for anyone I missed.)

-K

On Tue, Feb 19, 2013 at 6:12 PM, John Hester <jhes...@momtex.com> wrote:

> I doubt the unqualified listen has any connection.  It sounds like
> something's corrupt in the kdb file.  If you only have one cert in the
> file, you might try removing the SSLServerCert directive altogether.
> Normally one cert in the database is marked as the default to use when
> none is specified, and if you only have one, that should be it.  I would
> also create a new kdb file from scratch just to make sure it's clean.
>
> If it still won't work after that, I'd suggest opening a case with IBM
> support if you have a current entitlement.  I open cases with them all
> the time for issues with new software installations, and they're always
> very responsive.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 4:03 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Yes, I have both the LoadModule and Listen, though my Listen is
> unqualified, like this:
>
> Listen 443
>
> The error I'm getting in the logs tells me there is no key for "api" or
> "api.client.com" (I've tried both) despite the fact that gsk7cmd shows
> that the certificate absolutely is in there.  That's what's vexing; I
> can see the certificate, but for some reason Apache cannot.
>
> You don't suppose the unqualified Listen might have something to do with
> it, do you?
>
>
> On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com>
> wrote:
>
> > Kevin, I have both chained and self-signed certs on various servers.
> > The example from my workstation is a self-signed cert.  Self-signed is
> > actually less prone to error because you don't have to worry about
> > importing the intermediate certs into the keystore database.  The only
> > other thing I know to suggest at the moment is verify you're loading
> > the IBM SSL module and listening on port 443:
> >
> > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > Listen 0.0.0.0:443
> >
> > Are you getting any errors in the IHS SSL logs, either at server
> > startup or when you attempt to browse to port 443?
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Monday, February 18, 2013 5:04 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > John (Thompson)... This IHS Apache is definitely a cracked Apache with
> > some odd configuration.  SSL setup in particular is completely
> > different.
> >
> > John (Hester), I can see the cert in the key file (through the gsk7cmd
> > command) but with the name api.client.com it cannot be found.  I even
> > recreated the cert as "api" (without dots) because I found a page that
> > said that the dots could be causing problems, but still no love.  It
> > seems I've done everything correctly but still it just can't find a
> > combination that works.  I'm wondering if the problem here is the fact
> > that it's a self-signed cert without a chain?  Are you using a
> > self-signed cert here?  Do you have other certs in your key file that
> > may represent a chain for the self-signed cert?
> >
> > Thank you gentlemen for the insight.  Most appreciated.
> >
> > -K
> >
> > On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com>
> > wrote:
> >
> > > It sounds like you've done all you need to for basic IHS SSL
> > > functionality.  As long as api.client.com matches the name you gave
> > > the certificate via ikeyman, and you have the KeyFile directive, you
> > > should be OK.  There are a lot of other options you can add for
> > > optimization and browser compatibility, but I don't think leaving
> > > any of those out would break it outright.  Here's my working IHS
> > > config from the development server on my Windows workstation for
> > > comparison:
> > >
> > > <VirtualHost *:443>
> > > SSLEnable
> > > SSLProtocolDisable SSLv2
> > > SSLServerCert is12.momtex.com
> > >      <Directory "c:/IBM/HTTPServer/htdocs/html">
> > >      Options +Includes
> > >      AddType text/html .shtml
> > >      AddOutputFilter INCLUDES .shtml
> > >      </Directory>
> > > </VirtualHost>
> > > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > > SSLDisable
> > >
> > > -John
> > >
> > > -----Original Message-----
> > > From: u2-users-boun...@listserver.u2ug.org
> > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > > Sent: Saturday, February 16, 2013 4:02 PM
> > > To: U2 Users List
> > > Subject: [U2] AIX 5.3 IBMIHS Web Server
> > >
> > > Might anyone have any tips or tricks for getting SSL to work on the
> > > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The
> > > documentation I've found on the web is byzantine at best and it
> > > would be fine if the commands actually worked, but I keep getting
> > > odd error messages and stalled at every turn.
> > >
> > > I've upgraded the GSK so that the server will start with SSL enabled,
> > > I have a virtual host configured, but I have no clue how to tie a
> > > specific certificate to the VirtualHost.  Well, let's say I have
> > > clues, but nothing is working.  Here's the <VirtualHost> stanza I
> > > have set up in httpd.conf:
> > >
> > > <VirtualHost *:443>
> > >         SSLEnable
> > >         SSLClientAuth None
> > >         SSLServerCert api.client.com
> > >         ServerName api.client.com
> > >         DocumentRoot /usr/www
> > >         <Directory "/usr/www">
> > >              Order Allow,Deny
> > >              Allow From All
> > >         </Directory>
> > >         ErrorLog logs/api_error.log
> > >         CustomLog logs/api_error.log common
> > > </VirtualHost>
> > >
> > > I've been able to generate a CSR and create a self-signed
> > > certificate, and it would appear that I've even successfully
> > > imported that certificate into my key database, as demonstrated by
> > > this command:
> > >
> > > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
> > >
> > > ...which produces the following output...
> > >
> > > Label: api.client.com
> > > Key Size: 512
> > > Version: X509 V1
> > > Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> > > Issued By: api.client.com
> > > CLIENT
> > > City, ST, US
> > > Subject: api.client.com
> > > CLIENT
> > > City, ST, US
> > > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> > > Fingerprint: ...
> > > Signature Algorithm: 1.2.840.113549.1.1.5
> > > Trust Status: enabled
> > >
> > > But even though this certificate is in the keyfile (and yes, I have
> > > a KeyFile directive elsewhere in the httpd.conf file pointing to the
> > > client.kdb file) I can't seem to associate it to the virtual host.
> > > What am I missing?
> > >
> > > (And yes, I'm aware this is not specifically a U2 question but I
> > > need this to provide web connectivity to a Unidata machine from a
> > > Rackspace hosted server.  So in a way... it sorta is U2 related.)
> > >
> > > Help?
_______________________________________________
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users
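As an added example (not from the thread, and not IBM's or Rocket's tooling), a Python check that parses gsk7cmd "-cert -details" output of the shape quoted above and compares it with the SSLServerCert directive from the <VirtualHost> stanza: it reports a KDB label that differs from the directive only by whitespace (the sample is constructed with a stray space to show that case, since the label in the quoted command was broken across a line), a 512-bit key, an X.509 v1 certificate (no extensions, hence no subjectAltName), a SHA-1 signature, and a date outside the validity window. KDB_DETAILS and HTTPD_CONF are constructed samples and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample shaped like the gsk7cmd '-cert -details' output quoted in the
# thread; the extra space after "Label:" is deliberate, to show the mismatch case.
KDB_DETAILS = """Label:  api.client.com
Key Size: 512
Version: X509 V1
Subject: api.client.com
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Signature Algorithm: 1.2.840.113549.1.1.5
"""
# Constructed <VirtualHost> fragment carrying only the directives the check reads.
HTTPD_CONF = """<VirtualHost *:443>
    SSLEnable
    SSLServerCert api.client.com
</VirtualHost>
"""
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def parse_details(text):
    # 'Field: value' lines into a dict, values kept verbatim: stray whitespace in a
    # label is exactly the kind of difference that makes SSLServerCert fail to match.
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def parse_date(s):  # e.g. 'Saturday, February 16, 2013 6:06:08 PM EST', zone dropped
    return datetime.strptime(s.rsplit(" ", 1)[0], "%A, %B %d, %Y %I:%M:%S %p")

def directive(conf, name):
    m = re.search(r"^\s*%s\s+(\S+)" % name, conf, re.M)
    return m.group(1) if m else None

def check(details, conf, now_iso):
    # Findings that explain why IHS may not find the cert, or why it is weak.
    d, now, findings = parse_details(details), datetime.fromisoformat(now_iso), []
    label, wanted = d.get("Label", ""), directive(conf, "SSLServerCert")
    if label != wanted:
        how = "only by whitespace" if label.strip() == (wanted or "").strip() else "outright"
        findings.append("label mismatch: SSLServerCert %r vs KDB label %r (%s)" % (wanted, label, how))
    if int(d.get("Key Size", "0")) < 2048:
        findings.append("weak RSA key size " + d["Key Size"])
    if d.get("Version", "").endswith("V1"):
        findings.append("X.509 v1 certificate: no extensions, so no subjectAltName")
    if d.get("Signature Algorithm") in WEAK_SIG_OIDS:
        findings.append("deprecated signature " + WEAK_SIG_OIDS[d["Signature Algorithm"]])
    start, end = (parse_date(x) for x in d["Valid From"].split(" To: "))
    if not start <= now <= end:
        findings.append("certificate not valid at " + now_iso)
    return findings
```

Feed it the real output of gsk7cmd and the real httpd.conf; the label comparison is byte-exact on purpose, because IHS matches the label literally.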
