Where does one get this magical GUI?  I wonder, John, if I am unable to
procure such an animal if I sent you my key file if you could see if you
could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester <jhes...@momtex.com> wrote:

> This would be an IBM support issue rather than Rocket since you're
> dealing specifically with IHS.  You might want to check with the
> customer to see if they're currently under maintenance.  There's a good
> chance they are if the IHS install was recent because AFAIK you can't
> even get the installation files without a support login.
>
> One other thing you might try is using the iKeyman GUI to create the
> keystore database rather than the command line utility.  That's what I
> always use.  You can run it via an X session, or locally on Windows
> desktop.  I typically create and test a keystore locally on my desktop
> and copy the kdb file to the server when I'm sure it's working
> correctly.  The iKeyman interface is fairly intuitive, and it's easy to
> designate a default cert with the click of a button.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 6:23 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> I tried checking for a default certificate and it reports "null".  The
> KDB file has the GSK certs and my cert - that's it, and when I follow
> the instructions to set up my cert as the default, it gives me a cryptic
> "I'm sorry Dave, I can't do that" kind of message.
>
> This is on a customer's system, and they don't have any good paths to
> contact Rocket, as their vendor is entirely unresponsive which is why
> they work with us in the first place, and we're not a var.  So I post
> here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
> there've been a number of very good Rocket folks helping out here over
> the years.  (Apologies for anyone I missed.)
>
> -K
>
> On Tue, Feb 19, 2013 at 6:12 PM, John Hester <jhes...@momtex.com> wrote:
>
> > I doubt the unqualified listen has any connection.  It sounds like
> > something's corrupt in the kdb file.  If you only have one cert in the
> > file, you might try removing the SSLServerCert directive altogether.
> > Normally one cert in the database is marked as the default to use when
> > none is specified, and if you only have one, that should be it.  I
> > would also create a new kdb file from scratch just to make sure it's
> > clean.
> >
> > If it still won't work after that, I'd suggest opening a case with IBM
> > support if you have a current entitlement.  I open cases with them all
> > the time for issues with new software installations, and they're
> > always very responsive.
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Tuesday, February 19, 2013 4:03 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Yes, I have both the LoadModule and Listen, though my Listen is
> > unqualified, like this:
> >
> > Listen 443
> >
> > The error I'm getting in the logs tells me there is no key for "api"
> > or "api.client.com" (I've tried both) despite the fact that gsk7cmd
> > shows that the certificate absolutely is in there.  That's what's
> > vexing; I can see the certificate, but for some reason Apache cannot.
> >
> > You don't suppose the unqualified Listen might have something to do
> > with it, do you?
> >
> >
> > On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com>
> > wrote:
> >
> > > Kevin, I have both chained and self-signed certs on various servers.
> > > The example from my workstation is a self-signed cert.  Self-signed
> > > is actually less prone to error because you don't have to worry about
> > > importing the intermediate certs into the keystore database.  The
> > > only other thing I know to suggest at the moment is verify you're
> > > loading the IBM ssl module and listening on port 443:
> > >
> > > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > > Listen 0.0.0.0:443
> > >
> > > Are you getting any errors in the IHS SSL logs, either at server
> > > startup or when you attempt to browse to port 443?
> > >
> > > -John
> > >
> > > -----Original Message-----
> > > From: u2-users-boun...@listserver.u2ug.org
> > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin
> > > King
> > > Sent: Monday, February 18, 2013 5:04 PM
> > > To: U2 Users List
> > > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> > >
> > > John (Thompson)... This IHS Apache is definitely a cracked Apache
> > > with some odd configuration.  SSL setup in particular is completely
> > > different.
> > >
> > > John (Hester), I can see the cert in the key file (through the
> > > gsk7cmd command) but with the name api.client.com it cannot be
> > > found.  I even recreated the cert as "api" (without dots) because I
> > > found a page that said that the dots could be causing problems, but
> > > still no love.  It seems I've done everything correctly but still it
> > > just can't find a combination that works.  I'm wondering if the
> > > problem here is the fact that it's a self-signed cert without a
> > > chain?  Are you using a self-signed cert here?  Do you have other
> > > certs in your key file that may represent a chain for the
> > > self-signed cert?
> > >
> > > Thank you gentlemen for the insight.  Most appreciated.
> > >
> > > -K
> > >
> > > On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> wrote:
> > >
> > > > It sounds like you've done all you need to for basic IHS SSL
> > > > functionality.  As long as api.client.com matches the name you
> > > > gave the certificate via ikeyman, and you have the KeyFile
> > > > directive, you should be OK.  There are a lot of other options you
> > > > can add for optimization and browser compatibility, but I don't
> > > > think leaving any of those out would break it outright.  Here's my
> > > > working IHS config from the development server on my Windows
> > > > workstation for comparison:
> > > >
> > > > <VirtualHost *:443>
> > > > SSLEnable
> > > > SSLProtocolDisable SSLv2
> > > > SSLServerCert is12.momtex.com
> > > >      <Directory "c:/IBM/HTTPServer/htdocs/html">
> > > >      Options +Includes
> > > >      AddType text/html .shtml
> > > >      AddOutputFilter INCLUDES .shtml
> > > >      </Directory>
> > > > </VirtualHost>
> > > > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > > > SSLDisable
> > > >
> > > > -John
> > > >
> > > > -----Original Message-----
> > > > From: u2-users-boun...@listserver.u2ug.org
> > > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin
> > > > King
> > > > Sent: Saturday, February 16, 2013 4:02 PM
> > > > To: U2 Users List
> > > > Subject: [U2] AIX 5.3 IBMIHS Web Server
> > > >
> > > > > Might anyone have any tips or tricks for getting SSL to work on
> > > > > the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The
> > > > > documentation I've found on the web is byzantine at best and it
> > > > > would be fine if the commands actually worked, but I keep getting
> > > > > odd error messages and stalled at every turn.
> > > > >
> > > > > I've upgraded the GSK so that the server will start with SSL
> > > > > enabled, I have a virtual host configured, but I have no clue how
> > > > > to tie a specific certificate to the VirtualHost.  Well, let's say
> > > > > I have clues, but nothing is working.  Here's the <VirtualHost>
> > > > > stanza I have set up in httpd.conf:
> > > >
> > > > <VirtualHost *:443>
> > > >         SSLEnable
> > > >         SSLClientAuth None
> > > >         SSLServerCert api.client.com
> > > >         ServerName api.client.com
> > > >         DocumentRoot /usr/www
> > > >         <Directory "/usr/www">
> > > >              Order Allow,Deny
> > > >              Allow From All
> > > >         </Directory>
> > > >         ErrorLog logs/api_error.log
> > > > >         CustomLog logs/api_error.log common
> > > > > </VirtualHost>
> > > >
> > > > > I've been able to generate a CSR and create a self-signed
> > > > > certificate, and it would appear that I've even successfully
> > > > > imported that certificate into my key database, as demonstrated by
> > > > > this command:
> > > > >
> > > > > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
> > > >
> > > > ...which produces the following output...
> > > >
> > > > Label: api.client.com
> > > > Key Size: 512
> > > > Version: X509 V1
> > > > > Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> > > > > Issued By: api.client.com
> > > > > CLIENT
> > > > > City, ST, US
> > > > > Subject: api.client.com
> > > > > CLIENT
> > > > > City, ST, US
> > > > > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> > > > > Fingerprint: ...
> > > > > Signature Algorithm: 1.2.840.113549.1.1.5
> > > > > Trust Status: enabled
> > > >
> > > > > But even though this certificate is in the keyfile (and yes, I
> > > > > have a KeyFile directive elsewhere in the httpd.conf file pointing
> > > > > to the client.kdb file) I can't seem to associate it to the
> > > > > virtual host.  What am I missing?
> > > > >
> > > > > (And yes, I'm aware this is not specifically a U2 question but I
> > > > > need this to provide web connectivity to a Unidata machine from a
> > > > > Rackspace hosted server.  So in a way... it sorta is U2 related.)
> > > >
> > > > Help?
> > > > _______________________________________________
> > > > U2-Users mailing list
> > > > U2-Users@listserver.u2ug.org
> > > > http://listserver.u2ug.org/mailman/listinfo/u2-users
_______________________________________________
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users
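
Added example, not part of the original thread and not IBM tooling: a Python check that compares the SSLServerCert label in httpd.conf with the label reported by `gsk7cmd -cert -details`, and flags the weak parameters visible in the output quoted above (512-bit key, X509 V1, signature OID 1.2.840.113549.1.1.5). The sample inputs are constructed from the thread; the exact-match label comparison and the 2048-bit floor are assumptions.

```python
import re

# Constructed sample, modelled on the gsk7cmd output quoted in the thread.
SAMPLE_DETAILS = """\
Label: api.client.com
Key Size: 512
Version: X509 V1
Subject: api.client.com
Signature Algorithm: 1.2.840.113549.1.1.5
"""
# Constructed httpd.conf fragment using directives shown in the thread.
SAMPLE_CONF = """\
KeyFile /usr/IBMIHS/ssl/client.kdb
<VirtualHost *:443>
    SSLEnable
    SSLServerCert api.client.com
</VirtualHost>
"""
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
MIN_KEY_BITS = 2048  # assumption: minimum acceptable RSA key size

def parse_details(text):
    """Turn 'Field: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields

def audit(details_text, conf_text):
    """Return a list of findings for one certificate and one config file."""
    cert = parse_details(details_text)
    findings = []
    if not re.search(r"^\s*KeyFile\s+\S", conf_text, re.M):
        findings.append("no KeyFile directive")
    for label in re.findall(r"^\s*SSLServerCert\s+(.+?)\s*$", conf_text, re.M):
        # Assumption: the label must match the keystore label exactly.
        if label.strip('"') != cert.get("Label"):
            findings.append(f"SSLServerCert {label!r} does not match keystore label")
    bits = int(cert.get("Key Size", "0"))
    if bits < MIN_KEY_BITS:
        findings.append(f"key size {bits} is below {MIN_KEY_BITS}")
    oid = cert.get("Signature Algorithm", "")
    if oid in WEAK_SIG_OIDS:
        findings.append(f"weak signature algorithm {WEAK_SIG_OIDS[oid]}")
    if "V1" in cert.get("Version", ""):
        findings.append("X.509 v1 certificate cannot carry extensions (no SAN, no key usage)")
    return findings
```
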
