
Friday September 29, 2006
Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 or 6.x
Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 using Administration CLI
I installed Sun Java System Web Server 7.0 in the <server-installation> directory and started the Administration server.
$ ./admin-server/bin/startserv
Now I used wadm to run Administration CLIs.
$ ./bin/wadm --user=admin
Please enter admin-user-password> typed-admin-password-here
wadm>
I have a config named "test".
wadm> list-configs
test
If the keystore is in the file /tmp/my-jks-key-store.jks, the keystore password is storepass, the key password is keypass, and the NSS DB password is nsspass, I run the migrate-jks-keycert CLI:
wadm> migrate-jks-keycert --config=test --keystore=/tmp/my-jks-key-store.jks
Please enter keystore-password> storepass
Please enter key-password> keypass
Please enter certdb-password> nsspass
CLI201 Command "migrate-jks-keycert" ran successful.
I confirmed that the migration worked by listing the certificates using the list-certs CLI:
wadm> list-certs --config=test
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN
wadm>
After all the changes are done, run the deploy-config CLI.
From the server instance's config directory, run certutil to confirm that the certificates are present in the NSS DB.
$ ${server-install-dir}/bin/certutil -L -d ${server-instance-dir}/config
CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN    u,u,u
Migrating JKS Keystore Entries to NSS Database in Sun One Web Server 6.x
Here we have to migrate the JKS keystore to the NSS database manually. This is what we have to do:
From the server instance config directory, initialize the NSS DB if required:
$ ${server-install-dir}/bin/certutil -N -d ${server-instance-dir}/config
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long, and should contain at least one non-alphabetic character.
Enter new password: nsspass
Re-enter password: nsspass
Use keytool from a JDK greater than version 6; it has an importkeystore option which converts a JKS keystore to PKCS12 format.
$ /share/builds/components/jdk/1.6.0_01/SunOS/bin/keytool -importkeystore -srckeystore server-keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore server-keystore.pkcs12
Enter destination keystore password: storepass
Re-enter new password: storepass
Enter source keystore password: storepass
Entry for alias s1as successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Now import them into the NSS database:
$ ${server-install-dir}/bin/pk12util -i server-keystore.pkcs12 -d ${server-instance-dir}/config
Enter Password or Pin for "NSS Certificate DB": nsspass
Enter password for PKCS12 file: storepass
pk12util: PKCS12 IMPORT SUCCESSFUL
Verify that the certificate was imported:
$ ${server-install-dir}/bin/certutil -L -d .
CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU    u,u,u
Then we may have to set trust flags using the following command:
$ ${server-install-dir}/bin/certutil -M -t "CTu,u,u"
....
To migrate an Apache server (OpenSSL) certificate, we can use the openssl utility to export it to a PKCS#12 file:
$ openssl pkcs12 -export -out <output-pkcs-file> -in <openssl-server-crt-file> -inkey <openssl-server-key-file> -nodes -name <alias>
And import it into the SJS Web Server NSS database using the pk12util utility:
$ ${server-install-dir}/bin/pk12util -i <exported-pkcs12-file> -d ${server-instance-dir}/config
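In the certutil -L listings above, the "u" trust flag is what shows that the private key, and not only the certificate, reached the NSS database. The script below is an added example, not part of the original post; the function names and the sample listing (including the "Constructed Root CA" entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check a `certutil -L` listing
# for the "u" trust flag, which NSS shows only when the private key for that
# certificate is in the key database.

# key_status: read `certutil -L` output on stdin and print one line per
# certificate as "KEY<TAB>nickname" or "NOKEY<TAB>nickname".
key_status() {
    awk '
    # Data rows end in three comma-separated flag groups, e.g. "CTu,u,u".
    # Header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flag column
        sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
        printf "%s\t%s\n", (index(flags, "u") ? "KEY" : "NOKEY"), nick
    }'
}

# has_private_key NICKNAME: read a listing on stdin; succeed only if
# NICKNAME is present and carries the "u" flag.
has_private_key() {
    key_status | awk -F '\t' -v want="$1" \
        '$1 == "KEY" && $2 == want { ok = 1 } END { exit !ok }'
}

# Constructed sample listing: the two nicknames shown in the post plus a
# made-up CA certificate that has no private key in the database.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CN=test,OU=WS,O=SUN,L=BLR,ST=KA,C=IN                   u,u,u
CN=Server,OU=JWS,O=SUN,ST=Some-State,C=AU              CTu,u,u
Constructed Root CA                                    CT,,
EOF
}

sample_listing | key_status
```

Against a real database, pipe the output of certutil -L -d ${server-instance-dir}/config into has_private_key with the migrated nickname as its argument.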
For more readability, the commands I used are shown in brown and the output is shown in green.
Sun Java System Web Server 7.0 Technology Preview 3 is released and is FREE; download it from here.
Posted by meena (Sep 29 2006, 11:52:17 AM IST)