Tuesday Jul 08, 2008
One common question is what to do when you forgot the SSL security database password in Sun Web server 6.1SPx (or your predecessor did not tell you this before he/she left the company, etc.). This is the password you will be asked everytime when you want to start up the SSL enabled web server instance in 6.1SPx,
e.g.
apple:/export/home/iws6.1sp9> https-apple.asia.sun.com/start
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
Please enter password for "internal" token: <-- this is the security database password
Sorry, there is not much you can do in this case. You will need to re-initialize the security database with a new password, e.g. see
http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127 (6.1)
then you will need to request a new SSL certificate from the CA and so on,
see
http://docs.sun.com/source/817-1831-10/agcert.html#wp1004981
A couple options you can do to prevent above situations in the future:
1. use a password.conf, e.g.
see
http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127
"Using password.conf"
then you can see your own password such as
"internal:your_password" in password.conf file in the config subdirectory of the server instance.
2. use web server 7.0 which does not ask this internal token password when you request the SSL cert (generate a CSR) , and other later steps (e.g. install the SSL cert, start up the SSL server).
(Important : Jyri has helped to point out in the comments to this posting that
"
option #2 is only so because WS 7.0 allows you to have an empty password for the cert
database if that's what you want. It's not that it can somehow bypass the password if
one is set. If you do set the password on WS 7.0 (which may or may not be important to
do, depending on the deployment scenario) and later forget it, you'll still have to start
all over again with new keys; certificates.
")
e.g. No password asked when I requested the SSL cert.
After I installed the SSL cert.,
no password asked when I start up the SSL web server instance,
apple:/export/home/iws7.0u3> https-apple.asia.sun.com/bin/startserv
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://apple.asia.sun.com:7032 ready to accept requests
info: CORE3274: successful server startup
So, this is another good reason to upgrade to web 7.0
Friday Jun 27, 2008
When you migrate from web 6.1x to web 7.0x, the migration tool will help migrate your SSL server cert. too.
Just in case this SSL migration failed and you need to do something quick to get it working again in the new web 7.0x.
Then you can try below:
e.g. in my env, I tested below ok ,
apple:/export/home/iws7.0u2/https-newconfig2/config> ls -lrt
total 332
-rw------- 1 root other 2887 May 28 15:34 server.policy
-rw------- 1 root other 32768 May 28 15:34 secmod.db
-rw------- 1 root other 1442 May 28 15:34 obj.conf
-rw------- 1 root other 9153 May 28 15:34 mime.types
-rw------- 1 root other 150 May 28 15:34 magnus.conf
-rw------- 1 root other 466 May 28 15:34 login.conf
-rw------- 1 root other 160 May 28 15:34 keyfile
-rw------- 1 root other 32768 May 28 15:34 key3.db
-rw------- 1 root other 400 May 28 15:34 default.acl
-rw------- 1 root other 14732 May 28 15:34 default-web.xml
-rw------- 1 root other 1527 May 28 15:34 certmap.conf
-rw------- 1 root other 65536 May 28 15:34 cert8.db
-rw------- 1 root other 2111 May 28 15:34 server.xml
before I copied the 6.1SPx cert/key DBs over , I like to save a copy of orig. cert/key DB first and then stop web 7 first,
then copy over.
527 cp key3.db key3.db.org
528 cp cert8.db cert8.db.org
then stop the web 7 server,
then copy over the
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-cert8.db /export/home/iws7.0u2/https-newconfig2/config/cert8.db
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-key3.db /export/home/iws7.0u2/https-newconfig2/config/key3.db
then check if copy over ok,
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum key3.db key3.db.org
2044823871 32768 key3.db
1868267322 32768 key3.db.org
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum cert8.db cert8.db.org
1966527964 65536 cert8.db
1043770452 65536 cert8.db.org
then restart admin server of web 7.0x, and pretty much follow any Admin GUI suggestions to make the change .
e.g. go to admin GUI- you will see the warning that config has changed,
e.g. Instance Configuration Modified - then click the upper right hand side to
Deploy config and pull changes from server (so it will update config-store and instance too with new changes, i.e.
the cert and key DB files here)
then follow any from Admin GUI warnings and do other needed, e.g.
then Instance(s) Require Restart
apple.asia.sun.com: ADMIN3594: Configuration changes require a server restart.
then the change in key and cert db will be populated into config store.
then you will be asked to "Set Configuration Token Passwords
" (if you have not yet done so)
before you can view the newly copied over SSL certs inside the
then you will see the new SSL cert imported in ok.
then you can go to enable SSL in the listen socket,
e.g. Admin GUI -
"
General
Name: http-listener-1
SSL: Enabled (to turn on SSL with newly copied over 6.1SPx SSL cert)
Certificate:
RSA Certificates: (then choose .e.g. Server-Cert)
then deploy config and deploy config change , then can restart it ok with SSL
e.g. https://apple.asia.sun.com:7028/ will work SSL now.
The other way is to do it at certificate level with pk12util import and export
, see Sun internal doc. ID74681 at sunsolve site,
Sun[TM] ONE Web Server: How to Use Certutil and pk12util to list and export certs
by Gregory Bedigian
Hope this helps cu to migrate SSL cert.
You can also use above as a way to backup and later restore SSL cert. in case of disk failure, file corruption, etc.
|
|
|
|
You should mention that option #2 is only so becau...
Yes, thanks for the comments from Jyri. I added it...