WebSphere HTTP Server - IHS ikeyman doesn't have "stash the password to a file" check box

This is Interesting: Free IT Magazines  
Home > Archive > WebSphere HTTP Server > January 2004 > IHS ikeyman doesn't have "stash the password to a file" check box





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author IHS ikeyman doesn't have "stash the password to a file" check box
Debby Olson

2004-01-19, 8:21 am

We are trying to get https to work on our AIX server. We are running AIX
version 4.3.3,
WebSphere Application Server 5.0.2, and IBM Http Server 1.3.24. The
documentation
states that we must run the IBMHttpServer version of ikeyman, create a new
key database
file, and on the password screen, select "Stash the password to a file"
check box.

However, there is no "Stash the password to a file" check box on that screen
and after
creating the new key database file, the Stash password menu item is
disabled. I know
that we must do this to get https to work, but how do we do this? Any help
would be
greatly appreciated.


Debby Olson

2004-01-19, 8:21 am

But we are using the version of ikeyman that was shipped with IHS. We
change directory to /usr/IBMHttpServer/bin and enter ./ikeyman. The
key database type of CMS is not available in the drop-down when creating
a new key database file.

We are running AIX 4.3.3.11, WAS 5.0.2, and IBM HTTP Server 1.3.26.
According to the WAS documentation, the minimum AIX level recommended
is AIX 4.3.3 with mtc pkg 4330-10. Does anyone know if the CMS key
database type is not supported on AIX 4.3.3 or in Java V1.3.1 on AIX 4.3.3?
A co-worker has the same level of WAS and Http Server installed on AIX
5.1 and the CMS key database type of CMS is available when he runs
the Http Server's version of ikeyman.

Any help would be greatly appreciated.


"Justin Kieft" <jkieft@allshare.nl> wrote in message
news:bqi3j4$85ua$1@news.boulder.ibm.com...
quote:

> Stephan Schwarzer wrote:
>
> Thank you for the answer the problem is now solved. Used the wrong version

of iKeyMan.
quote:

>
> I needed to use the /usr/bin/ikeyman.
>
> Thanks!!!
>
> Justin Kieft
>



mark

2004-01-19, 8:21 am

Are you using WAS JDK? If so, did you try to download a standalone JDK
(1.3.X) and try it? With the standalone JDK, I would just set your PATH to
point to the directory where java.exe is (no JAVA_HOME).

There have been conflicting files before with WAS JDK and IHS Ikeyman (when
using WAS JDK) --- usually a different problem. Not saying this is the
case, but best to use standalone to make sure.

Mark


"Debby Olson" <drolson@us.ibm.com> wrote in message
news:bqigpr$aim8$1@news.boulder.ibm.com...
quote:

> But we are using the version of ikeyman that was shipped with IHS. We
> change directory to /usr/IBMHttpServer/bin and enter ./ikeyman. The
> key database type of CMS is not available in the drop-down when creating
> a new key database file.
>
> We are running AIX 4.3.3.11, WAS 5.0.2, and IBM HTTP Server 1.3.26.
> According to the WAS documentation, the minimum AIX level recommended
> is AIX 4.3.3 with mtc pkg 4330-10. Does anyone know if the CMS key
> database type is not supported on AIX 4.3.3 or in Java V1.3.1 on AIX

4.3.3?
quote:

> A co-worker has the same level of WAS and Http Server installed on AIX
> 5.1 and the CMS key database type of CMS is available when he runs
> the Http Server's version of ikeyman.
>
> Any help would be greatly appreciated.
>
>
> "Justin Kieft" <jkieft@allshare.nl> wrote in message
> news:bqi3j4$85ua$1@news.boulder.ibm.com...
WAS.[QUOTE][color=darkred]
version[QUOTE][color=darkred]
> of iKeyMan.
>
>



Debby Olson

2004-01-19, 8:22 am

I believe that we are using the JDK that comes with AIX (Java 1.3.1 for
AIX 4.3.3, not 1.2)". We have the IBM Developer Kit for Java 1.3.1
installed in /usr/java131. Is there a reason you recommend Java 1.2, not
1.3.1?

We have the PATH set to include "/usr/java131/jre/bin" and
/usr/java131/bin".
We added a debug line to /usr/opt/ibm/gskkm/bin/gsk5ikm
(which /usr/IBMHttpServer/binikeyman calls) and from what we can tell,
it is using the JDK in /usr/java131. Here is the output from the debug
lines
in /usr/opt/ibm/gskkm/bin/gsk5ikm:

+ UNAME=
+ [ -x /usr/bin/uname ]
+ + awk { print $1 }
+ /usr/bin/uname
UNAME=AIX
+ export UNAME
+ [ X = X/usr/java131 ]
+ [ AIX = SunOS ]
+ USE_JAVA=
+ export USE_JAVA
+ RETURNCODE=
+ export RETURNCODE
+ JAVA_VERSION_1=
+ export JAVA_VERSION_1
+ [ X = X ]
+ [ X = X/usr/java131 ]
+ [ AIX = AIX ]
+ which /usr/java131/sh/java
+ 2>& 1 + + echo 0
RETURNCODE=0
+ [ 0 -eq 1 ]
+ + /usr/java131/sh/java -version
+ 2>& 1
+ head -1
+ awk -F" {
split($2, tmpA, ".");
if (tmpA[1]*100+tmpA[2]*10+tmpA[3] < 120)
print "YES";
else
print "NO";
}
+ sed s/[^"0-9.]*//g
JAVA_VERSION_1=NO
+ [ NO = YES ]
+ JAVA_EXECUTABLE=/usr/java131/sh/java
+ USE_JAVA=true
+ export USE_JAVA
+ JDK_CLASSES=/usr/java131/lib/rt.jar
+ export JDK_CLASSES
+ [ X = X-x ]
+ IKEYMAN_RELEASE=50
+ eval IKEYMAN_TEMP_HOME=$IKEYMAN50_HOME
+ IKEYMAN_TEMP_HOME=
+ [ X = X ]
+ [ AIX = AIX ]
+ eval IKEYMAN50_HOME=/usr/opt/ibm/gskkm
+ IKEYMAN50_HOME=/usr/opt/ibm/gskkm
+ eval export IKEYMAN50_HOME
+ export IKEYMAN50_HOME
+ [ X = X-x ]
+ eval IKEYMAN50_CLASS_DIR=$IKEYMAN50_HOME/classes
+ IKEYMAN50_CLASS_DIR=/usr/opt/ibm/gskkm/classes
+ eval export IKEYMAN50_CLASS_DIR
+ export IKEYMAN50_CLASS_DIR
+ eval IKEYMAN50_CLASSES=$IKEYMAN50_CLASS_DIR/gsk5cls.jar
+ IKEYMAN50_CLASSES=/usr/opt/ibm/gskkm/classes/gsk5cls.jar
+ eval export IKEYMAN50_CLASSES
+ export IKEYMAN50_CLASSES
+ eval SWINGSET_CLASSES=$IKEYMAN50_CLASS_DIR/swingall.jar
+ SWINGSET_CLASSES=/usr/opt/ibm/gskkm/classes/swingall.jar
+ export SWINGSET_CLASSES
+ eval IBMCFWK_CLASSES=$IKEYMAN50_CLASS_DIR/cfwk.zip
+ IBMCFWK_CLASSES=/usr/opt/ibm/gskkm/classes/cfwk.zip
+ export IBMCFWK_CLASSES
+ eval IBMSSLIGHT_CLASSES=$IKEYMAN50_CLASS_DIR/sslight.jar
+ IBMSSLIGHT_CLASSES=/usr/opt/ibm/gskkm/classes/sslight.jar
+ export IBMSSLIGHT_CLASSES
+ [ AIX = SunOS ]
+ eval
CLASSPATH=. :$IKEYMAN50_CLASSES:$IKEYMAN50_CLASS_DIR
:/usr/opt/ibm/gskkm/class
es/swingall.jar:/usr/java131/lib/rt.jar:./:/usr/java131/lib:/usr/java131/lib
/ext/jsse.jar:/usr/java131/lib/ext/jnet.jar:/usr/java131/lib/ext/jcert.jar
+
CLASSPATH=.:/usr/opt/ibm/gskkm/classes/gsk5cls.jar:/usr/opt/ibm/gskkm/classe
s:/usr/opt/ibm/gskkm/classes/swingall.jar:/usr/java131/lib/rt.jar:./:/usr/ja
va131/lib:/usr/java131/lib/ext/jsse.jar:/usr/java131/lib/ext/jnet.jar:/usr/j
ava131/lib/ext/jcert.jar
+ export CLASSPATH
+ eval IKEYMAN50_VERBOSE=true
+ IKEYMAN50_VERBOSE=true
+ eval export IKEYMAN50_VERBOSE
+ export IKEYMAN50_VERBOSE
+ JRE_FLAGS=
+ export JRE_FLAGS
+ JAVA_FLAGS=
+ export JAVA_FLAGS
+ USER_PRE_CLASSPATH=
+ export USER_PRE_CLASSPATH
+ ARGS=
+ export ARGS
+ [ 0 -gt 0 ]
+ [ X = X-x ]
+ JRE_FLAGS=-classpath
..:/usr/opt/ibm/gskkm/classes/gsk5cls.jar:/usr/opt/ibm/gskkm/classes:/usr/opt
/ibm/gskkm/classes/swingall.jar:/usr/java131/lib/rt.jar:./:/usr/java131/lib:
/usr/java131/lib/ext/jsse.jar:/usr/java131/lib/ext/jnet.jar:/usr/java131/lib
/ext/jcert.jar -cp /usr/opt/ibm/gskkm/classes/cfwk.zip
+ export JRE_FLAGS
+ JAVA_FLAGS=-classpath
/usr/opt/ibm/gskkm/classes/cfwk.zip::.:/usr/opt/ibm/gskkm/classes/gsk5cls.ja
r:/usr/opt/ibm/gskkm/classes:/usr/opt/ibm/gskkm/classes/swingall.jar:/usr/ja
va131/lib/rt.jar:./:/usr/java131/lib:/usr/java131/lib/ext/jsse.jar:/usr/java
131/lib/ext/jnet.jar:/usr/java131/lib/ext/jcert.jar
+ export JAVA_FLAGS
+ [ AIX = SunOS ]
+ eval LIBPATH=$IKEYMAN50_HOME/lib:
+ LIBPATH=/usr/opt/ibm/gskkm/lib:
+ export LIBPATH
+ [ AIX = AIX ]
+ eval LD_LIBRARY_PATH=$IKEYMAN50_HOME/lib:
+ LD_LIBRARY_PATH=/usr/opt/ibm/gskkm/lib:
+ eval export LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH
+ eval IKEYMAN_TEMP_VERBOSE=-Dkeyman.verbose=$IKEYMAN50_VERBOSE
+ IKEYMAN_TEMP_VERBOSE=-Dkeyman.verbose=true
+ eval
IKEYMAN_TEMP_MOUSE_RETARGET=-Dkeyman.fix.jfc.mouse.retarget=$IKEYMAN50_FIX_J
FC_MOUSE_RETARGET
+ IKEYMAN_TEMP_MOUSE_RETARGET=-Dkeyman.fix.jfc.mouse.retarget=
+ IKEYMAN_TEMP_JAVA_INPUT=-classpath
/usr/opt/ibm/gskkm/classes/cfwk.zip::.:/usr/opt/ibm/gskkm/classes/gsk5cls.ja
r:/usr/opt/ibm/gskkm/classes:/usr/opt/ibm/gskkm/classes/swingall.jar:/usr/ja
va131/lib/rt.jar:./:/usr/java131/lib:/usr/java131/lib/ext/jsse.jar:/usr/java
131/lib/ext/jnet.jar:/usr/java131/lib/ext/jcert.jar -Dkeyman.verbose=true
-Dkeyman.fix.jfc.mouse.retarget= com.ibm.gsk.ikeyman.Ikeyman
+ [ true = true ]
+ /usr/java131/sh/java -classpath
/usr/opt/ibm/gskkm/classes/cfwk.zip::.:/usr/opt/ibm/gskkm/classes/gsk5cls.ja
r:/usr/opt/ibm/gskkm/classes:/usr/opt/ibm/gskkm/classes/swingall.jar:/usr/ja
va131/lib/rt.jar:./:/usr/java131/lib:/usr/java131/lib/ext/jsse.jar:/usr/java
131/lib/ext/jnet.jar:/usr/java131/lib/ext/jcert.jar -Dkeyman.verbose=true -D
keyman.fix.jfc.mouse.retarget= com.ibm.gsk.ikeyman.Ikeyman

So, we are completely mystified as to why this does not work for us and what
we can do to fix it. Any help, please???????????????????????


"Aaron W Morris" <aaronmorris@mindspring.com> wrote in message
news:bqk1hf$2bls$1@news.boulder.ibm.com...
quote:

>
>
> Debby Olson wrote:
>
4.3.3?[QUOTE][color=darkred]
>
>
> Use the JDK that comes with AIX (Java 1.2 for AIX 4.3.3,1.30 for AIX
> 5.x, I believe). Otherwise, you have to setup the Java security
> providers with the JDK (which I have never had work, btw).
>
> I even sent a bug report to IBM asking why they didn't just setup the
> normal providers by default, and they basically responded with RTFM and
> it's not their problem. Typical IBM.
>
> --
> Aaron W Morris <aaronmorris@mindspring.com> (decep)
>
>



Sunit Patke

2004-01-19, 8:22 am

Please use the ikeyman that is installed with gsk (global security kit). gsk
is
installed with IHS and is a required component to use SSL.

On solaris this is installed in /opt/ibm/gskN (where N = version of gsk 4 or
5).

Sunit


"Debby Olson" <drolson@us.ibm.com> wrote in message
news:bqigpr$aim8$1@news.boulder.ibm.com...
quote:

> But we are using the version of ikeyman that was shipped with IHS. We
> change directory to /usr/IBMHttpServer/bin and enter ./ikeyman. The
> key database type of CMS is not available in the drop-down when creating
> a new key database file.
>
> We are running AIX 4.3.3.11, WAS 5.0.2, and IBM HTTP Server 1.3.26.
> According to the WAS documentation, the minimum AIX level recommended
> is AIX 4.3.3 with mtc pkg 4330-10. Does anyone know if the CMS key
> database type is not supported on AIX 4.3.3 or in Java V1.3.1 on AIX

4.3.3?
quote:

> A co-worker has the same level of WAS and Http Server installed on AIX
> 5.1 and the CMS key database type of CMS is available when he runs
> the Http Server's version of ikeyman.
>
> Any help would be greatly appreciated.
>
>
> "Justin Kieft" <jkieft@allshare.nl> wrote in message
> news:bqi3j4$85ua$1@news.boulder.ibm.com...
WAS.[QUOTE][color=darkred]
version[QUOTE][color=darkred]
> of iKeyMan.
>
>



Debby Olson

2004-01-19, 8:22 am

As a final note on this subject, we tried the suggestions put forward by
several people including the following:

- Unsetting JAVA_HOME and addigng /usr/java131/bin and
/usr/java131/jre/bin to the PATH.
- Setting JAVA_HOME=/usr/jdk_base (this was recommended in
the IBM WebSphere V5.0 Security Redbook, section 10.10.1.
- Unsetting JAVA_HOME and adding /usr/jdk_base to PATH.

None of these options worked. One of the suggestions (from Aaron Morris)
was to use Java 1.2.2 or Java 1.3.0; he had problems using Java 1.3.1 with
ikeyman. Our system administrator did not want to regress to either of
those
2 levels, so we did not try that option.

Instead, our work-around was to use an AIX 5.1 system with WebSphere 5.0.2
(owned by another group in our area). We used the IHS ikeyman on that
system
to create the key database, stash the password, and create a self-signed
certificate
and then moved the files over to our AIX 4.3.3 system.

After doing that, we now have https enabled between the Web Client and the
IBM
Http Server. The bottom line is that there is a problem with Java 1.3.1 on
AIX 4.3.3
that affects the IHS ikeyman and does not allow creating CMS key databases.
We don't know what the problem is, but it sure has been frustrating and very
disappointing that it did not work as documented and there is no known fix.


"Sunit Patke" <nospam.patke@nospam.com> wrote in message
news:bqnqc4$7f4u$1@news.boulder.ibm.com...
quote:

> Please use the ikeyman that is installed with gsk (global security kit).

gsk
quote:

> is
> installed with IHS and is a required component to use SSL.
>
> On solaris this is installed in /opt/ibm/gskN (where N = version of gsk 4

or
quote:

> 5).
>
> Sunit
>
>
> "Debby Olson" <drolson@us.ibm.com> wrote in message
> news:bqigpr$aim8$1@news.boulder.ibm.com...
> 4.3.3?
option[QUOTE][color=darkred]
database[QUOTE][color=darkred]
shipped[QUOTE][color=darkred]
> WAS.
> version
>
>



Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com