This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.
One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Tuesday, February 19, 2013 6:23 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive, which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)

-K

On Tue, Feb 19, 2013 at 6:12 PM, John Hester <jhes...@momtex.com> wrote:

> I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
>
> If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 4:03 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
>
> Listen 443
>
> The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
>
> You don't suppose the unqualified Listen might have something to do with it, do you?
>
>
> On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com> wrote:
>
> > Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
> >
> > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > Listen 0.0.0.0:443
> >
> > Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Monday, February 18, 2013 5:04 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration; SSL setup in particular is completely different.
> >
> > John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works. I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?
> >
> > Thank you gentlemen for the insight. Most appreciated.
> >
> > -K
> >
> > On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> wrote:
> >
> > > It sounds like you've done all you need to for basic IHS SSL functionality. As long as api.client.com matches the name you gave the certificate via ikeyman, and you have the KeyFile directive, you should be OK. There are a lot of other options you can add for optimization and browser compatibility, but I don't think leaving any of those out would break it outright. Here's my working IHS config from the development server on my Windows workstation for comparison:
> > >
> > > <VirtualHost *:443>
> > > SSLEnable
> > > SSLProtocolDisable SSLv2
> > > SSLServerCert is12.momtex.com
> > > <Directory "c:/IBM/HTTPServer/htdocs/html">
> > > Options +Includes
> > > AddType text/html .shtml
> > > AddOutputFilter INCLUDES .shtml
> > > </Directory>
> > > </VirtualHost>
> > > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > > SSLDisable
> > >
> > > -John
> > >
> > > -----Original Message-----
> > > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > > Sent: Saturday, February 16, 2013 4:02 PM
> > > To: U2 Users List
> > > Subject: [U2] AIX 5.3 IBMIHS Web Server
> > >
> > > Might anyone have any tips or tricks for getting SSL to work on the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation I've found on the web is byzantine at best and it would be fine if the commands actually worked, but I keep getting odd error messages and stalled at every turn.
> > >
> > > I've upgraded the GSK so that the server will start with SSL enabled, I have a virtual host configured, but I have no clue how to tie a specific certificate to the VirtualHost. Well, let's say I have clues, but nothing is working. Here's the <VirtualHost> stanza I have set up in httpd.conf:
> > >
> > > <VirtualHost *:443>
> > > SSLEnable
> > > SSLClientAuth None
> > > SSLServerCert api.client.com
> > > ServerName api.client.com
> > > DocumentRoot /usr/www
> > > <Directory "/usr/www">
> > > Order Allow,Deny
> > > Allow From All
> > > </Directory>
> > > ErrorLog logs/api_error.log
> > > CustomLog logs/api_error.log common
> > > </VirtualHost>
> > >
> > > I've been able to generate a CSR and create a self-signed certificate, and it would appear that I've even successfully imported that certificate into my key database, as demonstrated by this command:
> > >
> > > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
> > >
> > > ...which produces the following output...
> > >
> > > Label: api.client.com
> > > Key Size: 512
> > > Version: X509 V1
> > > Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> > > Issued By: api.client.com
> > > CLIENT
> > > City, ST, US
> > > Subject: api.client.com
> > > CLIENT
> > > City, ST, US
> > > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> > > Fingerprint: ...
> > > Signature Algorithm: 1.2.840.113549.1.1.5
> > > Trust Status: enabled
> > >
> > > But even though this certificate is in the keyfile (and yes, I have a KeyFile directive elsewhere in the httpd.conf file pointing to the client.kdb file) I can't seem to associate it to the virtual host. What am I missing?
> > >
> > > (And yes, I'm aware this is not specifically a U2 question but I need this to provide web connectivity to a Unidata machine from a Rackspace hosted server. So in a way... it sorta is U2 related.)
> > >
> > > Help?
> > > _______________________________________________
> > > U2-Users mailing list
> > > U2-Users@listserver.u2ug.org
> > > http://listserver.u2ug.org/mailman/listinfo/u2-users
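The thread turns on two things a defender would want to check before restarting IHS: whether the label named by SSLServerCert actually exists in the keystore, and whether the certificate in that keystore is fit for use at all (the listing quoted above shows a 512-bit key and an X.509 v1 certificate, both far below what current clients accept). The following script is an added example, not code from anyone in this thread or from IBM; it parses text in the shape of the `gsk7cmd -cert -details` output quoted above (the field layout is assumed from that quote) together with the `<VirtualHost>` stanzas of an httpd.conf, and reports label mismatches, missing KeyFile/LoadModule directives, weak keys, v1 certificates and self-signed certificates. Both inputs are constructed samples with made-up values; the 2048-bit policy floor is an assumption you can change.

```python
"""Pre-flight check of an IHS/GSKit keystore listing against httpd.conf (added example)."""
import re

# Constructed sample in the shape of `gsk7cmd -cert -details` output quoted in the
# thread; the values are made up, not taken from any real keystore.
SAMPLE_DETAILS = """\
Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 11 22 33 44 55 66 77 88
Issued By: api.client.com
CLIENT
City, ST, US
Subject: api.client.com
CLIENT
City, ST, US
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Fingerprint: ...
Signature Algorithm: 1.2.840.113549.1.1.5
Trust Status: enabled
"""

# Constructed httpd.conf fragments: the first names the label "api" while the
# keystore label is "api.client.com" (the mismatch discussed in the thread);
# the second points SSLServerCert at the label that is actually in the keystore.
SAMPLE_HTTPD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
KeyFile "/usr/IBMIHS/ssl/client.kdb"
<VirtualHost *:443>
SSLEnable
SSLServerCert api
ServerName api.client.com
DocumentRoot /usr/www
</VirtualHost>
"""
FIXED_HTTPD_CONF = SAMPLE_HTTPD_CONF.replace("SSLServerCert api\n", "SSLServerCert api.client.com\n")

MIN_RSA_BITS = 2048  # assumed policy floor; 512-bit RSA is factorable with modest resources


def parse_cert_details(text):
    """Pull the fields we need out of one `gsk7cmd -cert -details` listing.
    The first line after 'Subject:' / 'Issued By:' carries the CN; the O and
    L/ST/C lines that follow have no colon and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z ]+?):\s*(.*)$', line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return {
        'label': fields.get('Label', ''),
        'key_size': int(fields.get('Key Size', '0') or 0),
        'version': fields.get('Version', ''),
        'subject_cn': fields.get('Subject', ''),
        'issuer_cn': fields.get('Issued By', ''),
    }


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block with lower-cased directive names."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^<VirtualHost\s+([^>]+)>$', line, re.I)
        if m:
            current = {'addr': m.group(1), 'sslenable': False}
            continue
        if re.match(r'^</VirtualHost>$', line, re.I):
            vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip('"') if len(parts) > 1 else '')
        if key == 'sslenable':
            current['sslenable'] = True
        else:
            current[key] = val
    return vhosts


def check_keystore_against_conf(conf, cert_texts, min_rsa_bits=MIN_RSA_BITS):
    """Return a list of (code, message) findings; an empty list means nothing to fix."""
    findings = []
    certs = {c['label']: c for c in (parse_cert_details(t) for t in cert_texts)}
    if not re.search(r'^\s*LoadModule\s+ibm_ssl_module\b', conf, re.M):
        findings.append(('NO_SSL_MODULE', 'mod_ibm_ssl is not loaded, so SSL directives are meaningless'))
    if not re.search(r'^\s*KeyFile\s+', conf, re.M):
        findings.append(('NO_KEYFILE', 'no KeyFile directive, so IHS has no keystore to search'))
    for label, cert in certs.items():  # keystore-level hygiene, independent of any vhost
        if cert['key_size'] < min_rsa_bits:
            findings.append(('WEAK_KEY', f"'{label}': {cert['key_size']}-bit key, policy floor is {min_rsa_bits}"))
        if cert['version'].upper().endswith('V1'):
            findings.append(('V1_CERT', f"'{label}': X.509 v1 has no extensions, so no SAN for hostname matching"))
        if cert['issuer_cn'] == cert['subject_cn']:
            findings.append(('SELF_SIGNED', f"'{label}': self-signed; clients must trust it explicitly, no chain to import"))
    for vh in parse_vhosts(conf):  # does each SSL vhost name a label the keystore actually has?
        if not vh['sslenable']:
            continue
        label = vh.get('sslservercert')
        if label is None:
            findings.append(('NO_SERVERCERT', f"{vh['addr']}: no SSLServerCert, the keystore default cert will be used"))
            continue
        cert = certs.get(label)
        if cert is None:
            findings.append(('MISSING_LABEL', f"{vh['addr']}: SSLServerCert '{label}' not among keystore labels {sorted(certs)}"))
            continue
        name = vh.get('servername')
        if name and name.lower() != cert['subject_cn'].lower():
            findings.append(('CN_MISMATCH', f"{vh['addr']}: ServerName {name} but certificate CN is {cert['subject_cn']}"))
    return findings


if __name__ == '__main__':
    for title, conf in (('as posted', SAMPLE_HTTPD_CONF), ('label corrected', FIXED_HTTPD_CONF)):
        print(f'== {title} ==')
        for code, msg in check_keystore_against_conf(conf, [SAMPLE_DETAILS]):
            print(f'{code:14} {msg}')
```

In practice you would run `gsk7cmd -cert -details` for each label in the kdb, as shown in the thread, and pass the captured outputs as `cert_texts`. A MISSING_LABEL finding is exactly the "no key for ..." condition discussed above; WEAK_KEY and V1_CERT will fire on any keystore built with the 2013-era defaults shown in the listing and mean the certificate should be regenerated rather than merely re-labelled.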