Revisit: Wildcard SSL certificate from P12/PFX file into Domino

The objective of this article is to provide an example of how to do this, with hopefully no open discussions and no questions left unanswered. Of course this example is based on a particular situation with a specific certificate provider, but it can hopefully be translated to any other situation with other certificate authorities.
I wrote an earlier article; this is an update.

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64-bit (directory separator = \)
PFX file contains the server certificate as well as the intermediate and root certificates
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file (in my case from IIS) containing the wildcard certificate's private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: http://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: http://ibm.co/1SAYX5E
Fixcentral long: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you want to put your pemfile
<pemfile> = Name of your pemfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that the Notes program directory is in your path; if not, execute from the program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
enter <pfxpassword> when asked (and nothing when asked for a PEM pass phrase)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
enter <pfxpassword> when asked (and nothing when asked for a PEM pass phrase)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:

1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt
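
The same three steps and checks driven from one script, as an added example that is not part of the original article: it validates the intermediate PEM (exactly one unencrypted key, the full chain) before kyrtool sees it, and removes the PEM afterwards as the Important note below advises. The tool paths, the script name and the sample PEM are assumptions; the sample contains placeholder bodies, not real key material.

```python
import getpass
import os
import re
import subprocess
import sys

# Assumed tool locations, matching the article's example values.
OPENSSL = r"C:\OpenSSL-Win64\bin\openssl.exe"
KYRTOOL = r"C:\IBM\Lotus\Domino\kyrtool.exe"

# One PEM block: "-----BEGIN X-----" ... "-----END X-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample of what openssl pkcs12 -nodes -chain writes: one plaintext
# key followed by leaf + intermediate + root (bodies are placeholders only).
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADAN...\n-----END PRIVATE KEY-----\n"
    + "-----BEGIN CERTIFICATE-----\nMIIFazCCA1Og...\n-----END CERTIFICATE-----\n" * 3
)


def inspect_pem(pem_text, expected_certs=3):
    """Summarise a PEM file before handing it to kyrtool.

    kyrtool import all needs exactly one unencrypted private key (hence -nodes)
    and the server certificate with its chain (hence -chain); the article
    assumes leaf + intermediate + root, i.e. three certificates."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    keys = sum(1 for k in kinds if k.endswith("PRIVATE KEY"))
    encrypted = "ENCRYPTED PRIVATE KEY" in kinds
    certs = kinds.count("CERTIFICATE")
    return {"keys": keys, "encrypted": encrypted, "certs": certs,
            "ok": keys == 1 and not encrypted and certs >= expected_certs}


def run(cmd, stdin=None):
    """Run one tool, echo the command line, and stop on a non-zero exit code."""
    print("RUN:", " ".join(cmd))
    subprocess.run(cmd, input=stdin, text=True, check=True)


def pfx_to_kyr(pfx, pfx_password, pem, kyr, kyr_password):
    """The article's steps 1-3 plus its checks, with the PEM validated in between."""
    # 1. PFX -> PEM; the import password is fed on stdin rather than put on the
    #    command line, so it does not show up in the process list.
    run([OPENSSL, "pkcs12", "-in", pfx, "-out", pem, "-nodes", "-chain",
         "-passin", "stdin"], stdin=pfx_password + "\n")
    with open(pem) as fh:
        summary = inspect_pem(fh.read())
    if not summary["ok"]:
        os.remove(pem)
        raise SystemExit("PEM is not what kyrtool expects: %r" % summary)
    # 2./3. Create the keyring (writes the .kyr and its .sth stash file) and
    #       import key, certificate and chain in one go.
    run([KYRTOOL, "create", "-k", kyr, "-p", kyr_password])
    run([KYRTOOL, "import", "all", "-k", kyr, "-i", pem])
    # Check: list what landed in the keyring, as in the article's check steps.
    for what in ("certs", "keys", "roots"):
        run([KYRTOOL, "show", what, "-k", kyr])
    # The PEM holds the private key in clear and has served its purpose.
    os.remove(pem)
    return summary


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: pfx2kyr.py <pfxdir>\\<pfxfile> <pemdir>\\<pemfile> <kyrdir>\\<kyrfile>")
    pfx_to_kyr(sys.argv[1], getpass.getpass("pfx password: "),
               sys.argv[2], sys.argv[3], getpass.getpass("kyr password: "))
```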

Implement the files on the server
1. Copy the kyr file and the associated sth file to the server
2. Add the kyr file name to your Internet Sites document or Server document, depending on how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart the HTTP task on the server, use sh ta onl (show tasks only) and check that HTTP listens on both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that the pem file in particular is unprotected, so make sure to keep it in a safe place while you work and consider deleting it afterwards. The same goes for the kyr file (you cannot delete it, but keep it as safe as you can), as it contains the private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: http://www.infoware.eu/?p=7226

Welcome to Infoware: Mikael Grenfeldt

Today we are pleased to welcome a new employee – Mikael Grenfeldt.

Mikael is highly skilled in IBM's collaboration solutions such as IBM Domino, IBM Notes, IBM Chat and IBM Traveler, and he is a much sought-after addition to our senior team.

On his first day (today) we treated him to extra special goodies with his morning coffee, so we hope this will ensure a good working relationship!

IBM Connections using Active Directory and Nested Groups

Case:
The customer wants to use nested groups in access control for Communities; this should also be reflected in "I'm a Member" when users look for their communities, and so on. Connections was 4.5 CRx.

Google search links that were tried but did not work for me (for reasons unknown):
http://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
http://www-01.ibm.com/support/docview.wss?uid=swg21321308
http://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
http://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

Found something that worked for me (it seems logical looking at the description):
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from this thread:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups specified user belongs to, including due to group nesting (Notes 10, 19)
eg. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of specified group, including due to group nesting (Note 10)
eg. (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
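
An added example, not from the original post or from Microsoft: building the two filters above with RFC 4515 escaping of the DN value, and emulating on a small constructed directory what the extended match computes, i.e. the transitive closure of membership through nested groups. The sample directory and the function names are assumptions made for this example.

```python
# OID quoted in Note 10 above: LDAP_MATCHING_RULE_IN_CHAIN
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    A DN like 'cn=Smith (Jim),ou=West,dc=Domain,dc=com' contains '(' and ')',
    which would otherwise be read as filter syntax; values taken from user
    input and spliced in unescaped are how LDAP filter injection happens."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def groups_of_user_filter(user_dn):
    """All groups the user belongs to, directly or through nesting."""
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def members_of_group_filter(group_dn):
    """All objects that are members of the group, directly or through nesting."""
    return "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def chain_closure(dn, links):
    """Walk the chain the way the extended match does.

    'links' maps a DN to the DNs it is directly linked to (user -> groups, or
    group -> groups). Everything reachable is returned; the 'seen' set keeps
    nested groups that refer back to each other from looping forever."""
    seen, todo = set(), [dn]
    while todo:
        for nxt in links.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


# Constructed sample directory (memberOf view): Jim is a direct member of
# West-Staff only; West-Staff is nested in All-Staff, All-Staff in Everyone,
# and Everyone is (wrongly) nested back into All-Staff to show cycle handling.
MEMBER_OF = {
    "cn=Jim Smith,ou=West,dc=Domain,dc=com": ["cn=West-Staff,ou=West,dc=Domain,dc=com"],
    "cn=West-Staff,ou=West,dc=Domain,dc=com": ["cn=All-Staff,dc=Domain,dc=com"],
    "cn=All-Staff,dc=Domain,dc=com": ["cn=Everyone,dc=Domain,dc=com"],
    "cn=Everyone,dc=Domain,dc=com": ["cn=All-Staff,dc=Domain,dc=com"],
}

if __name__ == "__main__":
    jim = "cn=Jim Smith,ou=West,dc=Domain,dc=com"
    print("filter:", groups_of_user_filter(jim))
    print("direct memberOf:", MEMBER_OF[jim])
    for group in sorted(chain_closure(jim, MEMBER_OF)):
        print("nested membership:", group)
```

A plain (memberOf=...) lookup for Jim would return only West-Staff; the chain walk is what makes All-Staff and Everyone appear, which is the behaviour the Connections access control needs.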

NOTE:
All of this is of course done in the context of the Deployment Manager.
After making the changes, a full resync needs to be done with all nodes in the cluster (sometimes you also have to take down the node and run syncNode from the node) and the node restarted.

The solution is to change my setting in WebSphere to reflect this:
[Screenshots in the original post: nestgroup1, nestgroup2, nestgroup3]

For performance reasons I also changed the following (optional):
Reason:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
The solution is to change the setting according to those instructions.

How does it look in the files before and after the change? Here are snippets:

wimconfig.xml before the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberof" scope="nested"/>
      </config:groupConfiguration>

wimconfig.xml after the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
      </config:groupConfiguration>

security.xml before the change (you cannot cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you cannot cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
    <properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
  </userRegistries>

Shortcut to this document: http://www.infoware.eu/?p=7180
That's all, folks.

IBM Connections experts available for you

Do you need access to experts with market leading knowledge of IBM Connections? Are you starting up a new Connections project or do you need help with one that is in progress? Could you use the help of a recognized expert to help you solve the issues that are delaying deployment? We can help!

Infoware has been working with IBM Connections since 2008 and has consultants with broad and deep knowledge of IBM Connections environments and development. When it comes to deploying new environments, upgrading existing installations, integrating with other systems or systems development, our consultants are world class.

We have a portfolio of customer success stories for projects integrating IBM Connections with web content management systems such as EPI Server and IBM Docs with branding, customizations and systems integration.

We are recognized experts at adding extended functionality to IBM Connections environments as well as having specialist skills in user adoption methodologies and systems training.

Apart from IBM Connections we also offer expertise on IBM Chat, IBM WebSphere Portal, IBM WebSphere and IBM Notes/Domino.

Contact us if you are interested in our services or in a partnership.

Community Templates by DomainPatrol Social

First: Happy, Prosperous New Year! We hope you had a couple of relaxing days around Christmas and are now ready for new adventures in 2016!

This is just a short newsflash with two interesting topics we think you'll like:

A new release of DomainPatrol Social for IBM Connections. This will put a smile on the faces of all you Community Managers. We have seen for a long time that a key focus for companies today is to minimize the time and effort they waste creating something that already exists: to stop reinventing the wheel for good, and instead focus on developing new inventions.

The new function we're talking about is Community Templates. This will let you re-use your perfectly good and working Communities over and over again, with modifications if you like. Find the Community you would like to clone, select which parts of it you want to copy and click OK. Simple as that.

The release is ready to ship, so email us right away for more information, quotes, evaluation license or anything else.

And remember, DomainPatrol Social solves the most difficult tasks in IBM Connections concerning contents and users, such as Merge Communities, Move Communities, Move and Merge Blogs, Activities, Files, Wikis etc. We also handle Complete User Management for Files, Blogs, Wikis etc. Merge Profiles or Copy User Access. Take care of your orphan content today.

New projects start, others end. The organization is constantly changing, and consequently so are your needs.

Error when installing IBM Connections 5.5 with CCM!

Last week I started to install IBM Connections 5.5 in our lab to prepare myself for upcoming customer projects installing or upgrading customers' sites to Connections 5.5. This first install was done on a single Windows server, but I used the LDAP from a current Sametime environment (so I can integrate Sametime and Connections later on).

Windows Server Configuration
———————————————-
4 CPU, 16 GB RAM
C:\ 50 GB, D:\ 100 GB

I used the IBM Connections wiki documentation (http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/welcome/welcome_admin.html) but also the great "step-by-step" document written by IBM Connections Support Engineer Charlie Price (http://alturl.com/a3if4). "Step-by-step" guides can be great, but do NOT trust them all the way; ALWAYS read the official wiki/technote documentation from IBM!

I installed the following software on a Windows 2008 R2 server:
– WAS 8.5.5.7
– IBM HTTP Server 8.5.5.7
– DB2 10.5 FP6
– TDI 7.1.1 FP3
– Installation Manager 1.8.3

After installing all the above, creating the WAS cell and profiles, configuring LDAP, creating the DB2 databases, populating Profiles and configuring IBM HTTP Server, it was time to do the actual Connections install. As this test environment will be used to evaluate all the features in version 5.5, I also chose to install IBM Connections Content Manager (CCM). To be able to install CCM you have to specify a folder that contains the correct FileNet installation software. For Windows you need to download these files and add them to the folder:

– 5.2.1-P8CPE-WIN.EXE
– 5.2.1.2-P8CPE-WIN-FP002.EXE
– 5.2.1.2-P8CPE-CLIENT-WIN-FP002.EXE
– IBM_CONTENT_NAVIGATOR-2.0.3.EXE
– IBM_CONTENT_NAVIGATOR-2.0.3.5-FP005.EXE

After answering all the Connections Installation Wizard questions and settings, I could finally click the "Install" button 🙂
But unfortunately the installation ended with an error message... 🙁

The IBM Installation Manager logs indicated that the Connections Installation Wizard was unable to finish some of its "post-install tasks". After a closer look in the IM logs I could see that the installation wizard was trying to uninstall Connections. OK, I then opened install.log in the Connections install folder, in my case D:\IBM\Connections. This log contains information about all the WAS configuration and Connections application installations done during the Connections install. I soon found this in the log:

Create CCM data directory: [D:\IBM\Connections\data\shared\ccm]
Replace place holders in template file [D:\IBM\Connections\lib\filenet\ce_silent_install_windows.txt] to new file [D:\IBM\Connections\tmp\ce_silent_install_windows.txt].
RUN: "D:\Download\CCM\FileNet\5.2.1-P8CPE-WIN.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"

D:\IBM\Connections>"D:\Download\CCM\FileNet\5.2.1-P8CPE-WIN.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"
Exit code: 0
RUN: "D:\Download\CCM\FileNet\5.2.1.2-P8CPE-WIN-FP002.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"

D:\IBM\Connections>"D:\Download\CCM\FileNet\5.2.1.2-P8CPE-WIN-FP002.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"
Exit code: -1
ERROR:  FileNet [ce] installer [5.2.1.2-P8CPE-WIN-FP002.EXE] failed, exit code [-1]:
Traceback (most recent call last):
File "D:\IBM\Connections\lib\ccm.py", line 318, in do_install
self.install_filenet_software()
File "D:\IBM\Connections\lib\ccm.py", line 371, in install_filenet_software
self.install_fn_component(c)
File "D:\IBM\Connections\lib\ccm.py", line 413, in install_fn_component
raise Exception("FileNet [%s] installer [%s] failed, exit code [%s]:" % (comp, binary, result))
Exception: FileNet [ce] installer [5.2.1.2-P8CPE-WIN-FP002.EXE] failed, exit code [-1]:
LotusConnections Component [CCM] install is FAILED

The installation continued after this, installing all the other applications; the "only" failed installation was the CCM application. OK, so now I started to troubleshoot this error. Was the 5.2.1.2-P8CPE-WIN-FP002.EXE file corrupt? I downloaded a new one and tried to install Connections again, but I got the same error message. I then checked the VMware resources: did I have enough CPU or RAM? Yes. How about free disk space for the temp folder? CCM needs at least 6 GB, otherwise the installation will fail. No, that wasn't it. I tried to install Connections once more; this time I made a copy of the D:\IBM\Connections\FileNet folder during the installation so I could investigate all the files created in this folder during the install. This is because the Connections Installation Wizard deletes this folder when it fails to make a successful installation of IBM Connections. It's hard to troubleshoot if logs and other files are deleted by the installation... 🙂

So what did I find in the FileNet folder? In the log file ce_install_log_5.2.1.2.txt I found the following error:


so jan 24 20:05:08:104 Error while building the EAR file in the installer
Status: FATAL ERROR
Additional Notes: FATAL ERROR – sö jan 24 20:05:10:818 [ERROR]
BUILD FAILED
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:99: The following error occurred while executing this line:
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:135: The following error occurred while executing this line:
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:202: Unparseable date: "01/24/2016 08:05 em"
at org.apache.tools.ant.taskdefs.Touch.checkConfiguration(Touch.java:256)
at org.apache.tools.ant.taskdefs.Touch.execute(Touch.java:280)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:440)
at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:440)
at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.Main.runBuild(Main.java:851)
at org.apache.tools.ant.Main.startAnt(Main.java:235)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
Caused by: java.text.ParseException: Unparseable date: "01/24/2016 08:05 em"
at java.text.DateFormat.parse(DateFormat.java:369)
at org.apache.tools.ant.taskdefs.Touch.checkConfiguration(Touch.java:249)
… 44 more

Total time: 9 seconds


So I opened the mergeears.xml file and looked at row 202. Hmm, something with dates??? OK, let's ask Google about "mergeears.xml:202: Unparseable date". The first hit I got was this one:
http://www-01.ibm.com/support/docview.wss?uid=swg1PJ43439 from December 15, 2015: "CPE FIX PACK INSTALLER FAILS WHEN USING FINNISH(FINLAND) ON WINDOWS". Aha! So that was the cause. Well, I am not using Finnish, but as I am sitting in Stockholm, Sweden, my Windows server is using Swedish as date format and location (for system locale I use English US). So it appears there is a bug in the 5.2.1.2-P8CPE-WIN-FP002.EXE fix pack that will make the installation fail if the date format and location of the operating system are something other than English...

"… The 5.2.1.2-CPE installer fails with a fatal Unparseable date
error when Region and Language is set to Finnish(Finland) on
Windows.  It's probable that this is a general installer issue
that will fail for any Region and Language that has a different
date format.

The problem is fixed in the ant script, which should now work
for any non English locales also Resolved by 5.2.1.3-P8CPE-FP003 and higher."

The workaround for this is to always use English as date format and location during installation of IBM Connections. After the installation is done you can change date format and location to the one that you prefer. 🙂
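
A small pre-flight check for the locale problem above, as an added example that is not part of the original post or of IBM's installer: the failed step had formatted a timestamp with the OS regional settings ("01/24/2016 08:05 em", Swedish for PM) while Ant's Touch task expected the English MM/dd/yyyy hh:mm a form. The script formats the current time the way the active locale does and checks that the English pattern accepts it, so the workaround can be verified before another long install run. The pattern and the function names are assumptions made for this example.

```python
import datetime
import locale
import re
import time

# Strict English form the Ant task accepted, e.g. "01/24/2016 08:05 PM"
TIMESTAMP = re.compile(r"^(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}) (AM|PM)$")


def parse_installer_timestamp(text):
    """Return a datetime for an English-locale timestamp, or None when the
    string carries a localized AM/PM marker (Swedish 'fm'/'em', as in the log)."""
    m = TIMESTAMP.match(text)
    if not m:
        return None
    month, day, year, hour, minute, marker = m.groups()
    hour = int(hour) % 12 + (12 if marker == "PM" else 0)  # 12-hour -> 24-hour
    return datetime.datetime(int(year), int(month), int(day), hour, int(minute))


def current_locale_timestamp():
    """Format 'now' with the user's regional settings, as a locale-aware
    installer would; if those settings are unusable, the C locale stays active."""
    try:
        locale.setlocale(locale.LC_TIME, "")
    except locale.Error:
        pass
    return time.strftime("%m/%d/%Y %I:%M %p")


def locale_is_installer_safe():
    """True when the active date/time settings produce the English AM/PM form."""
    return parse_installer_timestamp(current_locale_timestamp()) is not None


if __name__ == "__main__":
    stamp = current_locale_timestamp()
    if locale_is_installer_safe():
        print("OK: locale formats time as %r; the CPE fix pack installer should parse it" % stamp)
    else:
        print("STOP: locale formats time as %r; set date format/location to English (US) first" % stamp)
```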

So did it work? Yes, I changed date format and location to English, tried to install IBM Connections again and now the installation finished SUCCESSFULLY with that lovely little green icon!

I'm the featured IBM Champion on the new IBM Social Business User Community site

Are you interested in the IBM Social Business user community? Then this site is a place for you.

Here you can read about events from both IBM and independent user groups, webcasts, Twitter feeds, blogs and testimonials.

A place to get together, share ideas and talk about what’s new in social.

And if that is not enough, right now I'm the featured IBM Champion on the site as well.

So why wait, click here now.

Merry Christmas & Happy New Year from Infoware

It's soon Christmas and we all look forward to holidays with lots of relaxing days with friends and families. We would like to take this opportunity to thank all our customers, partners, resellers and friends for a fantastic year!

To all of you from all of us we wish you a very warm, friendly, delicious, happy Christmas and a prosperous, sparkling New Year!

See you all again in 2016!

Instead of Christmas gifts, this year we have made a donation to the scientists at the Swedish Cancer Society, who are trying to find a cure for cancer.
