Tuesday Jul 08, 2008

Forgot SSL Database password in Sun Web server 6.1?

One common question is what to do when you have forgotten the SSL security database password of a Sun Web Server 6.1SPx instance (or your predecessor left the company without handing it over, etc.). This is the password you are prompted for every time you start an SSL-enabled web server instance in 6.1SPx,

e.g.

apple:/export/home/iws6.1sp9> https-apple.asia.sun.com/start
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
Please enter password for "internal" token:   <-- this is the security database password

Sorry, there is not much you can do in this case. You will need to re-initialize the security database with a new password; see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127 (6.1)

Then you will need to request a new SSL certificate from the CA, and so on; see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004981

A couple of options to prevent this situation in the future:

1. Use a password.conf file; see "Using password.conf" at

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127

The file lives in the config subdirectory of the server instance, and you can read your own password there, one line per token, such as

"internal:your_password"

2. Use Web Server 7.0, which does not ask for this internal token password when you request the SSL cert (generate a CSR) or in the later steps (e.g. installing the SSL cert, starting the SSL server).

(Important: Jyri pointed out in the comments on this posting that

"option #2 is only so because WS 7.0 allows you to have an empty password for the cert database if that's what you want. It's not that it can somehow bypass the password if one is set. If you do set the password on WS 7.0 (which may or may not be important to do, depending on the deployment scenario) and later forget it, you'll still have to start all over again with new keys and certificates.")

e.g. no password was asked when I requested the SSL cert.

(screenshot of the 7.0 admin GUI certificate request)

After I installed the SSL cert, no password was asked when I started up the SSL web server instance:

apple:/export/home/iws7.0u3> https-apple.asia.sun.com/bin/startserv
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://apple.asia.sun.com:7032 ready to accept requests
info: CORE3274: successful server startup

So this is another good reason to upgrade to Web Server 7.0.
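For option 1 above, here is an added example (my own script, not code from the original post or from Sun) that writes the password.conf file the post describes and checks that it is usable and protected, since it holds the token password in clear text. It assumes the layout the post names, <instance>/config/password.conf with an "internal:<password>" line; the directory paths and the sample password are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Writes the password.conf of
# option 1 and verifies it: the file must exist, be owner-only (rw-------)
# and carry a non-empty "internal:" entry. Assumed layout:
# <instance>/config/password.conf, as described in the post.

# write_password_conf <config_dir> <token_password>
# Create the file with owner-only permissions from the start (umask in a
# subshell so the caller's umask is untouched), then pin the mode to 0600.
write_password_conf() {
    ( umask 077 && printf 'internal:%s\n' "$2" > "$1/password.conf" ) || return 1
    chmod 600 "$1/password.conf"
}

# check_password_conf <config_dir>
# Return 0 when password.conf exists, is mode rw------- and has a non-empty
# "internal:" entry; otherwise say why on stderr and return 1.
check_password_conf() {
    f="$1/password.conf"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # ls -l is portable where stat's flags are not; columns 2-10 are the mode bits.
    mode=$(ls -ld "$f" | cut -c2-10)
    [ "$mode" = "rw-------" ] || { echo "$f has mode $mode, want rw-------" >&2; return 1; }
    pw=$(sed -n 's/^internal://p' "$f")
    [ -n "$pw" ] || { echo "$f has no internal: entry" >&2; return 1; }
}
```

The check is cheap enough to run before every instance start (or from cron): a password.conf that a later admin has made world-readable defeats the point of protecting the key database with a password in the first place.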

Friday Jun 27, 2008

How to copy over an SSL server cert from web 6.1 SPx to new web 7.0x

When you migrate from Web Server 6.1x to 7.0x, the migration tool migrates your SSL server cert too.

In case that SSL migration fails and you need something quick to get it working again in the new 7.0x, you can try the steps below.

e.g. in my environment, I tested the following OK:

apple:/export/home/iws7.0u2/https-newconfig2/config> ls -lrt
total 332
-rw-------   1 root     other       2887 May 28 15:34 server.policy
-rw-------   1 root     other      32768 May 28 15:34 secmod.db
-rw-------   1 root     other       1442 May 28 15:34 obj.conf
-rw-------   1 root     other       9153 May 28 15:34 mime.types
-rw-------   1 root     other        150 May 28 15:34 magnus.conf
-rw-------   1 root     other        466 May 28 15:34 login.conf
-rw-------   1 root     other        160 May 28 15:34 keyfile
-rw-------   1 root     other      32768 May 28 15:34 key3.db
-rw-------   1 root     other        400 May 28 15:34 default.acl
-rw-------   1 root     other      14732 May 28 15:34 default-web.xml
-rw-------   1 root     other       1527 May 28 15:34 certmap.conf
-rw-------   1 root     other      65536 May 28 15:34 cert8.db
-rw-------   1 root     other       2111 May 28 15:34 server.xml

Before I copied the 6.1SPx cert/key DBs over, I saved a copy of the original cert/key DBs, then stopped Web Server 7, then copied them over.

cp key3.db key3.db.org
cp cert8.db cert8.db.org

then stop the Web Server 7 instance, then copy over the 6.1SPx cert/key DBs:

apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-cert8.db /export/home/iws7.0u2/https-newconfig2/config/cert8.db
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-key3.db /export/home/iws7.0u2/https-newconfig2/config/key3.db

then check that the copies are in place (the checksums differ from the saved originals):

apple:/export/home/iws7.0u2/https-newconfig2/config> cksum key3.db key3.db.org
2044823871      32768   key3.db
1868267322      32768   key3.db.org
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum cert8.db cert8.db.org
1966527964      65536   cert8.db
1043770452      65536   cert8.db.org


then restart the admin server of Web Server 7.0x and follow the Admin GUI suggestions to pick up the change.

e.g. in the Admin GUI you will see the warning that the configuration has changed:

"Instance Configuration Modified" - then click, at the upper right-hand side, "Deploy config and pull changes from server" (this updates the config store and the instance with the new changes, i.e. the cert and key DB files here). Then follow any further Admin GUI warnings and do whatever else is needed, e.g.

Instance(s) Require Restart
apple.asia.sun.com: ADMIN3594: Configuration changes require a server restart.

The change in the key and cert DBs is then populated into the config store.

You will then be asked to "Set Configuration Token Passwords" (if you have not yet done so) before you can view the newly copied SSL certs inside the

then you will see the new SSL cert imported OK.

Then you can enable SSL on the listen socket, e.g. in the Admin GUI:

"
General
Name: http-listener-1
SSL: Enabled (to turn on SSL with the newly copied 6.1SPx SSL cert)
Certificate:
RSA Certificates: (then choose e.g. Server-Cert)
"

Then deploy the configuration change and restart the instance; it comes up with SSL OK.

e.g. https://apple.asia.sun.com:7028/ will now work over SSL.



The other way is to do it at the certificate level, with pk12util export and import; see Sun internal doc ID74681 at the sunsolve site,

Sun[TM] ONE Web Server: How to Use Certutil and pk12util to list and export certs

by Gregory Bedigian

Hope this helps you to migrate SSL certs.

You can also use the above as a way to back up and later restore SSL certs in case of disk failure, file corruption, etc.
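As an added example (my own script, not code from the original post or from Sun), here is the copy-and-cksum procedure above made repeatable, covering both the 6.1-to-7.0 copy and the backup/restore use just mentioned. It assumes the 7.0 layout shown in the listing (<instance>/config/cert8.db and key3.db) and the 6.1 alias naming used in the cp commands (<alias>/<prefix>-cert8.db and <alias>/<prefix>-key3.db); the backup directory name nss-backup and the file contents in any test are constructed. Stop the 7.0 instance before calling import_61_db, as the post does.

```sh
#!/bin/sh
# Added example, not from the original post. Copies the NSS cert/key DBs
# and verifies every copy with cksum, the way the post does by hand.
# Assumed layout: 7.0 <config_dir>/cert8.db, key3.db; 6.1 <alias_dir>/<prefix>-cert8.db etc.

DB_FILES="cert8.db key3.db"

# Print only the CRC field of cksum (its output is "<crc> <bytes> <name>").
crc_of() { cksum "$1" | awk '{ print $1 }'; }

# copy_verified <src_file> <dst_file>
# Copy, then confirm the copy has the same cksum as the source.
# Returns 1 if the source is missing, the copy fails, or the CRCs differ.
copy_verified() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    cp -p "$1" "$2" || return 1
    [ "$(crc_of "$1")" = "$(crc_of "$2")" ] || { echo "cksum mismatch: $2" >&2; return 1; }
}

# backup_nss_db <config_dir> <backup_dir>
# Save cert8.db/key3.db into an owner-only directory (the key DB is sensitive).
backup_nss_db() {
    { mkdir -p "$2" && chmod 700 "$2"; } || return 1
    for f in $DB_FILES; do
        copy_verified "$1/$f" "$2/$f" || return 1
    done
}

# restore_nss_db <backup_dir> <config_dir>
# Put a saved pair of DB files back in place (instance stopped first).
restore_nss_db() {
    for f in $DB_FILES; do
        copy_verified "$1/$f" "$2/$f" || return 1
    done
}

# import_61_db <alias_dir> <prefix> <config_dir>
# Back up the current 7.0 DBs to <config_dir>/nss-backup (constructed name),
# then copy the 6.1 files over under their 7.0 names. Refuses to touch
# anything if either 6.1 source file is absent.
import_61_db() {
    alias_dir="$1"; prefix="$2"; cfg="$3"
    for f in $DB_FILES; do
        [ -f "$alias_dir/$prefix-$f" ] || { echo "missing: $alias_dir/$prefix-$f" >&2; return 1; }
    done
    backup_nss_db "$cfg" "$cfg/nss-backup" || return 1
    for f in $DB_FILES; do
        copy_verified "$alias_dir/$prefix-$f" "$cfg/$f" || return 1
    done
}
```

For the post's example the call would be import_61_db /export/home/iws6.1sp9/alias https-apple.asia.sun.com-apple /export/home/iws7.0u2/https-newconfig2/config, after which the Admin GUI steps above still apply. The cksum comparison catches the failure mode a plain cp hides, a short or partially written copy on a full or flaky disk, which is exactly the case where you would otherwise only find out when the instance refuses to start.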



About

Wing-Yip Walter Lee
