Thursday Jun 11, 2009

How to generate CSR with SHA1 (Signature Algorithm) with certutil in Web 6.1 SPx

If a security auditor asks you about an SSL certificate that uses MD5 as its Signature Algorithm (e.g. http://www.kb.cert.org/vuls/id/836068 ) in web server 6.1SPx, then you can upgrade to 6.1SP11, which defaults to SHA1 in the CSR, e.g.


    Signature Algorithm: sha1WithRSAEncryption

If you cannot upgrade to 6.1SP11 now, then you can create a new CSR with SHA1 with certutil -Z option.

e.g. I did an example with -Z below for your reference,

apple:/export/home/iws6.1sp7> ./bin/https/admin/bin/certutil -R -s "CN=hostname.domain.com,OU=Company,O=Company,L=Anytown,ST=New York,C=US" -a -o /tmp/testSHA1.csr -k rsa -g 2048 -v 12 -d /export/home/iws6.1sp7/alias -P https-apple-apple- -Z SHA1

(Note: you need to change -d and -P to match what you have at your site!)

Enter Password or Pin for "NSS Certificate DB": <password to your web server security DB>

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

apple:/export/home/iws6.1sp7> ls -l /tmp/testSHA1.csr

-rw-rw----   1 root     other       1247 May 26 13:57 /tmp/testSHA1.csr

apple:/export/home/iws6.1sp7> cat /tmp/testSHA1.csr

Certificate request generated by Netscape certutil

....

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
...............

OesYDTs6R/KTs6R9o/GX/07eAhMO7m+sBQhd4Q29WUu3mkWRqbVzn9CE

-----END NEW CERTIFICATE REQUEST-----

Then go to
http://www.ssldirect.com/ssltools/decode/csr/decode_csr_certificate_signing_request.html

to verify that it is SHA1 now,

......

Public Key Information
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)

Attributes
None
 

CSR Signature

Signature Algorithm: sha1WithRSAEncryption
(see, it is SHA1 instead of MD5)

If you do not add -Z SHA1 at the end, then it will be

Signature Algorithm: md5WithRSAEncryption *** instead
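A local alternative to the web decoder above, added here as an example (not code from the original post): it reads the signatureAlgorithm OID straight out of the PEM request, so the CSR never has to be pasted into a third-party site. SAMPLE_DER, to_pem and the function names are constructed for illustration; the same walk also works on a PEM certificate, which has the same outer layout.

```python
import base64
import re

SIG_OIDS = {  # PKCS #1 signature-algorithm OIDs relevant to the MD5 audit finding
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Constructed sample, not a real request: minimal CSR-shaped DER, sha1WithRSA OID.
SAMPLE_DER = bytes.fromhex("3018" "3003020100" "300d06092a864886f70d0101050500" "03020000")

def to_pem(der, label="NEW CERTIFICATE REQUEST"):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(text):
    """Name (or dotted OID) of the signatureAlgorithm in the first PEM block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = read_tlv(der, 0)                  # outer SEQUENCE
    _, _, info_end = read_tlv(der, start)             # skip certificationRequestInfo
    alg_tag, alg_start, _ = read_tlv(der, info_end)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a CSR-shaped DER structure")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

if __name__ == "__main__":
    print(signature_algorithm("header text from certutil\n" + to_pem(SAMPLE_DER)))
```

Public CAs stopped issuing SHA-1-signed certificates in 2016, so a present-day audit would look for sha256WithRSAEncryption here.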

Then you can submit this CSR (with SHA1) to a CA, e.g. Verisign to sign it.

After you install the new SSL certificate, you can check that it is OK.

e.g. I added the new SSL cert as "new dumpy cert1" below,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -d /export/home/iws6.1sp7/alias -P https-apple-apple-
1000year CT,,
myissuer Cu,Cu,Cu
Server-Cert u,u,u
new dumpy cert1 *** u,u,u

then I can examine the inside of this new SSL cert,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple-
Certificate:

Data:
Version: 3 (0x2)
Serial Number:
00:a7:a9:fa:ed:f9:50:f7:7d
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

or

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple- | grep -i SHA
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Fingerprint (SHA1):

see more at

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html


Tuesday Jul 08, 2008

Forgot SSL Database password in Sun Web server 6.1?

One common question is what to do when you have forgotten the SSL security database password in Sun Web server 6.1SPx (or your predecessor did not tell you it before he/she left the company, etc.). This is the password you will be asked for every time you want to start up the SSL-enabled web server instance in 6.1SPx,

e.g.

apple:/export/home/iws6.1sp9> https-apple.asia.sun.com/start
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
Please enter password for "internal" token:   <-- this is the security database password

Sorry, there is not much you can do in this case. You will need to re-initialize the security database with a new password, e.g. see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127 (6.1)

then you will need to request a new SSL certificate from the CA and so on, 

see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004981

A couple of options to prevent the above situation in the future:

1. Use a password.conf; see "Using password.conf" at

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127

Then you can see your own password, such as "internal:your_password", in the password.conf file in the config subdirectory of the server instance.

2. Use web server 7.0, which does not ask for this internal token password when you request the SSL cert (generate a CSR) or in the later steps (e.g. install the SSL cert, start up the SSL server).

(Important: Jyri has helped to point out in the comments to this posting that

"option #2 is only so because WS 7.0 allows you to have an empty password for the cert database if that's what you want. It's not that it can somehow bypass the password if one is set. If you do set the password on WS 7.0 (which may or may not be important to do, depending on the deployment scenario) and later forget it, you'll still have to start all over again with new keys & certificates.")

e.g. No password asked when I requested the SSL cert.

7.0 photo

After I installed the SSL cert, no password was asked when I started up the SSL web server instance,

apple:/export/home/iws7.0u3> https-apple.asia.sun.com/bin/startserv
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://apple.asia.sun.com:7032 ready to accept requests
info: CORE3274: successful server startup

So, this is another good reason to upgrade to web 7.0







Friday Jun 27, 2008

How to copy over a SSL server cert from web 6.1 SPx to new web 7.0x

When you migrate from web 6.1x to web 7.0x, the migration tool will help migrate your SSL server cert too.

In case this SSL migration fails and you need to do something quick to get it working again in the new web 7.0x, you can try the steps below.

E.g. in my env, I tested the below OK,

apple:/export/home/iws7.0u2/https-newconfig2/config> ls -lrt
total 332
-rw-------   1 root     other       2887 May 28 15:34 server.policy
-rw-------   1 root     other      32768 May 28 15:34 secmod.db
-rw-------   1 root     other       1442 May 28 15:34 obj.conf
-rw-------   1 root     other       9153 May 28 15:34 mime.types
-rw-------   1 root     other        150 May 28 15:34 magnus.conf
-rw-------   1 root     other        466 May 28 15:34 login.conf
-rw-------   1 root     other        160 May 28 15:34 keyfile
-rw-------   1 root     other      32768 May 28 15:34 key3.db
-rw-------   1 root     other        400 May 28 15:34 default.acl
-rw-------   1 root     other      14732 May 28 15:34 default-web.xml
-rw-------   1 root     other       1527 May 28 15:34 certmap.conf
-rw-------   1 root     other      65536 May 28 15:34 cert8.db
-rw-------   1 root     other       2111 May 28 15:34 server.xml

Before copying the 6.1SPx cert/key DBs over, I like to save a copy of the original cert/key DBs first,

    cp key3.db key3.db.org
    cp cert8.db cert8.db.org

then stop the web 7 server,

then copy over the 6.1SPx cert and key DBs,

apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-cert8.db /export/home/iws7.0u2/https-newconfig2/config/cert8.db
apple:/export/home/iws6.1sp9/alias> cp https-apple.asia.sun.com-apple-key3.db /export/home/iws7.0u2/https-newconfig2/config/key3.db

then check that the copy went OK (the checksums now differ from the saved originals),

apple:/export/home/iws7.0u2/https-newconfig2/config> cksum key3.db key3.db.org
2044823871      32768   key3.db
1868267322      32768   key3.db.org
apple:/export/home/iws7.0u2/https-newconfig2/config> cksum cert8.db cert8.db.org
1966527964      65536   cert8.db
1043770452      65536   cert8.db.org


Then restart the admin server of web 7.0x, and pretty much follow any Admin GUI suggestions to make the change.

E.g. go to the Admin GUI - you will see the warning that the config has changed,

e.g. Instance Configuration Modified - then click the upper right-hand side to Deploy config and pull changes from the server (so it will update the config-store and the instance too with the new changes, i.e. the cert and key DB files here),
then follow any Admin GUI warnings and do whatever else is needed, e.g.

Instance(s) Require Restart
apple.asia.sun.com: ADMIN3594: Configuration changes require a server restart.

Then the change in the key and cert DBs will be populated into the config store.

Then you will be asked to "Set Configuration Token Passwords" (if you have not yet done so)
before you can view the newly copied over SSL certs inside the   

Then you will see the new SSL cert imported OK.

Then you can go to enable SSL in the listen socket,
e.g. Admin GUI -

"
General
Name: http-listener-1
SSL: Enabled (to turn on SSL with the newly copied over 6.1SPx SSL cert)
Certificate:
RSA Certificates: (then choose e.g. Server-Cert)
"

Then deploy config and deploy the config change, then it can restart OK with SSL,

e.g. https://apple.asia.sun.com:7028/ will work with SSL now.



The other way is to do it at the certificate level with pk12util import and export; see Sun internal doc ID74681 at the sunsolve site,

Sun[TM] ONE Web Server: How to Use Certutil and pk12util to list and export certs

by Gregory Bedigian

Hope this helps customers to migrate SSL certs.

You can also use the above as a way to back up and later restore SSL certs in case of disk failure, file corruption, etc.



Monday Jun 02, 2008

why no core dump in my Sun SSL-enabled web server 6.1/7.0 after a crash ?

Sometimes we would like to capture the core dump file for Sun web server 6.1 or 7.0 after a crash for analysis. However, even after we have done the needed OS settings, e.g. ulimit -c unlimited, etc., we still cannot see the core dump file after a crash.

This article assumes you have checked the OS settings and are using SSL in the web instance, e.g.

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> ulimit -a
core file size (blocks)     unlimited
data seg size (kbytes)      unlimited
file size (blocks)          unlimited
open files                  256
pipe size (512 bytes)       10
stack size (kbytes)         8192
cpu time (seconds)          unlimited
max user processes          29995
virtual memory (kbytes)     unlimited

(The OS settings above look OK to dump core.)

It is useful to check a crash on a small running program, e.g.

sleep 60000 &
(then you can see the pid of the above background job)

then you can try to get a core dump by

kill -SEGV <pid of above sleep background job>

If it dumps out the core for the above sleep job OK, then your OS settings are OK.

However, if you still cannot see a core from our Sun web server 6.1/7.0 with SSL enabled, then read on.

If this is an SSL-enabled web instance, then the other possible reason is our security design to protect the core image (by default, cores are not dumped when SSL is enabled).

To enable core dumps in this case, you need to set SSL_DUMP=1,

e.g.

Before I added SSL_DUMP=1 to the start script, I used plimit to check the process limits.

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> ptree 14501
14501 ./webservd-wdog -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https
  14502 webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-appl
    14503 webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-ap

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> plimit 14503
14503:  webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-app
   resource              current         maximum
  time(seconds)         unlimited       unlimited
  file(blocks)          unlimited       unlimited
  data(kbytes)          unlimited       unlimited
  stack(kbytes)         8192            unlimited
  coredump(blocks)      0               0  *** see no core allowed
  nofiles(descriptors)  1024            1024
  vmemory(kbytes)       unlimited       unlimited

(there will be no core from above !)
(plimit is a good tool to see what is allowed in this process.)

Then please try adding "SSL_DUMP=1; export SSL_DUMP" to the start script of the web instance,

e.g.

#
# Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

SSL_DUMP=1
export SSL_DUMP


# Detect the Path and OS.
default_path="/bin:/usr/bin"
if [ -z "$PATH" ]
.......

then restart,

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> cat logs/pid
14576
apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> ptree 14576
14576 ./webservd-wdog -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https
  14577 webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-appl
    14578 webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-ap

to see the process coredump filesize allowed:

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> plimit 14578
14578:  webservd -r /export/home/iws6.1sp9 -d /export/home/iws6.1sp9/https-app
   resource              current         maximum
  time(seconds)         unlimited       unlimited
  file(blocks)          unlimited       unlimited
  data(kbytes)          unlimited       unlimited
  stack(kbytes)         8192            unlimited
  coredump(blocks)      unlimited       unlimited  *** now it is allowed to dump core after crash
  nofiles(descriptors)  1024            1024
  vmemory(kbytes)       unlimited       unlimited

then a test,

apple:/export/home/iws6.1sp9/https-apple.asia.sun.com/config> kill -SEGV 14578
apple:/export/home/iws6.1sp9/https-apple.asia.sun.com/config> ls -lrt
total 94166

-rw-------   1 root     other    48130312 May 28 10:50 core.webservd.14578

See, it is OK now.

You can also use plimit to check other process limits for other troubleshooting, e.g. nofiles(descriptors) not enough, etc. I think you can also set up new process limits with plimit.
Please refer to the plimit man page.

Walter

About

Wing-Yip Walter Lee
