| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| unable to add/update same root CA with extended expirin date |
« View previous topic :: View next topic » |
| Author |
Message
|
| freak |
 Posted: Tue Feb 24, 2015 12:48 am Post subject: unable to add/update same root CA with extended expirin date |
 |
|
Novice
Joined: 28 Feb 2010
Posts: 18
|
Hi all,
I am using websphere mq 7.1.0.201110191413 on win2008r2 64 bit.
I have a root CA cert that is expiring and i have difficulities in adding a new root CA cert. Note: this new root CA is the same copy as the expiring root CA cert with an extended expiring date.
In command prompt, i had executed the following command
C:\Program Files (x86)\IBM\WebSphere MQ\gskit8\bin>gsk8capicmd.exe -cert -add -db "D:\file\as01.kdb" -label asa -file "D:\file\newca.cer" -pw password
The following error is displayed in message box
"The program cant start because gsk8km.dll is missing from your computer. Try reinstalling the program to fix this problem."
I had also tried to add using IBM Key Management GUI > Signer Certificates > Add button > select .cer file > input label name (abc), it prompts "The public key of 'abc' is the same as the key of 'currentcalabel' in the target keystore. And when i try to delete the 'currentcalabel' it prompts "Error loading entry 'currentcalabel'.
Clicking on the detail button on the prompt, it shows this error:
Error Code:
23
Stack Trace:
com.ibm.gsk.ikeyman.error.KeyManagerException: java.security.KeyStoreException: java.lang.RuntimeException: Bad record encoding.
at com.ibm.gsk.ikeyman.keystore.EntryBagFactory$BasicKeyStoreBag.makeEntry(EntryBagFactory.java:500)
at com.ibm.gsk.ikeyman.keystore.EntryBagFactory$AbstractKeyStoreBag.getItem(EntryBagFactory.java:392)
at com.ibm.gsk.ikeyman.keystore.EntryBagFactory$CompoundEntryBag.getItem(EntryBagFactory.java:661)
at com.ibm.gsk.ikeyman.keystore.EntryBagFactory$AbstractEntryContainerBag.getItem(EntryBagFactory.java:197)
at com.ibm.gsk.ikeyman.keystore.EntryInterfaceFactory$CompoundEntryInterface.getItem(EntryInterfaceFactory.java:360)
at com.ibm.gsk.ikeyman.keystore.KeyStoreItemFactory$KeyStoreItemImpl.getEntries(KeyStoreItemFactory.java:721)
at com.ibm.gsk.ikeyman.keystore.KeyStoreItemFactory$KeyStoreItemImpl.getCertificates(KeyStoreItemFactory.java:756)
at com.ibm.gsk.ikeyman.keystore.KeyStoreItemFactory$KeyStoreItemImpl.getInfo(KeyStoreItemFactory.java:771)
at com.ibm.gsk.ikeyman.command.Command.fireKeyManagerEventDatabaseChanged(Command.java:136)
at com.ibm.gsk.ikeyman.command.CommandFactory$AbstractDeleteCommand.run(CommandFactory.java:278)
at com.ibm.gsk.ikeyman.command.Command.invoke(Command.java:198)
at com.ibm.gsk.ikeyman.command.gui.KeymanController$Invoker.invoke(KeymanController.java:261)
at com.ibm.gsk.ikeyman.command.gui.KeymanController.actionPerformed(KeymanController.java:94)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.fireActionPerformed(KeymanPanel.java:54)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.actionPerformed(KeymanPanel.java:48)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.fireActionPerformed(KeymanPanel.java:54)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.actionPerformed(KeymanPanel.java:48)
at com.ibm.gsk.ikeyman.gui.panels.ContentsPanel.actionPerformed(ContentsPanel.java:334)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.fireActionPerformed(KeymanPanel.java:54)
at com.ibm.gsk.ikeyman.gui.panels.KeymanPanel.actionPerformed(KeymanPanel.java:48)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2006)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2329)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:398)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:253)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:247)
at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:283)
at java.awt.Component.processMouseEvent(Component.java:6301)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3278)
at java.awt.Component.processEvent(Component.java:6066)
at java.awt.Container.processEvent(Container.java:2052)
at java.awt.Component.dispatchEventImpl(Component.java:4664)
at java.awt.Container.dispatchEventImpl(Container.java:2110)
at java.awt.Component.dispatchEvent(Component.java:4494)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4588)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4249)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4179)
at java.awt.Container.dispatchEventImpl(Container.java:2096)
at java.awt.Window.dispatchEventImpl(Window.java:2490)
at java.awt.Component.dispatchEvent(Component.java:4494)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:652)
at java.awt.EventQueue.access$000(EventQueue.java:95)
at java.awt.EventQueue$1.run(EventQueue.java:613)
at java.awt.EventQueue$1.run(EventQueue.java)
at java.security.AccessController.doPrivileged(AccessController.java:224)
at com.ibm.oti.security.CheckedAccessControlContext.securityCheck(CheckedAccessControlContext.java:30)
at com.ibm.oti.security.CheckedAccessControlContext.securityCheck(CheckedAccessControlContext.java:34)
at sun.misc.JavaSecurityAccessWrapper.doIntersectionPrivilege(JavaSecurityAccessWrapper.java:34)
at java.awt.EventQueue$2.run(EventQueue.java:626)
at java.awt.EventQueue$2.run(EventQueue.java:624)
at java.security.AccessController.doPrivileged(AccessController.java:224)
at com.ibm.oti.security.CheckedAccessControlContext.securityCheck(CheckedAccessControlContext.java:30)
at sun.misc.JavaSecurityAccessWrapper.doIntersectionPrivilege(JavaSecurityAccessWrapper.java:29)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:623)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:280)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:195)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:185)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:180)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:172)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:133)
Caused by: java.security.KeyStoreException: java.lang.RuntimeException: Bad record encoding.
at com.ibm.security.cmskeystore.CMSKeyStoreSpi.engineGetEntry(CMSKeyStoreSpi.java:1389)
at java.security.KeyStore.getEntry(KeyStore.java:441)
at com.ibm.gsk.ikeyman.keystore.EntryBagFactory$BasicKeyStoreBag.makeEntry(EntryBagFactory.java:487)
... 58 more
Caused by: java.lang.RuntimeException: Bad record encoding.
at com.ibm.security.cmskeystore.RecordEncodingFactory$RecordEncodingImpl.isTrusted(RecordEncodingFactory.java:257)
at com.ibm.security.cmskeystore.CMSKeyStoreSpi.engineGetEntry(CMSKeyStoreSpi.java:1382)
... 60 more
Had read thru the fixes for websphere mq 7.1 and there is any fixes for this.
If i were to delete the existing root CA and add in the new root CA, everything works.
I believe MQ should allow me to add on the new root CA without requiring me to delete the existing root CA.
Just wonder if anyone had encountered the same issue for this?b |
|
| Back to top |
|
 |
| zpat |
| Posted: Tue Feb 24, 2015 12:55 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
I would be surprised if it allowed two certs for the same root.
Doesn't make much sense to me to allow what you want. It's got to match a cert - not a range of them.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Feb 24, 2015 8:44 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Won't work. Even if the root CA has exactly the same DN, it's serial # is different and it's signed hash is likely to be different, as such it would not be recognized as being part of the chain.
Think if the top changes, everything it signed needs to change as well.
You either have to resign everything and re-import the public cert, or redo all the certs. In view of the effort you might just as well do the latter. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
