MQSeries.net Forum Index » WebSphere DataPower » sharedcert: directory
George Carey
Posted: Mon Jul 23, 2012 2:19 pm    Post subject: sharedcert: directory

Simple straight forward question:

Can the certs in the 'sharedcert:' directory on the XI50 device be copied off to external device for backup or other purposes??

That is it! If so, how?

Hoping for a better response than to my last question posed.

GTC
_________________
"Truth is ... grasping the virtually unconditioned",
Bernard F. Lonergan S.J.
(from book titled "Insight" subtitled "A Study of Human Understanding")
rekarm01
Posted: Wed Jul 25, 2012 1:13 am    Post subject: Re: sharedcert: directory

George Carey wrote:
Can the certs in the 'sharedcert:' directory on the XI50 device be copied off to external device for backup or other purposes??

Yes.
George Carey
Posted: Wed Jul 25, 2012 1:13 pm    Post subject: really!

I wish it were so!

IBM support says one cannot!

If you say one can then can you describe how?

GTC
mqjeff
Posted: Wed Jul 25, 2012 1:26 pm    Post subject: Re: really!

George Carey wrote:
I wish it were so!

IBM support says one cannot!

If you say one can then can you describe how?

GTC


His "yes" was a link...

Quote:

Exporting keys and certificates

Use the Export Crypto Objects tab of the Crypto Tools screen to export key and certificate objects.
George Carey
Posted: Wed Jul 25, 2012 3:30 pm    Post subject: HSM

Missed the link, link.

Ok, from that doco:

Quote:
On the source appliance, the appliance from which the private key is copied, you can export keys. You can export private keys on only HSM-equipped DataPower® appliances. Private keys exported from Type 9235 appliances cannot be imported on to a Type 7199 appliance. Likewise, private keys exported from Type 7199 appliances cannot be imported on to a Type 9235 appliance.


If I exported keys with a 9235 (can only do it once!), would one not expect to be able to import them onto another 9235 subsequently? How?!

Also the docu says that you can only export private keys if you have an HSM device ... so if one can export these keys one would assume one has an HSM. Unless exporting is different from the one-time externalizing of the key set, namely priv key, ss-priv key, and csr, into the temporary directory.

These externalized files are text files saying 'Begin Private Key ... End Private Key' and 'Begin Certificate ... End Certificate'. The Certificate works fine but the private key gives a 'format is not known' error! Can it be converted to a known format to be used (e.g. pem, der, etc.)??? That is the question/issue!

P.S. the certs were initially CSRs and converted by CA to Certs.
rekarm01
Posted: Thu Jul 26, 2012 2:02 am    Post subject: Re: HSM

Maybe it's not so simple and straightforward a question. How to export public certificates and how to export private keys are two different questions.

DataPower offers the option to export keys, CSRs, and certificates, when generating them, and HSM-equipped appliances also offer the option to mark private keys exportable at a later time, as explained here. Any files are exported to the temporary directory, and will not survive the next reboot.

For HSM-equipped appliances, DataPower can later export Crypto Key objects, which contain a private key (encrypted with an HSM key-wrapping-key), and import them to a similar HSM-equipped appliance, as explained here.

Any DataPower appliance can later export Crypto Certificate objects, which contain a public certificate, and import them to any other appliance. The exported file should look something like:

Code:
<?xml version="1.0" encoding="utf-8"?>
<crypto-export version="1">
  <certificate version="1">MIIFqT ... WZSA==</certificate>
</crypto-export>

The contents of the <certificate> element is a Base64-encoded DER certificate, and can also be copy-pasted directly into a file, for backup or other purposes.

George Carey wrote:
These externalized files are text files saying 'Begin Private Key ... End Private key' and 'Begin Certificate... End Certificate', Certificate works fine but the private keys gives a 'format is not known' error!'

Private keys are not directly viewable. They need to be accessed through a Crypto Key object, which needs to provide the password used to encrypt the private key.

George Carey wrote:
P.S. the certs were initially CSRs and converted by CA to Certs.

All certificates were initially CSRs, (except for self-signed certificates).
George Carey
Posted: Thu Jul 26, 2012 9:13 am    Post subject: Terms

Different understanding of terms/definitions is the root of all confusion.

The typical understanding one (I at least) has for key is the following, along with other terms and definitions I have for PKI infrastructure objects.

A Key=(private key) the public never should see it
public key=(asymmetric key counterpart to the private key)
Keys=(public or private) in usage KEY typically means private-key
CSR=(public key + other ID info)
Cert=(CSR) signed by a CA
SSCert=(CSR) signed by self
Certs=(public keys) signed by self or a CA

Signed=(encrypting an object or part of an object by a private key)

HSM or not if the Crypto Tools screen gives the options to:

Export Private Key on or off and one selects on and the files created are:

myname.privkey.pem, myname.sscert.pem, myname.csr.pem and they are all
base64 Hex coded text files that can be cut and pasted to an external text
file, then one would think this externalized private key could be used subsequently on another 9235 if it came from a 9235. Just as the Certs can be. Otherwise what is the point of allowing the key(private-key) to be externalized??

GTC
P.S. Thanks for your feedback, also I have read your linked sections but my question remains.
mqjeff
Posted: Thu Jul 26, 2012 9:36 am

I don't think it's a confusion of terms, I think it's a confusion of intent.

What are you intending to do with this "key" after you have exported it?

Use it as the full and primary identity of some entity other than the DP box that you exported it from?

Then you need the private key, and the password to the private key stash. And you should rigorously control how and by whom the exported files are moved, transported, stored, and handled.

Use it to assert and validate the identity of the DP box you exported it from?

Then you only need the public cert.
George Carey
Posted: Thu Jul 26, 2012 11:53 am    Post subject: A key backup

Basic reasons.
1.) To reuse on the same DP box if it was inadvertently deleted - just put it back on from your external location. Which is not a formal keystore. Just a backup location.
2.) So as not to have to pay for multiple Certs. If all your DPs perform the same task, like a digital signature, one does not need a Cert for each DP but just one for the site. Only need to pay for one, not N. Can put the same Key pairs on all DPs.

Can't do either if you can't bring the Private Key back to a DP box and use as a private key.

Again, why is the 'Export private key on off' option there ?

Looking for answer to straight forward question again. Can the externalized private key (the Base64 Hex text file) be used as a private key or not on a DataPower (same or others)?
fjb_saper
Posted: Thu Jul 26, 2012 12:04 pm

I believe the whole point of the story here is that you would not want to move a private key by itself, but you would want to move the keystore (/crypto object) containing the private key and the corresponding signed cert.... Now that may lead to the need of a format translation like say from jks to pkcs12 etc... Should be possible with Crypto Tools or OpenSSL.

Have fun
_________________
MQ & Broker admin
George Carey
Posted: Thu Jul 26, 2012 4:26 pm    Post subject: seems to work

It may be a matter of getting the encryption password for private key.

I have tried several cases using a private key and sscert from a DataPower Crypto Tool key generation screen. The Crypto Identification Credentials built from the generated Key (private-key) and corresponding Cert (sscert) work just fine. Copying them off two different ways, opening on DP and cut-and-pasting to an external disk file, and doing a right-click on the filename and then a save-target-as, also works just fine.
By which I mean when copying them back and creating a new Crypto Id-Cred they work fine, no barking about the 'key format is not known' or 'Key password may not be correct' error. It looks like a proper 'password' may be the issue ...(s@#&?t).

My next question is likely to be ... can the private key be exported more than once if one has an HSM? This may not help either. Will be doing some reading.
rekarm01
Posted: Thu Jul 26, 2012 5:06 pm    Post subject: Re: Terms

George Carey wrote:
... if the Crypto Tools [Generate Key] screen gives the options to:
Export Private Key on or off and one selects on and the files created are:
myname.privkey.pem, myname.sscert.pem, myname.csr.pem and they are all base64 Hex coded text files ...

Yes, any other DataPower appliance can import the exported myname.privkey.pem file, as-is, and use it as a private key. But if a Crypto Key object wrapper fails to use the correct password to decrypt the imported private key, then it would encounter a "File is not in a known format" error.
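An added, stdlib-only Python helper for the backup question in this thread (my example, not rekarm01's and not DataPower's own code): it pulls the Base64 DER out of a crypto-export file like the one rekarm01 posted earlier, sanity-checks it as one DER SEQUENCE, rewraps it as PEM and prints a fingerprint to compare against the certificate still on the appliance, and, for the password problem in this last reply, checks whether an exported privkey.pem is encrypted and so needs the Crypto Key object's password. It assumes the crypto-export layout matches the posted sample and that privkey.pem uses standard PEM armour; the sample export below is constructed, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def certs_from_crypto_export(xml_text):
    """Return the Base64 DER blob of every <certificate> element in a crypto-export file."""
    root = ET.fromstring(xml_text)
    if root.tag != "crypto-export":
        raise ValueError("not a crypto-export document")
    return ["".join(e.text.split()) for e in root.iter("certificate") if e.text]

def der_is_sequence(der):
    """Sanity check before trusting a backup: one outer DER SEQUENCE whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        body, hdr = first, 2
    else:                                 # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + body == len(der)

def to_pem(b64, label="CERTIFICATE"):
    """Rewrap the Base64 DER from the XML as a PEM file (64-char lines) that openssl and other appliances accept."""
    der = base64.b64decode("".join(b64.split()), validate=True)
    if not der_is_sequence(der):
        raise ValueError("decoded data is not a DER SEQUENCE")
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def sha256_fingerprint(b64):
    """Colon-separated SHA-256 of the DER, to compare with the certificate on the appliance."""
    digest = hashlib.sha256(base64.b64decode("".join(b64.split()))).digest()
    return ":".join("%02X" % b for b in digest)

def pem_key_needs_password(pem_text):
    """True when a privkey.pem is encrypted (PKCS#8 or traditional PEM): the Crypto Key object must supply the password."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text

# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_EXPORT = ('<?xml version="1.0" encoding="utf-8"?>\n<crypto-export version="1">\n'
                 '  <certificate version="1">%s</certificate>\n</crypto-export>\n'
                 % base64.b64encode(SAMPLE_DER).decode())
```

Run it against a real export by reading the file into `certs_from_crypto_export` and writing each `to_pem` result to its own file; a mismatch in `sha256_fingerprint` against the appliance means the backup was truncated or altered.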
George Carey
Posted: Fri Jul 27, 2012 8:50 am    Post subject: Issue Fixed

Yup, got the correct password and all is working.

Thanks for the feedback all.

GTC