Ugly GSKit bug wipes out your certs
T.Rob
Posted: Wed Mar 25, 2015 10:04 am Post subject: Ugly GSKit bug wipes out your certs
Recently while working on my CA-Signed Cert Management tutorial I discovered a bug in GSKit that can cause it to wipe out the keystore and all certs within it. IBM has taken this as a high-priority defect and is working on a fix. In the meantime I'm providing a description of the problem so that you can take pains to avoid it. In any case, it's a good idea to take a copy of the KDB before doing major work on it.
Recreate the problem:
Start with a populated KDB. Generally if you forget the syntax of the runmqakm command you can just type what you know and it produces an appropriate usage dialog. In the case of the "convert" command, giving it a partial command string wiped out the kdb! The issue is recreated below.
The "-populate" parm fills the KDB with all the signer certs that IBM provides so the file sizes of 88 bytes after the command are impossible if the keystore is intact. Now imagine that instead of executing the command on a newly populated keystore you did this to one containing CA-signed personal certificates, perhaps ones that you'd paid good money for. The use cases for this command are when you have a KDB and need the JKS, for example to use when the Java components in your MFT agent, IIB Workflow, WAS, etc. share certs with a C-code component on the same server. A lesser use case but still inconvenient is converting between a KDB and a JKS for your personal use as a developer or admin, or with monitoring and instrumentation.
Code:
[mqm@rhel6base ssl]$ runmqakm -keydb -create -populate -db key.kdb -pw passw0rd -stash
[mqm@rhel6base ssl]$ runmqakm -keydb -convert -db key.kdb -stashed
CTGSK3046W The key file "key.kdb" could not be imported.
-Command usage-
-db Required
-pw | -stashed Optional
-old_format | -type Optional <cms | kdb | pkcs12 | p12>
-new_db | -target Optional
-new_pw Optional
-new_format Optional <cms | kdb | pkcs12 | p12>
-preserve | -populate Optional
-expire Optional
-strong Optional
-stash Optional
[mqm@rhel6base ssl]$ ll
total 16
-rw-------. 1 mqm mqm 88 Mar 6 16:31 k3387814256774611.crl
-rw-------. 1 mqm mqm 88 Mar 6 16:31 k3387814256774611.rdb
-rw-------. 1 mqm mqm 88 Mar 6 16:31 k3387814256774611.tmp
I'm expecting to hear back from IBM as to details of the fix. I plan to post those here, on the Listserv and on my blog. If you'd like a notification when this info is available, watch this thread or use the "Subscribe" button in the right Navigation column at https://t-rob.net.
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
mqjeff
Posted: Wed Mar 25, 2015 10:31 am Post subject:
Does it exhibit the same behavior if you don't specify either -stashed or -pw?
T.Rob
Posted: Wed Mar 25, 2015 11:39 am Post subject:
mqjeff wrote:
Does it exhibit the same behavior if you don't specify either -stashed or -pw?
No. The command is apparently syntactically correct since the default output files have the same name as the input. If you supply -pw the KDB is converted to a new KDB of the same name and the stash file is deleted. If you leave both -pw and -stashed off, you are prompted for a password.
Code:
[mqm@rhel6base Desktop]$ runmqakm -keydb -create -populate -db key.kdb -pw passw0rd -stash
[mqm@rhel6base Desktop]$ ll
total 132
-rw-------. 1 mqm mqm 88 Mar 25 15:33 key.crl
-rw-------. 1 mqm mqm 120088 Mar 25 15:33 key.kdb
-rw-------. 1 mqm mqm 88 Mar 25 15:33 key.rdb
-rw-------. 1 mqm mqm 129 Mar 25 15:33 key.sth
[mqm@rhel6base Desktop]$ runmqakm -keydb -convert -db key.kdb -pw passw0rd
[mqm@rhel6base Desktop]$ ll
total 128
-rw-------. 1 mqm mqm 88 Mar 25 15:33 key.crl
-rw-------. 1 mqm mqm 120088 Mar 25 15:33 key.kdb
-rw-------. 1 mqm mqm 88 Mar 25 15:33 key.rdb
[mqm@rhel6base Desktop]$ rm key*
[mqm@rhel6base Desktop]$ ll
total 0
[mqm@rhel6base Desktop]$ runmqakm -keydb -create -populate -db key.kdb -pw passw0rd -stash
[mqm@rhel6base Desktop]$ runmqakm -keydb -convert -db key.kdb
Source database password :
[mqm@rhel6base Desktop]$ ll
total 128
-rw-------. 1 mqm mqm 88 Mar 25 15:35 key.crl
-rw-------. 1 mqm mqm 120088 Mar 25 15:35 key.kdb
-rw-------. 1 mqm mqm 88 Mar 25 15:35 key.rdb
[mqm@rhel6base Desktop]$
mqjeff
Posted: Wed Mar 25, 2015 11:54 am Post subject:
So it's only when trying to use -stashed to access the kdb, which you are otherwise doing nothing with, that it deletes the kdb.
Interesting.
fjb_saper
Posted: Wed Mar 25, 2015 1:34 pm Post subject:
Interesting, no problem either for me.
When I want the syntax I ALWAYS add -? at the end. This makes sure that the command does not yet try to execute...
So no problem with the -? added... a good workaround, I think...
At 8.0.0.2, without the -?, it created a bunch of files starting with k... something for crl, rdb, tmp, but left the original mydb.* files intact (in particular mydb.kdb), and only the crl, rdb, tmp have a length of 88, which they had before... so yes, the stash file is gone... but the kdb is there with the original size...
This might be particular to the fact that your keydb has the default name key.kdb. None of my key db files has that name.
_________________
MQ & Broker admin
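The thread's two practical takeaways are to copy the KDB family before any major runmqakm operation and to append -? when you only want the usage text. The following is an added illustration of the first point, not code from the thread, IBM or any of the posters: a POSIX sh wrapper that snapshots key.kdb/.sth/.rdb/.crl, runs the supplied runmqakm command line, and restores the snapshot if the key database is afterwards missing or no larger than the 88-byte stubs reported above. It assumes a keystore path passed without extension (e.g. /var/mqm/ssl/key) and that any intact KDB exceeds 88 bytes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): guard a runmqakm invocation by
# snapshotting the keystore family first and verifying the KDB survived.
# Assumes BASE is the keystore path without extension, e.g. /var/mqm/ssl/key,
# and that an intact key database is larger than the 88-byte stubs seen above.

# Copy BASE.kdb/.sth/.rdb/.crl into a timestamped directory beside them;
# print the directory name so the caller can restore from it.
backup_kdb() {
    base="$1"
    dest="${base}.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1
    for ext in kdb sth rdb crl; do
        [ -f "$base.$ext" ] && cp -p "$base.$ext" "$dest/"
    done
    printf '%s\n' "$dest"
}

# Succeed only if BASE.kdb exists and is bigger than an 88-byte stub.
kdb_intact() {
    kdb="$1.kdb"
    [ -f "$kdb" ] || return 1
    size=$(wc -c < "$kdb" | tr -d ' ')
    [ "$size" -gt 88 ]
}

# Usage: safe_runmqakm BASE runmqakm -keydb -convert -db BASE.kdb -stashed
# (append -? to the runmqakm command when you only want its usage text).
# Returns the command's exit status, or 2 if the KDB had to be restored.
safe_runmqakm() {
    base="$1"; shift
    snap=$(backup_kdb "$base") || return 1
    if "$@"; then rc=0; else rc=$?; fi
    if ! kdb_intact "$base"; then
        echo "$base.kdb missing or truncated; restoring from $snap" >&2
        cp -p "$snap"/* "$(dirname "$base")/"
        return 2
    fi
    return "$rc"
}
```

The snapshot directory is left in place after a successful run so the previous state can still be compared or restored by hand.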