Creating an easy to deploy SSL certificate in PEM format

When ordering a secure certificate, most often one has to deal with the following files:

  • certificate key file (aka private key): .key
  • certificate request file: .csr
  • primary certificate file (issued by the CA): .crt
  • certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is necessary to configure 3 files: the key, the cert, and the trust chain. However, a little-known fact is that these can be combined in a “pem” file that holds all three. One may optionally include the trusted root certificate as well. Here is how:

  • download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
  • paste the entire body of each certificate one by one into one text file in the following order:
    • domain.key
    • domain.crt
    • sf_bundle.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The number of

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

sections depends on the length of the certificate trust chain.
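As an added example (not code from the original post), a small stdlib Python checker for the combined PEM file described above: it splits the file into its BEGIN/END blocks, confirms each body is base64-encoded DER, and checks the key-then-cert-then-chain order. The sample bundle it contains is constructed from a five-byte DER stub, not a real key or certificate.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

# Constructed stand-in for real key/certificate bodies: base64 of the five DER
# bytes 30 03 02 01 01 (a SEQUENCE holding INTEGER 1). Not a real key or cert.
_STUB = "MAMCAQE="


def pem_block(label, body=_STUB):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# A bundle in the order the post prescribes: key, server cert, one chain cert.
SAMPLE_BUNDLE = pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") * 2


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every block; raise ValueError on damage."""
    blocks = []
    for begin, body, end in _PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every DER structure starts with SEQUENCE
            raise ValueError(f"{begin} body is not DER")
        blocks.append((begin, der))
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("a BEGIN line has no matching END line (truncated paste?)")
    return blocks


def check_bundle(text):
    """Check the key / server cert / chain order; return (ok, message)."""
    labels = [label for label, _ in parse_pem_blocks(text)]
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        return False, "first block must be the private key"
    if labels[1:2] != ["CERTIFICATE"]:
        return False, "second block must be the server certificate"
    if any(label != "CERTIFICATE" for label in labels[2:]):
        return False, "only certificates may follow the server certificate"
    if len(labels) < 3:
        return False, "no intermediate (chain) certificate found"
    return True, f"key + server cert + {len(labels) - 2} chain cert(s)"
```

Run it over a real bundle with `check_bundle(open("domain.pem").read())`; it does not verify that the key and certificate actually match, which the `openssl ... -modulus` comparison later on this page does.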


Sametime 8.5.1 Deployment

To deploy a Sametime environment with multiple levels of licensing, you need multiple Sametime servers, one for each license version required (Entry, Standard, etc.). The Sametime wiki has a number of useful resources to plan out a complex Sametime deployment:

  • http://www-10.lotus.com/ldd/stwiki.nsf/page.xsp?documentId=6F6353B28F5FB51185257775007AC431&action=openDocument
  • http://www-10.lotus.com/ldd/stwiki.nsf/dx/1.3_Lotus_Sametime_product_family
  • http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Learning%20Center

And here are some documents that delve into the details:

  • http://www-10.lotus.com/ldd/stwiki.nsf/dx/Chapter_2._Planning_a_Sametime_8.5.1_deployment
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/plan/plan_topol_deploy.html

Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single-domain certificates are used. Hence, when you have a multi-domain UCC or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino Servers (mail, traveler, sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend working on a Linux or AIX machine with openssl installed. Assuming that you have the certificate key, the CA-issued certificate, and the certificate chain all in the same directory, you can run the following command to generate the p12 file:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend working on the Sametime server under Linux or AIX. In theory this should work, but in practice I found that version 7 of the gsk tools doesn’t seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add the last provider to the list:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

Remove the conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

Set the JAVA_HOME environment variable:

JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html

For more information about Domino Server solutions, visit our collaboration section.


Verifying SSL Certificates

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR


openssl req -noout -text -in [domain_name].csr

Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate


openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate


openssl x509 -fingerprint -noout -in [domain_name].crt

Without a digest option, current OpenSSL versions print the SHA-1 fingerprint; add -md5 or -sha256 to choose the digest explicitly.

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, you need to compare the MD5 outputs of the three commands below (this works for RSA keys; all three hashes must be identical):

openssl rsa -noout -modulus -in [domain_name].key |openssl md5
openssl req -noout -modulus -in [domain_name].csr |openssl md5
openssl x509 -noout -modulus -in [domain_name].crt |openssl md5


SMTP Server Testing with Authentication

Problem

You need to test manually an SMTP server that requires authentication.

Solution

In the session below, the lines you type at a DOS or Unix command line alternate with the responses from the server (the lines starting with a three-digit reply code).

telnet smtp-server.smtpdomain.com 25
Trying xxx.xxx.xxx.xxx…
Connected to smtp-server.smtpdomain.com.
Escape character is '^]'.
220 smtp-server.smtpdomain.com plus some other optional server greeting text

helo localhost
250 smtp-server.smtpdomain.com
auth login
You now need to enter your email and then your password, each encoded in BASE64 (the server prompts for each one with a 334 response). To encode them, use the HCI Data Encoder.
mail from: [email protected]
250 Sender accepted.
rcpt to: [email protected]
250 OK
data
354 End your message with a period.
Subject: test email

test content
.

250 Accepted message …
quit
221 Good bye.
Connection closed by foreign host.
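The same exchange as an added Python example, not part of the original post: a mock server reproduces the replies shown above plus the two 334 prompts that AUTH LOGIN uses, and the client performs the Base64 encoding that the post delegates to the HCI Data Encoder. The server name and the credentials are constructed for the demo.

```python
import base64
import socket
import threading

# Constructed credentials for the demo; the mock server accepts only this pair.
DEMO_USER, DEMO_PASS = "user@example.com", "s3cret"

def _mock_server(conn):
    """Server side of the post's session, with the AUTH LOGIN prompts added."""
    rd = conn.makefile("rb")
    conn.sendall(b"220 smtp-server.smtpdomain.com ESMTP\r\n")
    while True:
        line = rd.readline()
        if not line:
            break
        cmd = line.rstrip(b"\r\n").lower()
        if cmd.startswith(b"helo"):
            conn.sendall(b"250 smtp-server.smtpdomain.com\r\n")
        elif cmd == b"auth login":
            # The two 334 prompts carry "Username:" and "Password:" in base64.
            conn.sendall(b"334 " + base64.b64encode(b"Username:") + b"\r\n")
            user = base64.b64decode(rd.readline().strip()).decode()
            conn.sendall(b"334 " + base64.b64encode(b"Password:") + b"\r\n")
            password = base64.b64decode(rd.readline().strip()).decode()
            ok = (user, password) == (DEMO_USER, DEMO_PASS)
            conn.sendall(b"235 Authentication successful\r\n" if ok
                         else b"535 Authentication failed\r\n")
        elif cmd == b"quit":
            conn.sendall(b"221 Good bye.\r\n")
            break
        else:
            conn.sendall(b"503 Bad sequence of commands\r\n")
    conn.close()

def auth_login(user, password):
    """Send HELO, AUTH LOGIN and QUIT to the mock server; return the reply codes."""
    client, server = socket.socketpair()
    threading.Thread(target=_mock_server, args=(server,), daemon=True).start()
    rd = client.makefile("rb")
    codes = [rd.readline()[:3].decode()]  # 220 greeting
    # AUTH LOGIN sends the credentials base64-encoded; base64 is an encoding, not
    # encryption, so without STARTTLS they are readable by anyone on the path.
    for step in (b"helo localhost", b"auth login",
                 base64.b64encode(user.encode()),
                 base64.b64encode(password.encode()), b"quit"):
        client.sendall(step + b"\r\n")
        codes.append(rd.readline()[:3].decode())
    client.close()
    return codes
```

`auth_login(DEMO_USER, DEMO_PASS)` returns the reply codes 220, 250, 334, 334, 235, 221 in order; a wrong password yields 535 in place of 235.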


Java Shopping Cart and eCommerce Solutions

Java Shopping Cart Hosting

The need to host a shopping cart comes up on a regular basis. There are literally hundreds of very good solutions out there. Here is a list of carts that satisfy the following criteria:
– configurable
– customizable
– embeddable
– has a flexible API
– compatible with IBM DB2
– scalable
– reliable

With these requirements, Java EE is a good technology to settle on, hence the need to find Java Shopping Cart Hosting.

Java Shopping Cart Hosting – Ready to Go Solutions

The following products have been identified as viable solutions for Java Shopping Cart Hosting deployments:

  • http://www-01.ibm.com/software/genservers/commerce/express/
  • http://www.softslate.com/
  • http://ofbiz.apache.org/
  • http://www.shopizer.com/
  • http://www.jadasite.com/
  • http://www.openedit.org/
  • http://www.konakart.com/
  • http://www.avetti.com/
  • http://allbinary.appspot.com/Weblisket.jsp

Java Shopping Cart Hosting – Tutorials

There are also a couple of good tutorials we found that walk you through how to create a shopping cart from scratch and embed it into an existing application:

  • http://www.ibm.com/developerworks/library/j-ajax1/
  • http://www.tech-freaks.in/Java-Programming/JSP-Servlets/shopping-cart.html

Any of the above is supported in our Managed Hosting environment for a successful Java Shopping Cart Hosting deployment.


Migrating Data Between DB2 Servers

DB2 Support for Data Migration

When it is time to upgrade from DB2 on Intel to DB2 on Power for example, taking a backup/restore approach isn’t possible as DB2’s backups are platform dependent. The solution is to use a DB2 command called db2move.

Basics of db2move

db2move allows you to export data from DB2 at different levels of granularity. It also has a very simple syntax for exporting all of the data and structure of a database.

Example of db2move


su - db2inst1
mkdir /tmp/db2export
cd /tmp/db2export
db2move sample export

Where db2inst1 is the db2 instance owner, /tmp/db2export is where the DB2 data and structures are being exported, and sample is the database name.

For more DB2 Support hints, please visit our DB2 category.


Planning for Storage, Server, and Network Infrastructure

Questions to ask when planning storage and server infrastructure

Storage Requirements

  • What is our current storage environment? (What technology do we use? NetApp, EMC, HP, Hitachi, Compellent?)
  • What is our current amount of usable storage?
  • What is our current data in GB / TB? How much of that data is deemed critical as opposed to 2nd tier, or even archivable?
  • What growth increase are we seeing from year to year? (25%? 30%? 40%? More?)
  • Is this our largest variable IT cost within our overall budget?

Server Infrastructure

  • How many servers do we have within our overall Infrastructure environment?
  • What percentage is comprised of Power, Linux or “Wintel”?
  • Do we have a vendor standard? (HP, Dell, IBM?)
  • What is our overall server utilization (7%? 10%? 20%? 50%? More?)
  • Do we utilize virtualization in our server infrastructure environment?
  • If so, what percentage of our environment is virtualized?
  • What version / type of virtualization do we use?
  • Are we looking to do a server consolidation project to help us save on additional software maintenance and energy costs?

Network Infrastructure

  • Do we have (primarily) our own data center or do we store all of our equipment at a co-location / managed services location? (and if so, whom?)
  • What is our current network environment (Cisco? Avaya?)
  • Do we standardize on a vendor?
  • How old / new is our network environment?
  • What kind of connectivity do they have? (T1? T3? DS?)

Security Solutions

  • Do we have a set standard for our security environment?
  • Do we do quarterly security assessments? (PCI and/or FFIEC Assessments?) (Who do we use?)
  • Are there areas we need to improve?

Software Maintenance

Do we have a go-to partner we standardize on for software and hardware maintenance contracts?

Projects

  • What are our next three primary projects?
  • What is our IT budget?
  • What is our Calendar year? Jan – Dec? July – June? Etc.

For more information about planning for storage, servers, and network infrastructure, look at our data warehouse pages.


NetApp downgrade firmware

Downgrading firmware on a NetApp SAN

If you have just reclaimed a shelf from a NetApp SAN that you would like to use with an older head, you will notice that the drives are not recognized. This is due to the fact that Data ONTAP upgrades the drives automatically when you plug them into an updated shelf, but it won’t downgrade, or even correctly recognize, drives that come from a higher-level revision.

Downgrading drives while keeping the contents is actually impossible.

Actually downgrading the firmware on NetApp SAN drives

Chances are that you don’t really need to downgrade the firmware on the drives, and you can just skip to the next section.

If you are sure you need to downgrade the drives, here are the basic steps:

  • Get a linux box, with a qlogic HBA, and cables that can attach to the shelf that has the drives to downgrade
  • Make sure only the drives that you want to downgrade are in the shelf
  • Make sure the proper disk qualification package is on the filer (if not, download the Disk Qualification Package as a zip file from: http://now.netapp.com/NOW/download/tools/diskqual/ and extract it to the /etc directory of the NetApp)
  • Download all current disk firmware from http://now.netapp.com/NOW/download/tools/diskfw/
  • Get the right firmware for your disk (the new one you just downloaded, or an old one if you need to downgrade); the old firmware is already on the root volume of the NetApp
  • Use the proper firmware upgrade tool from your manufacturer to flash the firmware from the Linux box

Wiping labels on NetApp SAN drives

If you simply can’t get the old filer head to recognize the drives that have new labels, the only viable solution to get the drives to work is to reconnect the shelf to the newer filer head (the one running the newer firmware) and erase the labels there.

Erasing labels on NetApp SAN drives

  • Boot into maintenance mode (CTRL+C at boot and then Option 5)
  • list the drives: label summary
  • erase the labels: label wipe 4.23 where 4.23 is the drive number to wipe
  • exit maintenance mode: halt

Chances are that this will still not allow the older filer to see the drives properly. The next step always works: zero the drives.

Zeroing spares on NetApp filer

  • Boot into maintenance mode (CTRL+C at boot and then Option 5)
  • list the drives: label summary
  • force the drives to become spares: label makespare 4.23 where 4.23 is the drive number
  • exit maintenance mode and boot:
    > halt
    ok boot
  • zero the spare drives: drive zero spares
  • remove the shelf or the drives from the new filer, and you can now put them back into the old filer, as they will be recognized just fine.

For more information about our SAN support, look at NetApp SAN.