SSL issue - Web reports

(imported topic written by SystemAdmin)

To enable SSL support for my web reports, I have followed the instructions as described in the technote, Setup for SSL on Tivoli Endpoint Manager Web Reports (http://www-01.ibm.com/support/docview.wss?uid=swg21505848).

But it is impossible to get it to work properly, even though I succeeded in configuring SSL for my SUA (Software Usage Analysis) reports.

In my case, I requested a certificate from a Certificate Authority, which in my case is GoDaddy. The company does not issue the certificate in PKCS12 format, but in a CRT format.

Does anyone have a workaround to convert the certificate into PKCS12 format?

When I check the following links, there are examples of how to convert the certificate format:

The Most Common OpenSSL Commands

  1. Convert the CRT format to pfx/p12

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

To get the CACert.crt, I downloaded it from:

Go Daddy Certificate Chain

https://certs.godaddy.com/anonymous/repository.seam

  2. Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

But, how do I convert the keyfile.pem described in the technote to the .key format?

There is something about different key formats at this page:

Key Formats PKCS#8 and PKCS#12 and Migration

(imported comment written by SystemAdmin)

The web reports work on port 52312 unencrypted, but as soon as SSL is turned on, the web reports pages do not show up.

I have also checked out a critical error in the system event log:

Windows 2008 Error: A fatal error occurred when attempting to access the SSL server credential private key

with a solution at this page:

The solution - Granting the Network Service Read permission on the certificate

but that does not seem to work either.

(imported comment written by cstoneba)

I found the SSL installation steps very confusing too, but I got ours to work with these steps. Hopefully they’ll help.

  1. Generate new CSR value using openssl

a. openssl req -nodes -newkey rsa:2048 -keyout your.key -out your.csr

  2. Order SSL cert from provider

  3. Download PKCS7 format from SSL provider (p7s file)

  4. openssl pkcs7 -print_certs -in name.p7s -out your.pem

  5. openssl pkcs12 -export -in your.pem -inkey your.key -out out.p12

  6. openssl pkcs12 -in out.p12 -out name.pem -nodes -clcerts

  7. Place PEM file in D:\SSL of WR server

  8. To enable SSL on WebReports

a. On the TEM web reports server, browse to HKLM\Software\BigFix\EnterpriseClient\Settings\Client

i. WebReports_HTTPServer_UseSSLFlag

  1. Set “value” to “1” to enable SSL

ii. _WebReports_HTTPServer_PortNumber

  1. Set “value” to “443”

iii. _WebReports_HTTPServer_PortNumber

  1. Set “value” to full path name to PEM file

  9. Restart service “BES Web Reports Server”

  10. Try to connect to https://url_of_bigfix_wr

(imported comment written by SystemAdmin)

Thanks!

The problem is not the process. It looks easy and straightforward when you have read the instructions a dozen times…

The problem is that GoDaddy does not give the customers any possibility to choose the correct format of the certificate.

The only format they provide is .crt, which is a kind of a .12 format, but not exactly the same.

So where is the bridge over to the .P12 format when the OpenSSL commands require the use of the privatekey.key format of the private key?

And when you figure out there are a lot of ways to convert the privatekey.pem to privatekey.key, because there are different standards, it becomes very interesting…

And even more interesting when the web report does not tell you anything about what is wrong, it does not write to the logs, the system log is empty…

The only thing you get is an empty page without any information about what is wrong.

But the same .pem certificate works with SUA reports, where you upload two files, the certificate and the private key, as separate files…

(imported comment written by SystemAdmin)

The following commands should allow you to convert a GoDaddy .crt certificate into PEM format:

openssl x509 -in input.crt -out input.der -outform DER

openssl x509 -in input.der -inform DER -out output.pem -outform PEM

(source: http://support.godaddy.com/groups/usability-methods/forum/topic/pem-ssl-creation-instructions/ )

The KeyFile will need to be converted to PEM format separately, and then appended to the certificate in the output.pem file. The following StackOverflow article may be helpful in getting the key into the right format:

Once you have a single file with the certificate followed by the private key, both in PEM format, the instructions under “Web Reports HTTPS Registry Settings” at http://www-01.ibm.com/support/docview.wss?uid=swg21505848 should work.

Hope this helps!

(imported comment written by SystemAdmin)

Thanks a lot!

But, the challenge is how to convert the keyfile.pem to become keyfile.key ???

I have found an article about:

Key Formats PKCS#8 and PKCS#12 and Migration

But which one should I use, PKCS#8 or PKCS#12, and which one of the recommended commands would work in this case?

(imported comment written by SystemAdmin)

To get the web reports to work with SSL certificates delivered by GoDaddy, there is a solution that works on a Windows 2008 R2 server.

Compared to the technote, Setup for SSL on Tivoli Endpoint Manager Web Reports, it is different at some crucial points. Because when I followed the technote I got an obscure error message that says:

Sun, 09 Dec 2012 03:44:19 -0800 – 1296 – Opening socket with IP address: ::

Sun, 09 Dec 2012 03:44:19 -0800 – 1296 – Can’t listen on address :: : system library; system lib; system lib (class SSL_CTX_use_certificate_chain_file_Failed)

Sun, 09 Dec 2012 03:44:19 -0800 – 1296 – No sockets were configured. Aborting.

When I checked the OpenSSL documentation, SSL_CTX_use_certificate(3), I recognized that it was maybe expecting information about the CA certificate. After some research and testing I have found a way of requesting a certificate from GoDaddy:

  1. Create a valid config file.

Follow the example in the tech note, with one exception:

Change the name of the default key file from keyfile.pem to “privatekey.key” to create a certificate with a private key

  2. Remove the password from the private key

Run the OpenSSL command as described in the tech note to remove the password

openssl rsa -in privatekey.key -out nopwdkey.key

  3. Upload the .csr file to the GoDaddy Certificate Authority (CA), or rekey your existing certificate

GoDaddy will then issue you a signed (browser-trusted) certificate for your server in CRT format.

  4. Download the CRT-formatted file for your site

DO NOT import it into any Microsoft default certificate handling facilities.

  5. Download the appropriate CA certificate in CRT format

GoDaddy repository

  6. Create a PKCS#12 (.pfx .p12) certificate that includes both a private key and the CA certificate

Run the following OpenSSL command (source: The Most Common OpenSSL Commands):

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in yoursitecertificate.crt -certfile GoDaddyCACert.crt

  7. Convert the certificate from the PKCS#12 file (.pfx .p12) to PEM format:

Run the following OpenSSL command (source: The Most Common OpenSSL Commands):

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

  8. Save the PEM file

This certificate should now include the public certificate, the CA certificate and the private key

  9. Store this file on your server

Refer to it when setting up your Web Reports Registry Keys

  10. Follow the tech note instructions about registry settings

NB! Make sure the name of the PEM certificate is included in the path to the certificate
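
A pre-flight check for the combined PEM file described in the posts above (server certificate, CA certificate and a private key without a password in one file), as an added example that is not part of the original thread or the technote. inspect_bundle reads the PEM labels, which identify the content whatever the file is called (.crt, .pem or .key), and try_load loads the file through Python's ssl module, which calls OpenSSL's SSL_CTX_use_certificate_chain_file, the call named in the error above. The function names and the sample data are assumptions constructed for illustration.

```python
import re
import ssl

# The BEGIN label says what a PEM block holds; the file extension does not.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_bundle(text):
    """Return (labels, findings) for the text of a combined certificate/key file."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if not blocks:
        return labels, ["no PEM blocks found (DER or PKCS#12 input?)"]
    findings = []
    certs = labels.count("CERTIFICATE")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if certs == 0:
        findings.append("no certificate in the file")
    elif certs == 1:
        findings.append("only one certificate: CA certificate not included")
    if len(keys) != 1:
        findings.append("expected exactly one private key, found %d" % len(keys))
    for label, body in keys:
        # PKCS#8 marks encryption in the label, the traditional format in a header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is still password protected")
    return labels, findings

def try_load(path):
    """Load certificate chain and key from one file through OpenSSL.
    Returns None on success, otherwise the error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path, password=lambda: "")  # never prompt for a passphrase
        return None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return str(exc)

# Constructed sample data: real PEM labels, placeholder bodies (not real keys or certs).
def _block(label, body="Q09OU1RSVUNURUQ="):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

SAMPLE_OK = _block("CERTIFICATE") * 2 + _block("RSA PRIVATE KEY")
SAMPLE_ENCRYPTED = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n\nQ09O")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, inspect_bundle(text))
```

On a real file, run inspect_bundle on its text first and try_load on its path second; try_load returning None means OpenSSL accepted the chain and confirmed that the key matches the first certificate.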