2012년 9월 16일 일요일

WebSphere Plugin 의 key 파일 관련 이슈


For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to determine if the password being used on your system expires on April 26, 2012. This command is located in your [gsk_root]/bin directory.

gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS

The resulting output indicates the expiration date for the password: For example, the following output indicates that the password expires on April 26, 2012 at 11:20:31 AM EDT:

Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time

Issue a gsk7 command, similar to the following command, to change the password that is expiring:

gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin
-key.kdb 

If you want to the new password to expire after a specific number of days, add -expire to the gsk7capicmd command line and specify the number of days for which you want the new password to be valid.

Note 1: IMPORTANT: Setting the -expire parameter to 0 means that the password associated with the key database does not expire.

Note 2: GSKit versions prior to 7.0.3.17 do not recognize the -expire parameter. If you are using one of these prior GSKit versions, you must upgrade to the latest GSKit 7.0.4.x version.


Note 3: There is a behavior difference between GSKit 7.0.3.x and 7.0.4.x when using these commands. Leaving the -expire off when using GSKit 7.0.4 results in a password that never expires. Leaving the -expire off when using GSKit versions prior to 7.0.3.17 results in a password expiring in one year. Leaving the -expire off when using GSKit versions equal to and later than 7.0.3.17 results in a password that never expires.

Note 4: GSKit Versions 7.0.3.9 and earlier do not recognize the -new_pw parameter. Instead, you will be prompted for the new password and then asked to confirm the new password.


Frequently asked questions (FAQs):

Q: What happens if I do nothing?
A: You might not notice anything on April 26, 2012, but after the web server is restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the web server plug-in will fail to initialize the HTTPS transports. The plug-in will rely on HTTP (non-ssl) transports to communicate to the WebSphere Application Server, and the plug-in log will contain error messages similar to the following messages:

  • ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment 
    ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security


Q: Can I use the same password?
A: You can not supply the existing password and tell it to change it to that same one. You must specify a new password.

Q: What if I find the password problem within my plug-in from WebSphere Application Server Version 4.0.x?
A: The plug-in from WebSphere Application Server Version 4.0 used GSKit Version 5. You can use the gsk5ikm GUI to change the password or use the gsk5cmd to alter the password. If it's more convenient, you can backup and copy the kdb file to a GSKit 7.0.4 environment and use the tools there to change the password.

Q: How do I correct the password problem if I am running on z/OS?
A: You can use the z/OS gskkyman utility. To use this utility to display the expiration date, issue a command similar to the following command:

gskkyman -dk -k plugin-key.kdb To fix the expiration date, you must complete the following steps, which includes changing the password:

  1. Navigate to the location of the plugin-key.kdb file.
  2. Enter gskkyman.
  3. From the menu provided, choose option "3 - Change database password".
  4. Prompt: "Enter key database name (press ENTER to return to menu):" (Enter plugin-key.kdb).
  5. Prompt: "Enter database password (press ENTER to return to menu):" (Enter WebAS).
  6. Prompt: "Enter new database password (press ENTER to return to menu):" (Enter your new password).
  7. Prompt: "Re-enter database password:" (Re-enter the password).
  8. Prompt: "Enter password expiration in days (press ENTER for no expiration):" (decide if you want this password to expire).

After the password is set, use the following command to stash the new password to a file for the plugin to utilize the updated kdb file.

gskkyman -s -k plugin-key.kdb 


Q: How do I correct the password problem if I am running on IBM i?
A: IBM i provides a utility called Digital Certificate Manager. This tool can be used to change the password, but it does not provide a means to view the expire value.

To view the password expiration value, copy the plugin-key.kdb file to a distributed environment, such as Microsoft Windows, and use either iKeyman or gsk7capicmd utilities previously described in this Flash.

To change the password, complete one of the following actions.

If you are running on IBM i V5R4, complete the following steps:

  1. Start the HTTP Admin server if it is not already running:

    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) 
  2. In the browser, enter the following:

    machine:2001 (enter credentials)
  3. Click Digital Certificate Manager.
  4. Click Select a certificate store.
  5. Select Other system certificate store, and then click Continue.
  6. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  7. Click Reset password.
  8. Enter the new password, confirm the new password, and then take the default options.

    - Automatic login
    - Password does not expire
  9. Click Continue.
The operation is successful if you see the message "The password has been reset." If you are running on IBM i V6R1or V7R1, complete the following steps:
  1. Start the HTTP Admin server if it is not already running:

    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) 
  2. In the browser, enter the following:

    machine:2001 (enter credentials)
  3. Expand IBM i management and click Internet Configurations.
  4. Click Digital Certificate Manager.
  5. Click Select a certificate store.
  6. Select Other System Certificate Store, and then click Continue.
  7. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  8. Click Reset password.
  9. Enter the new password, confirm the new password, and then take the default options:

    - Automatic login
    - Password does not expire
  10. Click Continue.
The operation is successful if you see the message "The password has been reset." 



--------------------원문 

WebSphere Plugin 의 key 파일이 4월 27일 만기된다고 합니다. 
(모든 plugin kdb 파일은 아님)

   1.만기 날짜 확인 방법
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS

   2.패스워드 및 만기일 변경
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -changepw -db C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash

   3.변경된 만기일 확인
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS


------------ AIX -------
root [/]#find . -name gsk7capicmd -print
./usr/bin/gsk7capicmd
./usr/opt/ibm/gskta/bin/gsk7capicmd
root [/]#cd /usr/bin

root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver1/plugin-key.kdb" -pw WebAS
Validity:  Friday, 27 April 2012 00:20:31 AM KORST

root [/usr/bin]#gsk7capicmd -keydb -changepw -db /IBM/Plugins/config/webserver1/plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash

root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver1/plugin-key.kdb" -pw WebAS1                                  
Validity:  Thursday, 21 April 2022 13:12:40 PM KORST

댓글 없음:

댓글 쓰기