
Open cmh716 opened this issue 2 years ago • 19 comments

I had a cert called "test" and ran

dcmremovecert --dcm-store=system --label=test

It asked for the DCIM password and then wiped every cert. Does anyone else have this issue?

cmh716 avatar Apr 04 '22 21:04 cmh716

The renamecert also wipes out all certs.

dcmrenamecert --dcm-store=system --old-label=test --new-label=test2

Removal: The certificate with label 'test' has been removed.

On the DCIM, *SYSTEM Store under View Certificate--Server or Client - totally empty

I've observed that there are now certs called: xxxxxxxprivatekey in the CA portion after deletion. For example testprivatekey because my cert label was "test"

cmh716 avatar Apr 07 '22 14:04 cmh716

Oof! That's not good. Hopefully you had those backed up. A few questions for the state of the file after the malfunctioning dcmrenamecert/dcmremovecert call:

  • Is your .KDB file a 0-byte file, or is it a valid keystore file, just empty?
  • Do you have a .backup file created, by chance? (from the looks of it, we delete the backups)

Also, was the program output sensible (it should show, added a cert, removed a cert, for instance), or did the program output say it deleted all the certs?

ThePrez avatar Apr 07 '22 21:04 ThePrez

Thanks for the response. To be clear, it clears every cert in the *SYSTEM store in the Server/Client Certificate area. It does not touch any of the CA Certificates. It's not zero bytes and is still a functional keystore. I do not see any .backup files residing in the same path as the *SYSTEM KDB file.

The output looked like this:

dcmremovecert --dcm-store=system --label=test

Enter DCM keystore password:
The following changes were made on the DCM keystore:
Removal: The certificate with ID 'censored_sha2_2020' has been removed
Removal: The certificate with ID 'censored-hk-sha2-2020' has been removed
Removal: The certificate with ID 'censored-hk-sha2-2020_2' has been removed
Removal: The certificate with ID 'test' has been removed
SUCCESS!!!

cmh716 avatar Apr 07 '22 21:04 cmh716

And all these certs are removed, but I notice there are now certs in the CA trust store called testprivatekey, censored_sha2_2020privatekey, etc.

cmh716 avatar Apr 07 '22 21:04 cmh716

Got it. Thanks for the info! That helps. I can try to recreate on a different system than I did original bringup. Does (edit: dcmexport) work properly for you? (you can inspect the resulting file by using the "Key Management" GUI of ACS)

ThePrez avatar Apr 07 '22 22:04 ThePrez

oops, meant to ask if dcmexport works properly, not dcmexportcert

ThePrez avatar Apr 07 '22 22:04 ThePrez

Yes, I was able to successfully export the entire dcim with the dcmexport tool. That's going to be a great feature to have. Perfect for backups.

cmh716 avatar Apr 07 '22 22:04 cmh716

And yes I can see the keys, even the CA certs in the resulting output file, so I know that's working okay. dcmview works perfectly too.

cmh716 avatar Apr 07 '22 22:04 cmh716

Great. Thank you. I think what may be happening is that your Java version is using a newer encryption standard than DCM recognizes when it imports the changes back in (based on a short conversation I had with @tlhaze). I assume you don't have JAVA_HOME set and are getting the default Java 8?

ThePrez avatar Apr 07 '22 22:04 ThePrez

Yes, you are correct. We don't have any *JOB or *SYS ENVVARs set for JAVA_HOME.

Via QSH:

java -version
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 8.0.7.0 pap6480sr7-20211025_01 (SR7))
IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit Compressed References 20211022_15212 (JIT enabled, AOT enabled)
OpenJ9 6abb372
OMR b898db9
IBM 2f2c48b)
JCL 20210930_01 based on Oracle jdk8u311-b11

cmh716 avatar Apr 07 '22 22:04 cmh716

Thanks! This will also help me set up a local recreate

ThePrez avatar Apr 07 '22 22:04 ThePrez

Thanks for looking into this for me. I think this tool is going to be a massive time saver.

cmh716 avatar Apr 07 '22 22:04 cmh716

This may be addressed in the in-flight PR #28, as I am rewriting the function to use the IBM-provided JSSE provider to work with the KDB files. With my latest testing, it seems to be working well except any "privatekey" entries are deleted after invocation. Still investigating that...

ThePrez avatar Apr 08 '22 20:04 ThePrez

That's great news. If there is any testing you'd like me to do, just let me know. Thanks!

cmh716 avatar Apr 09 '22 12:04 cmh716

I merged in my WIP and cut a pre-release v0.2.0. Please try it out and see if it works any better for you:

yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.2.0/dcmtools-0.2.0-0.ibmi7.2.ppc64.rpm

(you are likely to still see some issues with it, like the deletion of private key entries. It may be a system/DCM issue. I've opened a support ticket with IBM)

ThePrez avatar Apr 10 '22 22:04 ThePrez

Thanks! I downloaded and installed 0.2.0. I created a test cert in the *SYSTEM store and attempted a delete and it looked like this:

dcmremovecert --dcm-store=system --label=test

Enter DCM keystore password:
The following changes were made on the DCM keystore:
Removal: The certificate with ID 'testprivatekey' has been removed
Removal: The certificate with ID 'test' has been removed
SUCCESS!!!

It didn't touch my other certificate this time.

cmh716 avatar Apr 11 '22 14:04 cmh716

I have another issue with this 0.2.0 version. dcmchangepw is deleting certs:

dcmchangepw --dcm-store=system
Enter DCM keystore password:
Enter output file password:
SUCCESS!!!

I had two certs in the DCIM prior to running the command. Afterward, only one existed, but I saw the missing one was moved to the CA trust store rather than the Server/Client Cert area.

cmh716 avatar Apr 14 '22 13:04 cmh716

It seems there are still some issues with deletions on 0.2.0. Any ideas why the change password process would alter the certs?

cmh716 avatar Apr 20 '22 13:04 cmh716

An issue was identified with the QykmImportKeystore API, which is used as part of this solution. After Java manages the certificates and stores them back into a PKCS12 file, the content is in an order that the QykmImportKeystore API was not expecting. The underlying code for that API has been updated to better handle PKCS12 files with keys and certificates in different orders than originally stored. The PTF numbers that resolve this issue are as follows: IBM i 7.3 = SI79678, IBM i 7.4 = SI79679.

tlhaze avatar Apr 28 '22 19:04 tlhaze
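A way to verify a DCM-tools style round trip on a copy before trusting it against a live store, as an added example that is not part of the project or of this thread: it loads an exported PKCS12 (the kind dcmexport produces), removes a single alias, writes a new file, reloads it and reports any alias that was lost or came back as a different entry type (a key entry turning into a cert-only entry is the analogue of the "privatekey" entries landing in the CA area). The class name, the file paths taken from the command line and the password prompt are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical check: remove one alias from a PKCS12 copy and prove nothing else changed. */
public class KeystoreRoundTripCheck {

    /** Inventory in iteration order: "alias (key)" for private-key entries, "alias (cert)" otherwise. */
    static List<String> inventory(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            out.add(alias + (ks.isKeyEntry(alias) ? " (key)" : " (cert)"));
        }
        return out;
    }

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // args: <exported.p12> <output.p12> <label>; always work on a copy, never the live store
        String src = args[0], dst = args[1], label = args[2];
        char[] pw = System.console().readPassword("Keystore password: ");

        KeyStore ks = load(src, pw);
        List<String> before = inventory(ks);
        ks.deleteEntry(label);                        // the single removal that was requested
        try (OutputStream out = new FileOutputStream(dst)) {
            ks.store(out, pw);                        // the Java PKCS12 writer groups key bags and cert bags
        }                                             // separately, so on-disk order may differ from the source

        List<String> after = inventory(load(dst, pw));    // inspect what was actually written, not the in-memory object
        List<String> expected = new ArrayList<>(before);
        expected.removeIf(e -> e.startsWith(label + " ("));

        List<String> lost = new ArrayList<>(expected);    lost.removeAll(after);      // aliases that vanished
        List<String> changed = new ArrayList<>(after);    changed.removeAll(expected); // new or type-changed entries
        System.out.println("before: " + before + "\nafter:  " + after);
        System.out.println(lost.isEmpty() && changed.isEmpty()
                ? "OK: only '" + label + "' removed"
                : "MISMATCH lost=" + lost + " changed=" + changed);
    }
}
```

Run it against the file dcmexport wrote and compare the "after" listing with what dcmview shows once the change is imported; any entry that appears in both lost and changed is one whose type flipped rather than one that disappeared.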