
dcmimport error

Open AndyYouens opened this issue 2 years ago • 12 comments

Attempting to import a certificate from the IFS.

I get the following:

  andy@GALATEA:~$ dcmimport /home/andy/certs/cert.pem
  Enter DCM keystore password:
  Sanity check successful
  checking for conflicting cert to the one with alias cert
  cert has no alias
  checking cert at alias cert
  The following certificates will be processed:
  Certificate ID 'cert':
      Issuer: [email protected], CN=formaserve, OU=Formaserve, O=IT, L=London, ST=London, C=UK
      Subject: [email protected], CN=formaserve, OU=Formaserve, O=IT, L=London, ST=London, C=UK
      Valid From: 2023-01-23 @ 15:09:12+0000
      Valid Until: 2023-02-22 @ 15:09:12+0000
      Is CA? false
  Do you want to import ALL of the above certificates into DCM? [y/N] y
  API gave error message CPFB006: An error occurred.

The server job from getjobid is not showing any errors. Running 7.3 with the latest PTFs.

AndyYouens avatar Jan 25 '23 14:01 AndyYouens

That error message does not describe enough details to know why it failed. Can you try importing the certificate from DCM (IBM Digital Certificate Manager for i) and seeing what error is given from that interface?

tlhaze avatar Jan 25 '23 19:01 tlhaze

Nope, DCM doesn't like it either :-( I'll try with another cert.

AndyYouens avatar Feb 21 '23 11:02 AndyYouens

Having the same issue.

mauroatwork avatar May 02 '23 15:05 mauroatwork

This might be a longshot but I had a similar issue but DCM was more specific about the error...I had a CCSID issue with the certificate. Once I fixed it, I had no issues with DCM or the API call.

phelgren avatar May 03 '23 19:05 phelgren

Hello - I had a similar issue. I was able to import using DCM...just not the dcmimport command (same error as shown above).

Could this be a permission issue on the store's KDB file (or another lacking permission)? The KDB has QSYS with *RW and *PUBLIC has *R. I added the user I am signed in bash with giving *RW but that did not work either. Other ideas?

Would REALLY love to use this tool versus the web DCM since it'll make certificate work on multiple machines much easier and scriptable.

jkdavew avatar Aug 08 '23 16:08 jkdavew

@jkdavew, I'm curious if it's a CCSID-related issue as @phelgren suggested.

To rule out a permissions issue, one could copy the .KDB to a local directory and try. For instance:

cp /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB .
chown $LOGNAME DEFAULT.KDB
dcmimport --dcm-store=./DEFAULT.KDB mycert.pem

For CCSID-related problems:

  • What type of certificate file are you using?
  • What is the file CCSID tag? (from a shell, you can run attr <myfile> ccsid)
  • How was the certificate file generated/acquired?

ThePrez avatar Aug 13 '23 22:08 ThePrez
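The two suspects raised so far, a CCSID problem with the certificate file and authority on the file or keystore, can both be checked before running dcmimport. The script below is an added example and is not part of DCM-tools: it inspects the actual bytes of a PEM file (an ASCII PEM header is 0x2d x5, an EBCDIC one is 0x60 x5, so a file that was converted rather than merely re-tagged is caught even where `attr` is unavailable), counts certificate blocks, flags CRLF endings, and reports readability for the current user. The `attr` and `iconv -f IBM-037` hints are assumed to apply on IBM i PASE only; the sample files in the usage are constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not part of DCM-tools: pre-flight checks for a PEM file
# before handing it to dcmimport. Byte-level checks run anywhere; the
# IBM i specific commands (attr, setccsid, PASE iconv names) are assumptions
# and are only invoked when present.

# First five bytes of the file as lowercase hex, e.g. "2d2d2d2d2d" for "-----".
first5_hex() {
    head -c 5 "$1" | od -An -tx1 | tr -d ' \n'
}

# 0 if the file starts with an ASCII PEM header ("-" is 0x2d).
pem_is_ascii() {
    [ "$(first5_hex "$1")" = "2d2d2d2d2d" ]
}

# 0 if the bytes are EBCDIC ("-" is 0x60 in CCSID 37/500): the content itself
# was converted, so changing the CCSID tag alone will not fix it.
pem_is_ebcdic() {
    [ "$(first5_hex "$1")" = "6060606060" ]
}

# Number of certificate blocks in the file (0 if none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the file contains CRLF line endings.
pem_has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Run the byte-level checks, print findings, return 0 only if all pass.
check_pem() {
    f="$1"; rc=0
    if [ ! -r "$f" ]; then
        echo "$f: not readable by $(id -un); check IFS authority with ls -l"
        return 1
    fi
    if pem_is_ebcdic "$f"; then
        echo "$f: bytes are EBCDIC; re-encode, e.g. iconv -f IBM-037 -t ISO8859-1 (assumed PASE converter names)"
        rc=1
    elif ! pem_is_ascii "$f"; then
        echo "$f: does not start with an ASCII PEM header (DER file, or not a certificate?)"
        rc=1
    fi
    if pem_has_crlf "$f"; then
        echo "$f: has CRLF line endings; normalise with tr -d '\\r'"
        rc=1
    fi
    n=$(pem_cert_count "$f")
    [ "$n" -ge 1 ] || { echo "$f: no CERTIFICATE blocks found"; rc=1; }
    # On IBM i the CCSID tag is metadata separate from the bytes; show it
    # when the PASE attr command exists (it does not on other systems).
    if command -v attr >/dev/null 2>&1; then
        echo "$f: CCSID tag = $(attr "$f" ccsid)"
    fi
    return $rc
}

# Confirm the first block parses; skipped silently where openssl is absent.
pem_parses() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -subject -dates
}

# Usage: sh pemcheck.sh /path/to/cert.pem
if [ -n "${1:-}" ]; then
    check_pem "$1" && pem_parses "$1"
fi
```

If the byte checks pass but the CCSID tag printed by `attr` is an EBCDIC value such as 37, the bytes and the tag disagree; `setccsid 819 file` on PASE fixes the tag without touching the content, whereas a file that fails `pem_is_ebcdic` needs a real conversion.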

I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

russelau avatar Aug 17 '23 20:08 russelau

I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

Yep, there's an undocumented -v option. Please try that and send in the results

ThePrez avatar Aug 17 '23 20:08 ThePrez

I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

Yep, there's an undocumented -v option. Please try that and send in the results

This is what I got

  > y
  java.io.IOException: API gave error message CPFB006: An error occurred.
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.runProgram(DcmApiCaller.java:266)
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.callQykmImportKeyStore(DcmApiCaller.java:244)
          at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:139)
          at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:137)

  API gave error message CPFB006: An error occurred.
  $

russelau avatar Aug 17 '23 20:08 russelau

I'm not sure what error is coming back from the call to QykmImportKeyStore API, so this may not be the issue. But a change went into Java late last year to create PKCS#12 files encrypted with AES-256 and SHA-256 signatures. The change required DCM to be updated via PTFs earlier this year to support that encryption type. Please take a look at the recommended fixes page to ensure you have the needed DCM related fixes. [https://www.ibm.com/support/pages/ibm-i-74-recommended-fixes-cryptographic-servicesdcmcryptographic-co-processor] SI82940 is the one that adds support for importing certificates from a PKCS#12 file encrypted with AES-256 and SHA-256.

tlhaze avatar Aug 17 '23 21:08 tlhaze

I'm not sure what error is coming back from the call to QykmImportKeyStore API, so this may not be the issue. But a change went into Java late last year to create PKCS#12 files encrypted with AES-256 and SHA-256 signatures. The change required DCM to be updated via PTFs earlier this year to support that encryption type. Please take a look at the recommended fixes page to ensure you have the needed DCM related fixes. [https://www.ibm.com/support/pages/ibm-i-74-recommended-fixes-cryptographic-servicesdcmcryptographic-co-processor] SI82940 is the one that adds support for importing certificates from a PKCS#12 file encrypted with AES-256 and SHA-256.

Thank you for your insight. What you said makes sense. I didn't have control over PTFs and wanted to import the CA's by bulk so I settled for a workaround.

I ended up using dcmexport someFileName.pkcs12 --format=pkcs12 from the LPAR where dcmimport --installed-certs succeeded, and imported the pkcs12 file through DCM on the LPAR where I was getting "API gave error message CPFB006: An error occurred."

Might be helpful as a workaround to people who might be stuck on the same issue.

russelau avatar Aug 17 '23 23:08 russelau
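Both the PTF note above (SI82940 adding support for PKCS#12 files protected with AES-256 and SHA-256) and the dcmexport/DCM workaround hinge on which protection algorithms a given PKCS#12 file uses, which `openssl pkcs12 -info` reports. The script below is an added example, not DCM-tools or IBM code: it classifies a file as "modern" (PBES2/AES bags or an SHA-256 MAC) or "legacy", and can re-wrap a modern file with PBE-SHA1-3DES bags and an SHA-1 MAC, the older protection that Java used before the change tlhaze describes, so that an unpatched DCM can read it. Assumptions: the `openssl` binary is on the path and the password is supplied in the `P12_PASS` environment variable; the `-info` output lines in the usage are constructed from the format OpenSSL prints. The re-wrapped file is deliberately weaker at rest, so treat it as transport-only and delete it once DCM has imported it; applying the PTF is the proper fix.

```shell
#!/bin/sh
# Added example, not part of DCM-tools: classify a PKCS#12 file's protection
# algorithms and, if necessary, re-wrap it so a DCM without SI82940 can
# import it. Password comes from $P12_PASS (assumed) to keep it out of ps.

# Read `openssl pkcs12 -info -noout` output on stdin. Return 0 when the file
# uses PBES2/AES bags or an SHA-2 MAC (needs the DCM PTF), 1 otherwise.
p12_uses_modern_pbe() {
    grep -Eiq 'PBES2|AES-(128|192|256)|MAC: *sha(256|384|512)'
}

# Dump the algorithm summary of a real file (no keys or certs printed).
p12_info() {
    openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1
}

# Print "modern" or "legacy" for a real file.
p12_classify() {
    if p12_info "$1" | p12_uses_modern_pbe; then echo modern; else echo legacy; fi
}

# Re-wrap $1 into $2 using the older PBE-SHA1-3DES bag protection and an
# SHA-1 MAC. Works for cert-only bundles (adds -nokeys) and for key+cert.
# The intermediate PEM holds the key unencrypted; mktemp creates it 0600 and
# it is removed on every exit path.
p12_rewrap_legacy() {
    tmp=$(mktemp) || return 1
    keyopt=""
    if openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS -out "$tmp"; then
        grep -q 'PRIVATE KEY-----' "$tmp" || keyopt="-nokeys"
        openssl pkcs12 -export -in "$tmp" $keyopt -passout env:P12_PASS \
            -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 -out "$2"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: P12_PASS=secret sh p12check.sh exported.pkcs12 [legacy-out.pkcs12]
if [ -n "${1:-}" ]; then
    kind=$(p12_classify "$1")
    echo "$1: $kind"
    if [ "$kind" = "modern" ] && [ -n "${2:-}" ]; then
        p12_rewrap_legacy "$1" "$2" && echo "wrote $2 (transport-only; delete after import)"
    fi
fi
```

Run `p12_classify` on the file produced by `dcmexport --format=pkcs12` on the working LPAR before carrying it to the failing one: if it reports "modern" and the target is missing the DCM PTFs, the re-wrapped output is what to import, and the original file is the one to keep.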

@jkdavew, I'm curious if it's a CCSID-related issue as @phelgren suggested.

To rule out a permissions issue, one could copy the .KDB to a local directory and try. For instance:

cp /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB .
chown $LOGNAME DEFAULT.KDB
dcmimport --dcm-store=./DEFAULT.KDB mycert.pem

For CCSID-related problems:

  • What type of certificate file are you using?
  • What is the file CCSID tag? (from a shell, you can run attr <myfile> ccsid)
  • How was the certificate file generated/acquired?

I ran the steps to copy the store, adjust permissions and import, but received the same error. The ccsid is 819. The root CA file was generated in the DCM and then acquired by exporting the issuer certificate from a connected 5250 session in ACS via the padlock icon on the bottom-right.

Doing the dcmimport with the verbose flag specified I got this:

  java.io.IOException: API gave error message CPFB006: An error occurred.
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.runProgram(DcmApiCaller.java:266)
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.callQykmImportKeyStore(DcmApiCaller.java:244)
          at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:139)
          at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:137)

For another example, I generated a new cert with openssl but upon import had the same error. As another step I took that same new openssl certificate and was able to import via the DCM web portal.

The signature algorithm in both is sha256WithRSAEncryption. Could we still be missing PTFs if the import is working in the DCM web tool?

As an alternative approach, I was able to import on the command line by doing a call to QICSS/QYCUDRIVER (which is what the DCM web tool is using). At this point this seems to be my only approach for doing the import besides opening the web DCM tool.

jkdavew avatar Aug 30 '23 17:08 jkdavew