ThePrez / DCM-tools

Command-line tools for working with Digital Certificate Manager (DCM) on IBM i
Apache License 2.0

dcmimport error #38

Open AndyYouens opened 1 year ago

AndyYouens commented 1 year ago

Attempting to import a certificate from the IFS.

I get the following:

  andy@GALATEA:~$ dcmimport /home/andy/certs/cert.pem
  Enter DCM keystore password:
  Sanity check successful
  checking for conflicting cert to the one with alias cert
  cert has no alias
  checking cert at alias cert
  The following certificates will be processed:
  Certificate ID 'cert':
      Issuer: OID.1.2.840.113549.1.9.1=andy@bac.co.uk, CN=formaserve, OU=Formaserve, O=IT, L=London, ST=London, C=UK
      Subject: OID.1.2.840.113549.1.9.1=andy@bac.co.uk, CN=formaserve, OU=Formaserve, O=IT, L=London, ST=London, C=UK
      Valid From: 2023-01-23 @ 15:09:12+0000
      Valid Until: 2023-02-22 @ 15:09:12+0000
      Is CA? false
  Do you want to import ALL of the above certificates into DCM? [y/N] y
  API gave error message CPFB006: An error occurred.

The server job from getjobid is not showing any errors. Running 7.3 with the latest PTFs.

tlhaze commented 1 year ago

That error message does not describe enough details to know why it failed. Can you try importing the certificate from DCM (IBM Digital Certificate Manager for i) and seeing what error is given from that interface?

AndyYouens commented 1 year ago

Nope, DCM doesn't like it either :-( I'll try with another cert.

mauroatwork commented 1 year ago

Having the same issue.

phelgren commented 1 year ago

This might be a longshot but I had a similar issue but DCM was more specific about the error...I had a CCSID issue with the certificate. Once I fixed it, I had no issues with DCM or the API call.

jkdavew commented 1 year ago

Hello - I had a similar issue. I was able to import using DCM...just not the dcmimport command (same error as shown above).

Could this be a permission issue on the store's KDB file (or another lacking permission)? The KDB has QSYS with RW and PUBLIC has R. I added the user I am signed into bash with, giving RW, but that did not work either. Other ideas?

Would REALLY love to use this tool versus the web DCM since it'll make certificate work on multiple machines much easier and scriptable.

ThePrez commented 1 year ago

@jkdavew, I'm curious if it's a CCSID-related issue as @phelgren suggested.

To rule out a permissions issue, one could copy the .KDB to a local directory and try. For instance:

cp /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB .
chown $LOGNAME DEFAULT.KDB
dcmimport --dcm-store=./DEFAULT.KDB mycert.pem

For CCSID-related problems:

  • What type of certificate file are you using?
  • What is the file CCSID tag? (from a shell, you can run attr <myfile> ccsid)
  • How was the certificate file generated/acquired?
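An added triage script (my own example, not part of DCM-tools) that checks the two things this thread turns on, the certificate file's encoding and the store permissions, before re-running dcmimport with the -v option. It assumes the default store path shown above, that -v can be combined with --dcm-store, and that attr and dcmimport are only present on IBM i.

```shell
#!/bin/sh
# Triage helper for the CPFB006 import failure discussed in this issue.
# Assumptions: PEM input, default store path from the thread, IBM i-only
# commands (attr, dcmimport) are skipped when they are not installed.

# Print the byte-level encoding of the PEM header: ascii, ebcdic or unknown.
# A file saved in an EBCDIC CCSID starts with 60 60 60 60 60 (EBCDIC "-----")
# instead of the ASCII 2d bytes; DCM's import API rejects such a file with the
# same opaque CPFB006 message, so this is the first thing to rule out.
pem_encoding() {
  first10=$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')
  first5=$(head -c 5 "$1" | od -An -tx1 | tr -d ' \n')
  if [ "$first10" = "2d2d2d2d2d424547494e" ]; then   # "-----BEGIN" in ASCII
    echo ascii
  elif [ "$first5" = "6060606060" ]; then            # "-----" in EBCDIC
    echo ebcdic
  else
    echo unknown
  fi
}

# Show the IFS CCSID tag (attr exists only on IBM i; 819 is the tag
# reported as working in this thread).
show_ccsid() {
  if command -v attr >/dev/null 2>&1; then
    attr "$1" ccsid
  else
    echo "attr not available (not running on IBM i)"
  fi
}

# Copy the store locally and import against the copy, as suggested above,
# so that store permissions are taken out of the picture. Uses the
# undocumented -v option so the Java stack trace is printed on failure.
import_via_local_copy() {
  store=${2:-/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB}
  cp "$store" ./DEFAULT.KDB && chown "$LOGNAME" ./DEFAULT.KDB &&
    dcmimport -v --dcm-store=./DEFAULT.KDB "$1"
}

# Run the checks for one certificate file and print what was found.
triage() {
  echo "header encoding: $(pem_encoding "$1")"
  show_ccsid "$1"
  ls -l "$1"
}
```

Run `triage /path/to/cert.pem` first; only if the header is ascii and the tag is an ASCII CCSID such as 819 is it worth calling `import_via_local_copy /path/to/cert.pem`.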

russelau commented 1 year ago

I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

ThePrez commented 1 year ago

> I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

Yep, there's an undocumented -v option. Please try that and send in the results.

russelau commented 1 year ago

> I'm also getting this error in 1 of 3 LPARs upon running dcmimport --installed-certs. Is there a way to do a verbose to see where the error is occurring?

> Yep, there's an undocumented -v option. Please try that and send in the results

This is what I got:

> y
  java.io.IOException: API gave error message CPFB006: An error occurred.
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.runProgram(DcmApiCaller.java:266)
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.callQykmImportKeyStore(DcmApiCaller.java:244)
          at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:139)
          at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:137)

  API gave error message CPFB006: An error occurred.
  $

tlhaze commented 1 year ago

I'm not sure what error is coming back from the call to QykmImportKeyStore API, so this may not be the issue. But a change went into Java late last year to create PKCS#12 files encrypted with AES-256 and SHA-256 signatures. The change required DCM to be updated via PTFs earlier this year to support that encryption type. Please take a look at the recommended fixes page to ensure you have the needed DCM related fixes. [https://www.ibm.com/support/pages/ibm-i-74-recommended-fixes-cryptographic-servicesdcmcryptographic-co-processor] SI82940 is the one that adds support for importing certificates from a PKCS#12 file encrypted with AES-256 and SHA-256.

russelau commented 1 year ago

> I'm not sure what error is coming back from the call to QykmImportKeyStore API, so this may not be the issue. But a change went into Java late last year to create PKCS#12 files encrypted with AES-256 and SHA-256 signatures. The change required DCM to be updated via PTFs earlier this year to support that encryption type. Please take a look at the recommended fixes page to ensure you have the needed DCM related fixes. [https://www.ibm.com/support/pages/ibm-i-74-recommended-fixes-cryptographic-servicesdcmcryptographic-co-processor] SI82940 is the one that adds support for importing certificates from a PKCS#12 file encrypted with AES-256 and SHA-256.

Thank you for your insight. What you said makes sense. I didn't have control over PTFs and wanted to import the CAs in bulk, so I settled for a workaround.

I ended up using dcmexport someFileName.pkcs12 --format=pkcs12 from the LPAR on which I was successful doing dcmimport --installed-certs, and imported the pkcs12 file through DCM on the LPAR where I was getting "API gave error message CPFB006: An error occurred."

Might be helpful as a workaround to people who might be stuck on the same issue.

jkdavew commented 1 year ago

> @jkdavew, I'm curious if it's a CCSID-related issue as @phelgren suggested.
>
> To rule out a permissions issue, one could copy the .KDB to a local directory and try. For instance:
>
> cp /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB .
> chown $LOGNAME DEFAULT.KDB
> dcmimport --dcm-store=./DEFAULT.KDB mycert.pem
>
> For CCSID-related problems:
>
>   • What type of certificate file are you using?
>   • What is the file CCSID tag? (from a shell, you can run attr <myfile> ccsid)
>   • How was the certificate file generated/acquired?

I ran the steps to copy the store, adjust permissions and import but received the same error. The CCSID is 819. The root CA file was generated in the DCM and then acquired by exporting the issuer certificate from a connected 5250 session in ACS via the padlock icon on the bottom-right.

Doing the dcmimport with the verbose flag specified, I got this:

  java.io.IOException: API gave error message CPFB006: An error occurred.
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.runProgram(DcmApiCaller.java:266)
          at com.github.ibmioss.dcmtools.utils.DcmApiCaller.callQykmImportKeyStore(DcmApiCaller.java:244)
          at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:139)
          at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:137)

For another example, I generated a new cert with openssl but upon import had the same error. As another step I took that same new openssl certificate and was able to import via the DCM web portal.

The signature algorithm in both is sha256WithRSAEncryption. Could we still be missing PTFs if the import is working in the DCM web tool?

As an alternative approach, I was able to import on the command line by doing a call to QICSS/QYCUDRIVER (which is what the DCM web tool is using). At this point this seems to be my only approach for doing the import besides opening the web DCM tool.