
Problem using PKCS7 for password synchronizer


bjvd

Jul 22, 2009, 11:18:23 AM
Hi,

I've set up a password synchronizer on a Windows Active Directory
domain controller, using a MQe password store. This works fine, and I
can view the captured passwords with a TDI Assembly Line in which I
set up a JMS Password Connector (or MQe Password Store Connector for
versions before 7.0).

I now want to use the PKCS7 functionality, in order to sign and
encrypt password change messages. So I created with ikeyman two JKS
files: one for the connector, and one for the password synchronizer
MQe client.
So I have configured the PKCS7 stanza in pwsync.props.

But when I start again the proxy, it fails to start because it can not
initialize the PKCS7 module, because "Keystore was tampered with, or
password was incorrect".
But the password is correct, I can open the JKS file with ikeyman
without a problem.

Any input would be valuable, thx!!
/Ben

bjvd

Jul 22, 2009, 11:54:10 AM
NB: I tried to configure "standard" encryption instead of PKCS7, and
I'm having the same problem: the private key can not be read in the
keystore, "Keystore was tampered with, or password was incorrect".

Thx for your help!!
/Ben

ave...@gmail.com

Jul 22, 2009, 12:15:23 PM

The PKCS-7 option works for me on AD. Below is the relevant part
of the pwsync.props.
Note that the password is not 'in the clear'. You have to generate
the encrypted (obfuscated) password via

c:\IBM\TDI\V7.0\pwd_plugins\bin>encryptPasswd.bat passw0rd

pkcs7=true
pkcs7KeyStoreFilePath=C:\\IBM\\TDI\\V7.0\\pwd_plugins\\etc\\passwordStore.jks
# the password to this key store is 'passw0rd'
pkcs7KeyStoreFilePassword=0f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=passwordstore
pkcs7MqeConnectorCertificateAlias=passwordconnector

bjvd

Jul 22, 2009, 12:37:42 PM
Thank you very much for the very quick answer!
I had indeed not obfuscated the password. It works fine now.
Thx again, and kind regards,
/Ben

rber...@gmail.com

Jun 21, 2012, 1:11:48 PM
Hello

I get the error while starting proxy when pkcs7=true is specified.

[6/21/12 8:08 PM] {Proxy} ERROR: CTGDKN017E Unable to start the Java Proxy. The Password Store class could not be instantiated.
java.lang.IllegalArgumentException: Private key was not specified.
at com.ibm.security.pkcs7.SignerInfo.sign(SignerInfo.java:1109)
at com.ibm.security.pkcs7.SignerInfo.sign(SignerInfo.java:803)
at com.ibm.security.pkcs7.SignerInfo.<init>(SignerInfo.java:420)
at com.ibm.security.pkcs7.SignedData.addSigner(SignedData.java:1397)
at com.ibm.security.pkcs7.SignedData.<init>(SignedData.java:572)
at com.ibm.security.pkcs7.SignedData.<init>(SignedData.java:462)
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.encrypt(PKCS7EncryptMessage.java:124)
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.<init>(PKCS7EncryptMessage.java:94)
at com.ibm.di.plugin.pwstore.jms.JMSPasswordStore.initialize(JMSPasswordStore.java:156)
at com.ibm.di.plugin.proxy.Proxy.validateAndPrepare(Proxy.java:334)
at com.ibm.di.plugin.proxy.Proxy.init(Proxy.java:212)
at com.ibm.di.plugin.proxy.Proxy.main(Proxy.java:159)


Where should I specify this private key?

My proxy props file looks like this:
proxyStartExe=C:\\ibm\\tdi\\V7.1_64/pwd_plugins/bin/startProxy.bat
logFile=C:\\ibm\\tdi\\V7.1_64/pwd_plugins/windows/plugin.log
checkRepository=true
javaLogFile=C:\\ibm\\tdi\\V7.1_64/pwd_plugins/windows/proxy.log
debug=true
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
encrypt=false
encryptKeyStoreFilePath=
encryptKeyStoreFilePassword=
encryptKeyStoreCertificate=
pkcs7=true
pkcs7KeyStoreFilePath=C:\\ibm\\tdi\\proxy.jks
# the password to this key store is 'passw0rd'
pkcs7KeyStoreFilePassword=0f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=passwordstore
pkcs7MqeConnectorCertificateAlias=passwordconnector
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQe
jms.clientId=
mqe.file.ini=C:\\IBM\\TDI\\V7.1_32\\MQePWStore_Client\\pwstore_client.ini
mqe.notify.port=41002
jms.broker=<host>:<port>
jms.username=
jms.password=
jms.serverChannel=
jms.qManager=
jms.sslUseFlag=false
jms.sslCipher=SSL_RSA_WITH_RC4_128_MD5

rber...@gmail.com

Jun 22, 2012, 4:02:45 AM
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -keydb -create -db c:\ibm\tdi\store.jks -pw passw0rd
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -create -db c:\ibm\tdi\store.jks -pw passw0rd -label passwordstore -dn CN=passwordstore
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -extract -db c:\ibm\tdi\store.jks -pw passw0rd -label passwordstore -target c:\ibm\tdi\store.der -format binary
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -keydb -create -db c:\ibm\tdi\proxy.jks -pw passw0rd
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -create -db c:\ibm\tdi\proxy.jks -pw passw0rd -label passwordconnector -dn CN=passwordconnector
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -add -db c:\ibm\tdi\proxy.jks -pw passw0rd -file c:\ibm\tdi\store.der

pwsync.props contains:

# PKCS7 Configuration:
pkcs7=true
pkcs7KeyStoreFilePath=C:\\ibm\\tdi\\proxy.jks
# the password to this key store is 'passw0rd'
pkcs7KeyStoreFilePassword=0f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=passwordstore
pkcs7MqeConnectorCertificateAlias=passwordconnector


C:\IBM\TDI\V7.1_PWD_Plugins\pwd_plugins\bin\encryptPasswd.bat passw0rd

C:\IBM\TDI\V7.1_PWD_Plugins\pwd_plugins\windows>pwsync_admin_64.exe start_proxy
INFO: : Executing the 'start_proxy' command.
INFO: : Loading properties from file 'C:\ibm\tdi\V7.1_PWD_Plugins\pwd_plugins\windows\pwsync.props'.
INFO: : Plugin configuration file loaded.
INFO: : Starting Proxy ...
ERROR: : Cannot start the Proxy: PWPROXY_ERROR_ECONNREFUSED
ERROR: : Operation failed.


Proxy log:
[6/22/12 8:58 AM] {Proxy} ERROR: CTGDKN017E Unable to start the Java Proxy. The Password Store class could not be instantiated.
java.lang.Exception: CTGDIA406E Failed to initialize the PKCS7 encryption module. An exception occurred: java.lang.Exception: CTGDIA405E Could not find certificate with alias 'passwordstore' in key store 'C:\ibm\tdi\proxy.jks'.
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.<init>(PKCS7EncryptMessage.java:90)
at com.ibm.di.plugin.pwstore.jms.JMSPasswordStore.initialize(JMSPasswordStore.java:156)
at com.ibm.di.plugin.proxy.Proxy.validateAndPrepare(Proxy.java:334)
at com.ibm.di.plugin.proxy.Proxy.init(Proxy.java:212)
at com.ibm.di.plugin.proxy.Proxy.main(Proxy.java:159)
Caused by: java.lang.Exception: CTGDIA405E Could not find certificate with alias 'passwordstore' in key store 'C:\ibm\tdi\proxy.jks'.
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.<init>(PKCS7EncryptMessage.java:81)
... 4 more


What is wrong?

rber...@gmail.com

Jun 22, 2012, 4:16:42 AM
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -keydb -create -db c:\ibm\tdi\store.jks -pw passw0rd
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -create -db c:\ibm\tdi\store.jks -pw passw0rd -label passwordstore -dn CN=passwordstore
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -extract -db c:\ibm\tdi\store.jks -pw passw0rd -label passwordstore -target c:\ibm\tdi\store.der -format binary
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -keydb -create -db c:\ibm\tdi\proxy.jks -pw passw0rd
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -create -db c:\ibm\tdi\proxy.jks -pw passw0rd -label passwordconnector -dn CN=passwordconnector
C:\IBM\TDI\V7.1\jvm\jre\bin\ikeycmd -cert -add -db c:\ibm\tdi\proxy.jks -pw passw0rd -file c:\ibm\tdi\store.der -label passwordstore

pwsync.props contains:

# PKCS7 Configuration:
pkcs7=true
pkcs7KeyStoreFilePath=C:\\ibm\\tdi\\proxy.jks
# the password to this key store is 'passw0rd'
pkcs7KeyStoreFilePassword=0f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=passwordstore
pkcs7MqeConnectorCertificateAlias=passwordconnector


C:\IBM\TDI\V7.1_PWD_Plugins\pwd_plugins\bin\encryptPasswd.bat passw0rd
0f0fe0e2062f0d66


C:\IBM\TDI\V7.1_PWD_Plugins\pwd_plugins\windows>pwsync_admin_64.exe start_proxy
INFO: : Executing the 'start_proxy' command.
INFO: : Loading properties from file 'C:\ibm\tdi\V7.1_PWD_Plugins\pwd_plugins\windows\pwsync.props'.
INFO: : Plugin configuration file loaded.
INFO: : Starting Proxy ...
ERROR: : Cannot start the Proxy: PWPROXY_ERROR_ECONNREFUSED
ERROR: : Operation failed.


Proxy log:
[6/22/12 11:15 AM] {Proxy} ERROR: CTGDKN017E Unable to start the Java Proxy. The Password Store class could not be instantiated.
java.lang.IllegalArgumentException: Private key was not specified.
at com.ibm.security.pkcs7.SignerInfo.sign(SignerInfo.java:1109)
at com.ibm.security.pkcs7.SignerInfo.sign(SignerInfo.java:803)
at com.ibm.security.pkcs7.SignerInfo.<init>(SignerInfo.java:420)
at com.ibm.security.pkcs7.SignedData.addSigner(SignedData.java:1397)
at com.ibm.security.pkcs7.SignedData.<init>(SignedData.java:572)
at com.ibm.security.pkcs7.SignedData.<init>(SignedData.java:462)
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.encrypt(PKCS7EncryptMessage.java:124)
at com.ibm.di.security.pkcs7.PKCS7EncryptMessage.<init>(PKCS7EncryptMessage.java:94)
at com.ibm.di.plugin.pwstore.jms.JMSPasswordStore.initialize(JMSPasswordStore.java:156)
at com.ibm.di.plugin.proxy.Proxy.validateAndPrepare(Proxy.java:334)
at com.ibm.di.plugin.proxy.Proxy.init(Proxy.java:212)
at com.ibm.di.plugin.proxy.Proxy.main(Proxy.java:159)



What is wrong? "Private key was not specified." Where should I specify private key?
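
The two failures in this thread come from two different preconditions of the PKCS7 sign-and-encrypt mode: the keystore password in pwsync.props has to be the encryptPasswd.bat output rather than the clear-text password (Ben's first problem, "Keystore was tampered with, or password was incorrect"), and the sending keystore has to hold both a private key for the signer alias (SignedData.addSigner raises "Private key was not specified" without one) and a certificate for the recipient alias (CTGDIA405E when it is missing). The checker below is an added example written for this thread, not code from IBM TDI or from any poster. It reads `keytool -list -v` style listings (the JDK keytool output shape is assumed; the thread uses ikeyman/ikeycmd), it does not know which of the two configured aliases the proxy signs with, so both roles are parameters, and the "obfuscated password looks like even-length lowercase hex" rule is a heuristic taken from the sample value in the thread, not the real encryptPasswd.bat algorithm. All listings and property lines are constructed.

```python
"""Sanity-check the keystore entries and pwsync.props values that the TDI
password synchronizer's PKCS7 mode depends on (added example, assumptions
in comments)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    alias: str
    entry_type: str  # keytool's names: "PrivateKeyEntry" or "trustedCertEntry"


def parse_keytool_listing(text: str) -> dict[str, Entry]:
    """Map alias -> Entry from `keytool -list -v` output (shape assumed).
    Aliases are lower-cased because JKS matches them case-insensitively."""
    entries: dict[str, Entry] = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+?)\s*$", line)
        if m:
            alias = m.group(1).lower()
            continue
        m = re.match(r"Entry type:\s*(\w+)", line)
        if m and alias is not None:
            entries[alias] = Entry(alias, m.group(1))
            alias = None
    return entries


def check_pkcs7_keystore(listing: str, signer_alias: str, recipient_alias: str) -> list[str]:
    """Report what a sign-and-encrypt sender is missing: SignedData needs the
    signer's private key, EnvelopedData needs only the recipient's certificate."""
    entries = parse_keytool_listing(listing)
    problems = []
    signer = entries.get(signer_alias.lower())
    if signer is None:
        problems.append(f"no entry '{signer_alias}': nothing to sign with")
    elif signer.entry_type != "PrivateKeyEntry":
        problems.append(
            f"'{signer_alias}' is a {signer.entry_type}, not a PrivateKeyEntry: "
            "signing needs the private key ('Private key was not specified')"
        )
    if recipient_alias.lower() not in entries:
        problems.append(
            f"no certificate with alias '{recipient_alias}': cannot encrypt "
            "to the recipient (CTGDIA405E in the thread)"
        )
    return problems


def looks_obfuscated(value: str) -> bool:
    """Heuristic (assumption from the thread's sample value): encryptPasswd.bat
    output is even-length lowercase hex; anything else is treated as clear text."""
    return len(value) % 2 == 0 and re.fullmatch(r"[0-9a-f]+", value) is not None


def check_pwsync_props(props: str) -> list[str]:
    """Flag keystore passwords pasted in the clear instead of the
    encryptPasswd.bat output (the first failure in the thread)."""
    problems = []
    for raw in props.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.endswith("KeyStoreFilePassword") and value and not looks_obfuscated(value):
            problems.append(
                f"{key} is not encryptPasswd.bat output; expect "
                "'Keystore was tampered with, or password was incorrect'"
            )
    return problems


def constructed_listing(entries: list[tuple[str, str]]) -> str:
    """Build keytool-style text for the constructed samples below (layout assumed)."""
    blocks = [
        f"Alias name: {alias}\nCreation date: Jun 22, 2012\nEntry type: {kind}\nOwner: CN={alias}\n"
        for alias, kind in entries
    ]
    return "Keystore type: JKS\n\n" + "\n*******************************************\n\n".join(blocks)


# Constructed samples: both roles satisfied; signer alias present only as a
# trusted certificate; recipient certificate missing.
COMPLETE = constructed_listing([("passwordconnector", "PrivateKeyEntry"),
                                ("passwordstore", "trustedCertEntry")])
NO_PRIVATE_KEY = constructed_listing([("passwordconnector", "trustedCertEntry"),
                                      ("passwordstore", "trustedCertEntry")])
MISSING_RECIPIENT = constructed_listing([("passwordconnector", "PrivateKeyEntry")])

CLEAR_PROPS = "pkcs7=true\npkcs7KeyStoreFilePassword=passw0rd\n"
OBFUSCATED_PROPS = ("pkcs7=true\n# the password to this key store is 'passw0rd'\n"
                    "pkcs7KeyStoreFilePassword=0f0fe0e2062f0d66\n")

if __name__ == "__main__":
    for name, listing in [("complete", COMPLETE), ("no private key", NO_PRIVATE_KEY),
                          ("missing recipient", MISSING_RECIPIENT)]:
        print(name, check_pkcs7_keystore(listing, "passwordconnector", "passwordstore"))
    print("clear", check_pwsync_props(CLEAR_PROPS))
    print("obfuscated", check_pwsync_props(OBFUSCATED_PROPS))
```

Run it against a real listing by piping `keytool -list -v -keystore proxy.jks` into `check_pkcs7_keystore` with the two aliases from pwsync.props; if neither ordering of the aliases comes back clean, the keystore cannot satisfy both PKCS7 roles however the proxy assigns them, which narrows the "Private key was not specified" question to the keystore contents rather than the properties file.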

rber...@gmail.com

Jun 28, 2012, 3:20:51 AM
Anybody using PKCS7 for password connector encryption?