
error msg: [crit] SSL0104S: GSK could not initialize, Invalid password for keyfile.


mgr...@au1.ibm.com
Jul 27, 2007, 8:59:34 PM
Hi,

I'm trying to set up IBM HTTP Server on WinXP as a localhost for testing to work with IBM Intranet Password via w3PHP scripts.

I used iKEYMAN to create the key management database, and was told to use ldapstash from the command line to generate the password as iKEYMAN had an issue with password files (generated an "invalid version" error).

However I still get the following error in my error.log on start up...

[crit] SSL0104S: GSK could not initialize, Invalid password for keyfile.

I've been documenting my whole setup in an IBM Intranet wiki; for IBMers, they can find it here...

https://w3.webahead.ibm.com/w3ki/display/ibmwarped/Home

Any help on this would be great, it's a show stopper for me at the moment.

Regards
Michael Gruber

Eric Covener
Jul 27, 2007, 10:47:46 PM
mgr...@au1.ibm.com wrote:
> Hi,
>
> I'm trying to set up IBM HTTP Server on WinXP as a localhost for testing to work with IBM Intranet Password via w3PHP scripts.
>
> I used iKEYMAN to create the key management database, and was told to use ldapstash from the command line to generate the password as iKEYMAN had an issue with password files (generated an "invalid version" error).


KDB passwords are created exclusively by telling ikeyman to "stash the
password to a file". The stash files created by IHS/bin/sslstash and
IHS/bin/ldapstash aren't a substitute.

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/welc_ikeymangui.html

mgr...@au1.ibm.com
Jul 28, 2007, 9:16:40 AM
Hi,

Below are the instructions I used to create my key management database and file. Below that are extracts from my httpd.conf and ldap.file.

Below all that is the error msg I get when I use the iKEYMAN files (created by the procedure below)...


Create key management database:

1. Start IBM Key Management Utility from Windows to continue.

2. Click Key Database File menu item then, click New sub-menu item to continue.

3. Click Key Database Type drop down list then, click CMS to continue.

4. Click OK to continue.

5. Enter a password into Password and Confirm Password fields then, select Stash the password to a file? check box then, click OK to continue.

6. Click OK to complete.


Create self-signed certificate

1. Start IBM Key Management Utility from Windows to continue.

2. Click Key Database File menu item then, click Open sub-menu item to continue.

3. Click Key Database Type drop down list then, click CMS to continue.

4. Click OK to continue.

5. Enter the password in Password field then, click OK to continue.

6. Click Create menu item then, click New Self-Signed Certificate sub-menu item to continue.

7. Enter the name of the key in the Key Label field (used to identify the key in the key database) then, enter the name of the website in the Common Name field (the URL the key is for; for this tutorial the site is http://localhost, for a production site it would be something like www.ibm.com instead) then, enter the name of the organization using the key in the Organization field then, enter information in the Organization Unit, Locality, State/Province and Zipcode fields if you wish then, select the country from the Country or region drop down list then, enter the number of days the key will be valid for in the Validity Period field then, click OK to continue.

8. Close IBM Key Management Utility to complete.


In my httpd.conf I have...


<Directory "C:/Program Files/IBM/HTTPServer/htdocs/en_US">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI Multiviews
#
# Note that "MultiViews" must be named explicitly --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options All
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
RewriteEngine on
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}
Satisfy all
LDAPConfigFile "C:/Program Files/IBM/HTTPServer/conf/ldap.prop"
AuthName w3
AuthType basic
require valid-user
</Directory>

#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule ibm_ldap_module modules/IBMModuleLDAP.dll
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
KeyFile "C:/Program Files/IBM/HTTPServer/key.kdb"
# Listen: Allows you to bind Apache to specific IP addresses and
# ports. See also the <VirtualHost> directive.


When I start the server I get the following error in the CMD window (no error log is created)...

[error] mod_ibm_ldap: Invalid version in stash file 'C:/Program Files/IBM/HTTPServer/key.sth'
Syntax error on line 312 of C:/Program Files/IBM/HTTPServer/conf/httpd.conf:
unable to recover keyfile password from stash file
Note the errors or messages above, and press the <ESC> key to exit


Line 312 of my httpd.conf is...

LDAPConfigFile "C:/Program Files/IBM/HTTPServer/conf/ldap.prop"


and in my ldap.prop file the only things I edited were...

ldap.key.fileName=C:/Program Files/IBM/HTTPServer/key.kdb

ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/key.sth


I think I've mixed up my keyfiles, i.e. I think I'm referring to the wrong files in my ldap.prop file(?)

Regards
Michael Gruber

mgr...@au1.ibm.com
Jul 28, 2007, 10:04:13 AM
Hi,

I think I fixed my problem; I get no CMD window errors and my error log is...

[Sat Jul 28 23:56:47 2007] [notice] IBM_HTTP_Server/6.1 Apache/2.0.47 configured -- resuming normal operations
[Sat Jul 28 23:56:47 2007] [notice] Server built: Apr 20 2006 07:40:55
[Sat Jul 28 23:56:47 2007] [notice] Parent: Created child process 4880
[Sat Jul 28 23:56:49 2007] [notice] Child 4880: Child process is running
[Sat Jul 28 23:56:49 2007] [notice] Child 4880: Acquired the start mutex.
[Sat Jul 28 23:56:49 2007] [notice] Child 4880: Starting 250 worker threads.

What I did was...

1) used /httpserver/bin/ldapstash.exe and created "ldapstashkey.sth" (using the same password I used to create my iKEYMAN key management database); then

2) changed my ldap.prop file and replaced...

ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/key.sth

with

ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/ldapstashkey.sth

(the keyfile I created with ldapstash.exe).

Tell me this is correct?

I then tried out the w3PHP scripts and it prompted me for my IBM Intranet password and worked fine.

However, when I tried the login demo I got a blank page, but I think that's a script issue, not a server issue.

Regards
Michael Gruber

Eric Covener
Jul 29, 2007, 4:40:25 PM
mgr...@au1.ibm.com wrote:
> Hi,
>
> Below are the instructions I used to create my key management database and file. Below that are extracts from my httpd.conf and ldap.file.

For what purpose? For SSL to the frontend or a set of keys to use with
mod_ibm_ldap to talk to an ldaps:// LDAP server?


> Create key management database:
> Create self-signed certificate

> [error] mod_ibm_ldap: Invalid version in stash file 'C:/Program Files/IBM/HTTPServer/key.sth'
> Syntax error on line 312 of C:/Program Files/IBM/HTTPServer/conf/httpd.conf:
> unable to recover keyfile password from stash file
> Note the errors or messages above, and press the <ESC> key to exit

> and in my ldap.prop file the only things I edited were...


>
> ldap.key.fileName=C:/Program Files/IBM/HTTPServer/key.kdb
>
> ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/key.sth


For some bizarre reason, mod_ibm_ldap wants you to use ldapstash.exe to
stash your password to a file instead of allowing the native Ikeyman
stash file to be used.


When you use ldapstash to create something, don't name it *.sth

Your problem may be you're blowing away the gskit/ikeyman .sth file w/
ldapstash.exe, but your IBMSSL config wants the gskit/ikeyman version.

Eric Covener
Jul 29, 2007, 4:41:57 PM
mgr...@au1.ibm.com wrote:
> Hi,
>
> I think I fixed my problem; I get no CMD window errors and my error log is...
>
> [Sat Jul 28 23:56:47 2007] [notice] IBM_HTTP_Server/6.1 Apache/2.0.47 configured -- resuming normal operations
> [Sat Jul 28 23:56:47 2007] [notice] Server built: Apr 20 2006 07:40:55
> [Sat Jul 28 23:56:47 2007] [notice] Parent: Created child process 4880
> [Sat Jul 28 23:56:49 2007] [notice] Child 4880: Child process is running
> [Sat Jul 28 23:56:49 2007] [notice] Child 4880: Acquired the start mutex.
> [Sat Jul 28 23:56:49 2007] [notice] Child 4880: Starting 250 worker threads.
>
> What I did was...
>
> 1) used /httpserver/bin/ldapstash.exe and created "ldapstashkey.sth" (using the same password I used to create my iKEYMAN key management database); then
>
> 2) changed my ldap.prop file and replaced...
>
> ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/key.sth
>
> with
>
> ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/ldapstashkey.sth
>
> (the keyfile I created with ldapstash.exe).
>
> Tell me this is correct?


Oops, I should have read ahead. This is basically what I just replied to
your previous message. This is correct and doesn't clobber the
gskit/ikeyman "stash" file.
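A configuration check, added here as an example and not code from the thread or from IHS, that applies Eric's point: it reads KeyFile from httpd.conf and ldap.key.file.password.stashFile from ldap.prop and flags when the ldapstash output path is the very file GSKit expects ikeyman to have stashed. It assumes GSKit looks for the stash beside the .kdb under the same base name with a .sth extension, as the key.kdb/key.sth pair above shows; the sample config strings are constructed from the paths quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples that mirror the paths quoted in this thread.
HTTPD_CONF = """
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
KeyFile "C:/Program Files/IBM/HTTPServer/key.kdb"
LDAPConfigFile "C:/Program Files/IBM/HTTPServer/conf/ldap.prop"
"""
LDAP_PROP_BEFORE = """
ldap.key.fileName=C:/Program Files/IBM/HTTPServer/key.kdb
ldap.key.file.password.stashFile=C:/Program Files/IBM/HTTPServer/key.sth
"""
LDAP_PROP_AFTER = LDAP_PROP_BEFORE.replace("/key.sth", "/ldapstashkey.sth")

_KEYFILE_RE = re.compile(r'^\s*KeyFile\s+"?([^"\n]+?)"?\s*$', re.I | re.M)
_STASH_RE = re.compile(r"^\s*ldap\.key\.file\.password\.stashFile\s*=\s*(.+?)\s*$", re.M)


def _norm(path):
    # Windows paths: compare case-insensitively and with one separator style.
    return str(PureWindowsPath(path)).lower()


def gskit_stash_for(keyfile):
    # Assumption: GSKit/ikeyman keeps the stash beside the .kdb under the same
    # base name with a .sth extension (key.kdb -> key.sth, as in the thread).
    return str(PureWindowsPath(keyfile).with_suffix(".sth"))


def check_stash_collision(httpd_conf, ldap_prop):
    """Return (keyfile, gskit_stash, ldap_stash, collides).

    collides is True when the stash path given to mod_ibm_ldap is the file
    GSKit expects ikeyman to have written, so running ldapstash.exe on that
    path would clobber the SSL stash and break KeyFile at startup.
    """
    key_m = _KEYFILE_RE.search(httpd_conf)
    stash_m = _STASH_RE.search(ldap_prop)
    if not key_m or not stash_m:
        raise ValueError("KeyFile or ldap.key.file.password.stashFile missing")
    keyfile, ldap_stash = key_m.group(1), stash_m.group(1)
    gskit_stash = gskit_stash_for(keyfile)
    return keyfile, gskit_stash, ldap_stash, _norm(gskit_stash) == _norm(ldap_stash)


if __name__ == "__main__":
    for label, prop in (("before", LDAP_PROP_BEFORE), ("after", LDAP_PROP_AFTER)):
        _, gskit, ldap, clash = check_stash_collision(HTTPD_CONF, prop)
        verdict = "CLASH: ldapstash output overwrites GSKit stash" if clash else "ok"
        print(f"{label}: gskit={gskit} ldap={ldap} -> {verdict}")
```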
