If you are using HTTPS, this key file must be renewed!!
How to check the expiry date
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS
Validity: Friday, 27 April 2012 00:20:31 AM 대한민국 표준시
Changing the password and the expiry date
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -changepw -db C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash
Verifying the changed expiry date
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS
Validity: Sunday, 17 April 2022 17:47:30 PM 대한민국 표준시
------------ AIX -------
root [/]#find . -name gsk7capicmd -print
./usr/bin/gsk7capicmd
./usr/opt/ibm/gskta/bin/gsk7capicmd
root [/]#cd /usr/bin
root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver1/plugin-key.kdb" -pw WebAS
Validity: Friday, 27 April 2012 00:20:31 AM KORST
root [/usr/bin]#gsk7capicmd -keydb -changepw -db /IBM/Plugins/config/webserver2/plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash
root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver2/plugin-key.kdb" -pw WebAS1
Validity: Thursday, 21 April 2022 13:12:40 PM KORST
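The sessions above query one store at a time. As an added example (not from this post or from IBM), the following Python script wraps the same gsk7capicmd -keydb -expiry call, parses the Validity line and classifies each store as ok, expiring, expired or unknown, so all plug-in key stores on a host can be checked in one pass; the store paths, the sample output and the webserver3 store are constructed, and the password is passed with -pw exactly as on the page.

```python
import re
import subprocess
from datetime import datetime

# GSKit "Validity:" line: weekday, day, English month, year, then a 24-hour clock
# with a redundant AM/PM marker ("17:47:30 PM") and a zone name. Marker and zone
# are ignored: the zone is printed in the local language (EDT, KORST, a localized
# string) and is not reliably parseable, so the result is a naive local time.
_VALIDITY_RE = re.compile(r"Validity:\s*[A-Za-z]+,\s*(\d{1,2})\s+([A-Za-z]+)\s+"
                          r"(\d{4})\s+(\d{1,2}):(\d{2}):(\d{2})")

def parse_validity(line):
    """Expiry as a naive datetime, or None if this is not a Validity line."""
    m = _VALIDITY_RE.search(line)
    if not m:
        return None
    day, month, year, hh, mm, ss = m.groups()
    return datetime.strptime(f"{day} {month} {year} {hh}:{mm}:{ss}", "%d %B %Y %H:%M:%S")

def expiry_command(gsk_bin, db_path, password):
    # Same invocation as on the page; -pw exposes the password in the process list.
    return [gsk_bin, "-keydb", "-expiry", "-db", db_path, "-pw", password]

def check_keydb(gsk_bin, db_path, password, now, warn_days=30, run=subprocess.run):
    """Query one .kdb and classify it: 'ok', 'expiring', 'expired' or 'unknown'.
    'unknown' (no Validity line: wrong password, old GSKit, or a never-expiring
    password) is reported rather than silently treated as fine."""
    proc = run(expiry_command(gsk_bin, db_path, password), capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        exp = parse_validity(line)
        if exp is None:
            continue
        left = (exp - now).total_seconds() / 86400.0
        if left < 0:
            return "expired", f"{db_path}: expired {exp}"
        return ("expiring" if left <= warn_days else "ok", f"{db_path}: {left:.0f} days left")
    return "unknown", f"{db_path}: no Validity line (rc={proc.returncode})"

# Constructed sample output modelled on the page's lines; the third store is
# constructed to print nothing parseable, so demo() runs without GSKit installed.
SAMPLE_OUTPUT = {
    "/IBM/Plugins/config/webserver1/plugin-key.kdb":
        "Validity: Friday, 27 April 2012 00:20:31 AM KORST\n",
    "/IBM/Plugins/config/webserver2/plugin-key.kdb":
        "Validity: Thursday, 21 April 2022 13:12:40 PM KORST\n",
    "/IBM/Plugins/config/webserver3/plugin-key.kdb": "",
}

def demo(now_iso="2012-04-20T00:00:00"):
    """Offline run against SAMPLE_OUTPUT; returns {db_path: status}."""
    def fake_run(argv, **kwargs):
        db_path = argv[argv.index("-db") + 1]
        return subprocess.CompletedProcess(argv, 0, SAMPLE_OUTPUT[db_path], "")
    now = datetime.fromisoformat(now_iso)
    return {p: check_keydb("gsk7capicmd", p, "WebAS", now, run=fake_run)[0] for p in SAMPLE_OUTPUT}
```

With the default `run=subprocess.run` and your own store paths, check_keydb executes the real command; demo() only exercises the parser against the constructed output.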
============================== Original text ===================================
Password to the plugin-key.kdb file expires on April 26, 2012 US EDT
Abstract
The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. This file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.
CVE-2012-2162
A majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this failure.
Versions affected:
All versions of WebSphere Application Server for Distributed, IBM i, and z/OS operating systems (for example, Version 8.0 and earlier) have the potential to be affected.
- Note: Versions 6.0 and earlier are no longer in service. The purchase of a support extension might be required, if additional assistance is needed, unless you are otherwise entitled to support.
Problem Description:
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74900 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
The following is the description of the mode of failure that will occur after the plug-in's key store password expiration date; however, it ONLY applies to users with affected web servers who have NOT taken the prescribed action.
The WebSphere Application Server web server plug-in (web server plug-in) comes with a plugin-key.kdb file upon installation. The default password of WebAS is set to expire by April 26, 2012 US EDT.
- Note: This is a separate issue, with different assessment required, from the previously posted flash titled "WebSphere Plugin personal certificate expiration issue", posted on February 6, 2012.
After the password expiration date passes, the next time the web server running the web server plug-in is restarted, or the next time the plugin-cfg.xml is modified, the HTTPS (SSL) connectivity between the web server plug-in and the WebSphere Application Server might fail or revert to a non-SSL function and will not be encrypted.
This has no effect on the connection between the client (browser) and the web server, which does not use the plugin-key.kdb for its certificate exchange. Only connections between the web server plug-in and the WebSphere Application Server will have the problem. For systems that use this file for their web server security, corrective action will need to be taken as outlined in this Flash.
In some less common configurations, in which HTTP transports have been explicitly disabled, blocked, or removed, the web server plug-in will fail to forward the incoming requests, returning an immediate error (HTTP 500 -- Internal Server Error).
Solution:
The following section describes how to correct the expiring password problem if you are running WebSphere Application Server on a distributed operating system. If you are running WebSphere Application Server on a z/OS or IBM i operating system, refer to the FAQ section of this Flash for a description of how to correct the expiring password problem for those environments.
For IBM HTTP Server Versions 7.0 and 8.0, to determine if the password being used on your system expires on April 26, 2012, launch the HTTP Server iKeyman, and load the plugin-key.kdb file from either of the two previously mentioned directory locations.
..... skip....
=================================================================
For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to determine if the password being used on your system expires on April 26, 2012. This command is located in your [gsk_root]/bin directory.
gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS
The resulting output indicates the expiration date for the password. For example, the following output indicates that the password expires on April 26, 2012 at 11:20:31 AM EDT:
Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time
Issue a gsk7 command, similar to the following command, to change the password that is expiring:
gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin-key.kdb
If you want the new password to expire after a specific number of days, add -expire to the gsk7capicmd command line and specify the number of days for which you want the new password to be valid.
Note 1: IMPORTANT: Setting the -expire parameter to 0 means that the password associated with the key database does not expire.
Note 2: GSKit versions prior to 7.0.3.17 do not recognize the -expire parameter. If you are using one of these prior GSKit versions, you must upgrade to the latest GSKit 7.0.4.x version.
- Fix Pack 17 for IHS V6.1 (V6.1.0.17) and Fix Pack 27 for IHS V6.0.2 (V6.0.2.27) can upgrade the GSKit to V7.0.4.14
http://www.ibm.com/support/docview.wss?uid=swg27008517#61017
http://www.ibm.com/support/docview.wss?uid=swg27007033#60227
Or the customer can upgrade their system wide GSKit from the link in the following page.
http://www.ibm.com/support/docview.wss?uid=swg24026884
Note 3: There is a behavior difference between GSKit 7.0.3.x and 7.0.4.x when using these commands. Leaving the -expire off when using GSKit 7.0.4 results in a password that never expires. Leaving the -expire off when using GSKit versions prior to 7.0.3.17 results in a password expiring in one year. Leaving the -expire off when using GSKit versions equal to and later than 7.0.3.17 results in a password that never expires.
Note 4: GSKit Versions 7.0.3.9 and earlier do not recognize the -new_pw parameter. Instead, you will be prompted for the new password and then asked to confirm the new password.
Frequently asked questions (FAQs):
Q: What happens if I do nothing?
A: You might not notice anything on April 26, 2012, but after the web server is restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the web server plug-in will fail to initialize the HTTPS transports. The plug-in will rely on HTTP (non-ssl) transports to communicate to the WebSphere Application Server, and the plug-in log will contain error messages similar to the following messages:
- ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
- ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security
Q: Can I use the same password?
A: You cannot supply the existing password and tell it to change it to that same one. You must specify a new password.
Q: What if I find the password problem within my plug-in from WebSphere Application Server Version 4.0.x?
A: The plug-in from WebSphere Application Server Version 4.0 used GSKit Version 5. You can use the gsk5ikm GUI to change the password or use the gsk5cmd to alter the password. If it's more convenient, you can backup and copy the kdb file to a GSKit 7.0.4 environment and use the tools there to change the password.
Q: How do I correct the password problem if I am running on z/OS?
A: You can use the z/OS gskkyman utility. To use this utility to display the expiration date, issue a command similar to the following command:
gskkyman -dk -k plugin-key.kdb
To fix the expiration date, you must complete the following steps, which include changing the password:
- Navigate to the location of the plugin-key.kdb file.
- Enter gskkyman.
- From the menu provided, choose option "3 - Change database password".
- Prompt: "Enter key database name (press ENTER to return to menu):" (Enter plugin-key.kdb).
- Prompt: "Enter database password (press ENTER to return to menu):" (Enter WebAS).
- Prompt: "Enter new database password (press ENTER to return to menu):" (Enter your new password).
- Prompt: "Re-enter database password:" (Re-enter the password).
- Prompt: "Enter password expiration in days (press ENTER for no expiration):" (decide if you want this password to expire).
gskkyman -s -k plugin-key.kdb
A: IBM i provides a utility called Digital Certificate Manager. This tool can be used to change the password, but it does not provide a means to view the expire value.
To view the password expiration value, copy the plugin-key.kdb file to a distributed environment, such as Microsoft Windows, and use either iKeyman or gsk7capicmd utilities previously described in this Flash.
To change the password, complete one of the following actions.
If you are running on IBM i V5R4, complete the following steps:
- Start the HTTP Admin server if it is not already running:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
- In the browser, enter the following:
machine:2001 (enter credentials)
- Click Digital Certificate Manager.
- Click Select a certificate store.
- Select Other system certificate store, and then click Continue.
- Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
- Click Reset password.
- Enter the new password, confirm the new password, and then take the default options:
  - Automatic login
  - Password does not expire
- Click Continue.
- Start the HTTP Admin server if it is not already running:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
- In the browser, enter the following:
machine:2001 (enter credentials)
- Expand IBM i management and click Internet Configurations.
- Click Digital Certificate Manager.
- Click Select a certificate store.
- Select Other System Certificate Store, and then click Continue.
- Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
- Click Reset password.
- Enter the new password, confirm the new password, and then take the default options:
  - Automatic login
  - Password does not expire
- Click Continue.
Change History
3/23/2012: Flash published
4/13/2012: FAQs added
4/16/2012: Added information to alert customers that only HTTP transports will be used if SSL stops working. Added additional content for z/OS and iSeries within FAQ.