HCL SW Blogs
Any communication that needs to be secured between two applications connecting over a network can be transmitted using the Secure Sockets Layer (SSL) protocol.

SSL provides secure connections by:

  • Allowing an application to authenticate the identity of another application
  • Using a private key to encrypt and decrypt data transferred over the SSL connection

URLs that connect using SSL start with HTTPS instead of HTTP. When processes communicate with each other, the process making a request acts as the client and the process responding to a request acts as the server. For complete security, SSL should be implemented for all forms of communication with IBM EMM products.

In Unica, campaign architecture involves two ways of SSL communication as mentioned below:

  1. The browser acts as the client and the application server acts as the server
  2. The application server acts as the client and the Campaign listener acts as the server

For the SSL communication to succeed, the certificates need to be exchanged between WebSphere and the Campaign listener. Here are the steps you can follow to configure SSL in v10.1 and later releases. As Gsk8 is introduced from this release, there are some changes in configuring SSL compared with the prior version.

High-Level Steps:

A. Generate Campaign certificates with IBM GSKIT Certificate
B. Generate JAVA Certificates
C. Exchange IBM Campaign GSKIT Certificates with JAVA Certificates
D. Configure SSL Certificates in WebSphere and WebLogic application Server
E. Configure settings in CAMPAIGN_HOME/conf/config.xml
F. Configure SSL Certificates in WebSphere Application Server (please refer to the document: SSL_Configuration for IBM Campaign Part-II)

Step A: How to Generate SSL certificates with IBM GSK8:
1. Create and initialize a new key database
Navigate to C:\Program Files\IBM\gsk8\bin and execute the command below. After the command runs, the certificate file is generated, as shown in Image 1.1:
gsk8capicmd_64 -keydb -create -populate -db Campaign.kdb -pw password -stash

[Image 1.1: initialize a new key database]

2. Generate a self-signed certificate and store it in the key database. Navigate to C:\Program Files\IBM\gsk8\bin and execute the command below. Make sure to use organization-specific details in the required places:
gsk8capicmd_64 -cert -create -db Campaign.kdb -dn "CN=userid,O=,C=" -expire 3650 -pw password -size 1024 -label username -default_cert yes
This command adds the self-signed certificate to the existing kdb file. Note the size and timestamp change in Image 1.2 (below).

[Image 1.2: Generate a self-signed certificate]

3. For the clients to trust a certificate, its public part needs to be distributed to the clients and stored in their key databases.

Extract the public part to a file using the following command:
Navigate to C:\Program Files\IBM\gsk8\bin and execute the command below:
gsk8capicmd_64 -cert -extract -db Campaign.kdb -stashed -label username -target Campaigncert.arm
Note: You can see the generated Campaigncert.arm file in Image 1.3.

[Image 1.3: trust a certificate]

Step B: How to Generate JAVA Certificates:
1. Generate Platform Identity Certificate.
Navigate to C:\IBMv10\jre\bin and execute the command below:
keytool -genkey -alias PlatformClientIdentity -keyalg RSA -keystore PlatformClientIdentity.jks -keypass password -validity 3650 -dname "CN=userid" -storepass password
Note: This command generates the PlatformClientIdentity.jks file. Refer to Image 2.1.

[Image 2.1: Generate JAVA Certificates]

2. Export the certificate from the PlatformClientIdentity keystore into a file, say PlatformCertificate.cer:
keytool -export -keystore PlatformClientIdentity.jks -storepass password -alias PlatformClientIdentity -file PlatformCertificate.cer
Result of the command: the certificate is stored in the file; refer to Image 2.2.

[Image 2.2: PlatformClientIdentity keystore]

3. Import the certificate you exported into Platform Trust Key (PlatformTrust.jks)

Navigate to C:\IBMv10\jre\bin and execute the command below:

keytool -import -alias PlatformClientIdentity -file PlatformCertificate.cer -keystore PlatformTrust.jks -storepass password
    Owner: CN=userid
    Issuer: CN=userid
    Serial number: 33f3123d
    Valid from: 9/29/18 9:58 PM until: 9/26/28 9:58 PM
    Certificate fingerprints:
    MD5:  5B:35:45:59:E3:76:69:70:8C:95:91:06:9C:46:53:00
    SHA1: 8A:A1:F2:B4:B8:57:BF:56:0E:30:E0:12:D0:CB:48:8F:FD:32:80:7C
    SHA256: 8B:E1:D5:AA:11:28:48:46:F2:C9:D8:0B:4E:A3:A9:36:F5:55:CD:0D:96:D8:78:64:82:7F:BE:F2:D2:93:A6:3C
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 35 38 f1 3d c2 6e 18 7e  7c e1 dd d0 08 b9 77 ec  58...n........w.
    0010: 40 65 d4 2b                                        .e..
    ]
    ]
    Trust this certificate? [no]:  yes

PlatformTrust.jks is updated with PlatformCertificate.cer; refer to Image 2.3.

[Image 2.3: PlatformCertificate]

Step C: Exchange Certificates In between Campaign and platform

  1. Navigate to C:\IBMv10\jre\bin and execute the command below:

keytool -import -file "C:\Program Files\IBM\gsk8\bin\Campaigncert.arm" -alias listenerkey2 -keystore "C:\IBMv10\jre\bin\PlatformClientIdentity.jks"
    Enter keystore password: <password>
    Owner: CN=userid
    Issuer: CN=userid
    Serial number: 4456064c49f85fdc
    Valid from: 9/28/18 9:41 PM until: 9/26/28 9:41 PM
    Certificate fingerprints:
    MD5:  09:5E:B0:86:9B:25:36:94:F0:31:BC:E0:C0:3F:54:61
    SHA1: 5C:62:74:24:D7:E8:FE:A3:29:81:0B:48:CF:6F:11:73:8B:8A:87:E6
    SHA256: C7:03:F6:25:00:7F:F4:32:4B:0C:F4:57:43:E4:D2:10:06:B7:5D:DB:F1:4E:CD:91:6D:6A:7D:68:29:4B:B2:DA
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    Trust this certificate? [no]:  yes

The result of the command is that the certificate is added to the keystore; refer to Image 3.1.

[Image 3.1: Platform Client Identity]

  2. Navigate to C:\IBMv10\jre\bin and execute the command below:

keytool -import -file "C:\Program Files\IBM\gsk8\bin\Campaigncert.arm" -alias listenerkey2 -keystore "C:\IBMv10\jre\bin\PlatformTrust.jks"
    Enter keystore password: <password>
    Owner: CN=ndhabale
    Issuer: CN=ndhabale
    Serial number: 4456064c49f85fdc
    Valid from: 9/28/18 9:41 PM until: 9/26/28 9:41 PM
    Certificate fingerprints:
    MD5:  09:5E:B0:86:9B:25:36:94:F0:31:BC:E0:C0:3F:54:61
    SHA1: 5C:62:74:24:D7:E8:FE:A3:29:81:0B:48:CF:6F:11:73:8B:8A:87:E6
    SHA256: C7:03:F6:25:00:7F:F4:32:4B:0C:F4:57:43:E4:D2:10:06:B7:5D:DB:F1:4E:CD:91:6D:6A:7D:68:29:4B:B2:DA
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    Trust this certificate? [no]:  yes

The result of the command is that the certificate is added to the keystore.

[Image: Platform Trust Keys]

  3. Navigate to C:\Program Files\IBM\gsk8\bin and execute the command below:

gsk8capicmd_64 -cert -add -db Campaign.kdb -stashed -label PlatformClientIdentity -file "C:\IBMv10\jre\bin\PlatformCertificate.cer"

The result of the command is that PlatformCertificate is added to Campaign.kdb; refer to Image 3.3.

[Image 3.3: PlatformCertificate in Campaign.kdb]

Step D: Import JAVA Certificate and Campaign GSKIT Certificate in Application Server Java Trust Keystore.

1. Import the PlatformCertificate.cer certificate into the Application Server Java Trust Keystore.

C:\IBMv10\jre\bin>keytool -import -file "C:\IBMv10\jre\bin\PlatformCertificate.cer" -alias platformkey2 -keystore "%WAS_HOME%\AppServer\java\jre\lib\security\cacerts"
    Enter keystore password:
    Owner: CN=userid
    Issuer: CN=userid
    Serial number: 33f3123d
    Valid from: 9/29/18 9:58 PM until: 9/26/28 9:58 PM
    Certificate fingerprints:
    MD5:  5B:35:45:59:E3:76:69:70:8C:95:91:06:9C:46:53:00
    SHA1: 8A:A1:F2:B4:B8:57:BF:56:0E:30:E0:12:D0:CB:48:8F:FD:32:80:7C
    SHA256: 8B:E1:D5:AA:11:28:48:46:F2:C9:D8:0B:4E:A3:A9:36:F5:55:CD:0D:96:D8:78:64:82:7F:BE:F2:D2:93:A6:3C
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 35 38 f1 3d c2 6e 18 7e  7c e1 dd d0 08 b9 77 ec  58...n........w.
    0010: 40 65 d4 2b                                        .e..
    ]
    ]
    Trust this certificate? [no]:  yes

The result of the command is that the certificate is added to the keystore; refer to Image 4.1.

[Image 4.1: cacerts]

2. Import the Campaign GSK8 certificate into the Application Server Java Trust Keystore.

C:\IBMv10\jre\bin>keytool -import -file "C:\Program Files\IBM\gsk8\bin\Campaigncert.arm" -alias CampaignListener1 -keystore "C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts"
    Enter keystore password:
    Owner: CN=userid
    Issuer: CN=userid
    Serial number: 4456064c49f85fdc
    Valid from: 9/28/18 9:41 PM until: 9/26/28 9:41 PM
    Certificate fingerprints:
    MD5:  09:5E:B0:86:9B:25:36:94:F0:31:BC:E0:C0:3F:54:61
    SHA1: 5C:62:74:24:D7:E8:FE:A3:29:81:0B:48:CF:6F:11:73:8B:8A:87:E6
    SHA256: C7:03:F6:25:00:7F:F4:32:4B:0C:F4:57:43:E4:D2:10:06:B7:5D:DB:F1:4E:CD:91:6D:6A:7D:68:29:4B:B2:DA
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1e 55 72 b6 f8 95 c9 04  98 96 7f 4a c5 56 6d fb  .Ur........J.Vm.
    0010: 73 c8 db 40                                        s...
    ]
    ]
    Trust this certificate? [no]:  yes

The result of the command is that the certificate is added to the keystore; refer to Image 4.2.

[Image 4.2: SSL cacerts]
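
Each keytool -import above ends with "Trust this certificate?", and the fingerprints printed just before that prompt are what identify the certificate being trusted. The following Python sketch is an added example, not part of the original post or of any IBM/HCL tooling: it parses that prompt text, compares the SHA256 fingerprint with a value obtained separately on the host that generated the certificate, and flags certificates signed with SHA-1 or MD5, as the Campaign listener certificate in this walkthrough is. The function names and the abridged sample prompt are assumptions made for the example.

```python
import re

# Hash functions that should no longer be used to sign certificates.
WEAK_SIG = re.compile(r"^(MD2|MD5|SHA1)with", re.IGNORECASE)
WANTED = ("Owner", "Issuer", "SHA256", "Signature algorithm name")

def parse_trust_prompt(text):
    """Extract the fields worth checking from keytool's import prompt."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in WANTED:
            fields[key] = value.strip()
    return fields

def normalize_fp(fp):
    """Reduce a fingerprint to lowercase hex so different formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def review_import(prompt_text, expected_sha256):
    """Return findings; an empty list means the prompt matches expectations."""
    cert = parse_trust_prompt(prompt_text)
    findings = []
    shown = normalize_fp(cert.get("SHA256", ""))
    if len(shown) != 64:
        findings.append("no SHA256 fingerprint in keytool output")
    elif shown != normalize_fp(expected_sha256):
        findings.append("SHA256 fingerprint mismatch: do not answer yes")
    sig = cert.get("Signature algorithm name", "")
    if WEAK_SIG.match(sig):
        findings.append(f"weak signature algorithm: {sig}")
    return findings

# Constructed sample input, abridged from the keytool output shown on this page.
LISTENER_FP = "C7:03:F6:25:00:7F:F4:32:4B:0C:F4:57:43:E4:D2:10:06:B7:5D:DB:F1:4E:CD:91:6D:6A:7D:68:29:4B:B2:DA"
PLATFORM_FP = "8B:E1:D5:AA:11:28:48:46:F2:C9:D8:0B:4E:A3:A9:36:F5:55:CD:0D:96:D8:78:64:82:7F:BE:F2:D2:93:A6:3C"

def sample_prompt(fp, sig_alg):
    """Build an abridged keytool trust prompt (constructed, not captured)."""
    return ("Owner: CN=userid\nIssuer: CN=userid\nCertificate fingerprints:\n"
            f"SHA256: {fp}\nSignature algorithm name: {sig_alg}\nVersion: 3\n")

if __name__ == "__main__":
    # Expected values would come from the host that generated each certificate.
    print(review_import(sample_prompt(LISTENER_FP, "SHA1withRSA"), LISTENER_FP))
    print(review_import(sample_prompt(PLATFORM_FP, "SHA256withRSA"), PLATFORM_FP))
```

The expected fingerprint can be read on the source host with keytool -printcert -file followed by the certificate file, and passed to review_import in any hex format.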

Step E: Configure settings in CAMPAIGN_HOME/conf/config.xml:
Update Campaign to use the SSL configuration as below:
1. Open Campaign/conf/config.xml
2. Set "unicaServerSSLFile" = campaign.kdb
Set "unicaServerSSLFilePwd" = the stash password file generated while executing the command that created the key database (/opt/IBM/MarketingSoftware10/Campaign/bin/Campaign.sth)
3. Save the changes
For the further steps, see Part II of the blog.