Get client keystore and public SSL certificate using REST API

In IBM® Db2® Event Store, you can use REST APIs to return the client keystore file, the client keystore password and the public SSL certificate.

About this task

IBM Db2 Event Store uses SSL authentication by default. The SSL authentication in Db2 Event Store requires all external traffic to provide the public SSL certificate, which is recognized by the engine's SSL certificate key database. Db2 Event Store, through the REST server, uses REST APIs to return the client keystore file, the client keystore password and the public SSL certificate. Using the ConfigurationReader in Db2 Event Store, the client can pick up the client keystore and keystore password information, provided by the REST APIs, to establish the SSL connection with the engine.

Note: If you have replaced the default SSL certificate with your own SSL certificate, the REST API will not return the client keystore password by default. You can allow the REST API to return the user-provided SSL certificate by issuing the command explicitly. For more information, refer to User-provided SSL certificate.

Procedure

  1. Obtain the client keystore and keystore password
    1. Download the jq binary
      wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
      
      chmod +x jq
      
      mv jq /usr/local/bin/
    2. Get the client keystore file and client keystore password with the REST API.
  2. For Db2 Event Store in an IBM Cloud Pak for Data deployment, you will have to provide the target deployment ID:
    Note: For information on how to find the target deployment ID, refer to Identifying the deployment ID of Db2 Event Store in an IBM Cloud Pak for Data deployment.
    1. Define the target deployment ID. For example, DEPLOYMENT_ID=db2eventstore-1557417655:
      DEPLOYMENT_ID=<target deployment ID>
    2. Set the NAMESPACE variable to the namespace (also called an OpenShift project) that Db2 Event Store was installed in. The default is zen. If you installed Db2 Event Store into a different namespace, use that name instead of zen.
      NAMESPACE=zen
    3. Get the REST_SERVER_ENDPOINT by running the following command:
      REST_SERVER_ENDPOINT=`oc get route ${NAMESPACE}-cpd -n ${NAMESPACE} -o jsonpath={.spec.host}`
    4. Validate that the REST_SERVER_ENDPOINT command worked by entering the following command:
      echo $REST_SERVER_ENDPOINT
      The output should look like:
      zen-cpd-zen.apps.stroud-eventstore-2.cp.fyre.ibm.com
    5. Get the bearerToken, replacing admin:password with a valid user ID and the password for that user ID, such as eventstoreuser:eventstorepassw0rd. For example:
      bearerToken=`curl -k -X GET https://${REST_SERVER_ENDPOINT}/v1/preauth/validateAuth -u admin:password | jq -r '.accessToken'`
    6. Validate that the bearerToken command worked by entering the following command:
      echo $bearerToken
      The output should look like:
      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluIiwicGVybWlzc2lvbnMiOlsiYWRtaW5pc3RyYXRvciIsImNhbl9wcm92aXNpb24iXSwiZ3JvdXBzIjpbMTAwMDBdLCJzdWIiOiJhZG1pbiIsImlzcyI6IktOT1hTU08iLCJhdWQiOiJEU1giLCJ1aWQiOiIxMDAwMzMwOTk5IiwiYXV0aGVudGljYXRvciI6ImRlZmF1bHQiLCJpYXQiOjE2MjI1ODM4MzQsImV4cCI6MTYyMjYyNjk5OH0.Zt097GDn7S7ylimjiAKHuSq_N8VLHLCp9B1HZ0C1nmxBptrPc0We6xq9BZMe9SObfVTxuTetNF1cB2NCvNVzSQxIfAVqEkorJp7By8ijcbQkFWWvnLWwhYv2TzJh3iFpwvCqnyJBZkhnGIIljlVi3KfJz32mBK1JhqLqyzJfsgJAGNHp9idJjZjlRMdwS5JDXF6N9Pt1IlTa3GZ2pweWMO6NyBGyKQTAl239g6Zaxhy7JxrlOUbjZWRJzzogVVggllwD-DZ9EMyi9NUtw4yKjUTsD98wH2vbv3OQW_HHP5laGwUaV68bwxXRaFFIsUuJ57CULBC2PN-FqR-qvIZ2Ew
    7. Get the clientkeystore password by running:
      echo $(curl -k -i -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/keystore_password" | tail -1)
      Note: If the default SSL certificate is replaced by a user-supplied SSL certificate, the REST API will not return the client keystore password.
      The output of the keystore password command should look like:
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      100    12  100    12    0     0    461      0 --:--:-- --:--:-- --:--:--   461
      wcm8nc4xY2QH
      The client keystore password is the last line of the output; in this example it is wcm8nc4xY2QH.
    8. Get the clientkeystore file by running:
      curl -k -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/keystore" -o clientkeystore
      This creates a file called clientkeystore on your local filesystem. The file is binary and not human readable; step 11 shows how to inspect it with both the keytool and OpenSSL commands.
    9. Get the public SSL certificate file by running the following command:
      curl -k -X GET -H "authorization: Bearer $bearerToken" "https://${REST_SERVER_ENDPOINT}/icp4data-databases/${DEPLOYMENT_ID}/zen/com/ibm/event/api/v1/oltp/certificate" -o eventstore.pem
      This command creates a file on your local filesystem called eventstore.pem.
    10. Validate the public SSL certificate by running the following command:
      cat eventstore.pem
      The output should look like:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    11. Validate the clientkeystore keystore file. There are two ways to accomplish this.
      1. The first approach uses the keytool command which comes with the Java Runtime Environment (JRE). If the keytool command is not found, run this command:
        yum install -y java
        This will install Java and its accompanying keytool command.
        1. Run the keytool command:
          keytool -list -rfc -keystore clientkeystore -storepass <clientstore_password>
          Where <clientstore_password> is the value of the clientstore password obtained previously. A successful output of this command should look like:
          Keystore type: PKCS12
          Keystore provider: SUN
          
          Your keystore contains 2 entries
          
          Alias name: client
          Creation date: Sep 13, 2021
          Entry type: PrivateKeyEntry
          Certificate chain length: 1
          Certificate[1]:
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          
          
          *******************************************
          *******************************************
          
          
          Alias name: sslcert
          Creation date: Sep 24, 2021
          Entry type: trustedCertEntry
          
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          
          
          *******************************************
          *******************************************
          
          
          
          Warning:
          <sslcert> uses a 1024-bit RSA key which is considered a security risk and is disabled.
      2. The second approach uses the OpenSSL command on a Linux system.
        1. Install OpenSSL with this command:
          sudo yum install -y openssl
        2. Run the following command:
          openssl pkcs12 -nokeys -info -in clientkeystore -passin pass:<clientstore_password>
          Where <clientstore_password> is the value of the clientstore password obtained previously. A successful output of this command should look like:
          MAC: sha1, Iteration 100000
          MAC length: 20, salt length: 20
          PKCS7 Data
          Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
          PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
          Certificate bag
          Bag Attributes
              friendlyName: client
              localKeyID: 54 69 6D 65 20 31 36 33 31 35 37 39 30 34 37 39 38 32 
          subject=O = ibm, CN = xyz.com
          
          issuer=O = ibm, CN = xyz.com
          
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          Certificate bag
          Bag Attributes
              friendlyName: SSLCert
              2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
          subject=O = ibm, CN = xyz.com
          
          issuer=O = ibm, CN = xyz.com
          
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
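The retrieval steps above collected into a small POSIX shell script, added here as an example and not taken from the IBM documentation. It assumes the endpoint layout shown on this page; the host, deployment ID, token and output directory are caller-supplied placeholders, and only es_fetch_artifacts needs network access. Unlike the page's commands it refuses to continue silently when the keystore password endpoint returns an empty body, and it keeps the token and password out of echo and the shell history.

```shell
#!/bin/sh
# Added example (not IBM's code): the artifact-fetch steps as functions.
set -eu

# Build the URL of one of the three artifact endpoints used on this page.
# Usage: es_url <rest server host> <deployment id> <keystore_password|keystore|certificate>
es_url() {
  case "$3" in
    keystore_password|keystore|certificate) ;;
    *) echo "es_url: unknown artifact '$3'" >&2; return 1 ;;
  esac
  printf 'https://%s/icp4data-databases/%s/zen/com/ibm/event/api/v1/oltp/%s\n' "$1" "$2" "$3"
}

# Read a 'curl -i' response (headers, blank line, body) on stdin and print the
# last non-empty body line, like the page's 'tail -1'. A plain body without a
# status line is accepted too. An empty body, which is what a user-supplied
# SSL certificate produces, is reported as an error instead of silence.
es_password_from_response() {
  pw=$(tr -d '\r' | awk '
    NR == 1 && $0 !~ "^HTTP/" { body = 1 }
    body && NF                { last = $0 }
    !body && /^$/             { body = 1 }
    END                       { print last }')
  if [ -z "$pw" ]; then
    echo "keystore password not returned (user-provided SSL certificate?)" >&2
    return 1
  fi
  printf '%s\n' "$pw"
}

# Number of PEM certificate blocks in a file; eventstore.pem should hold exactly one.
es_pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch keystore, certificate and keystore password into a directory only the
# caller can read. Needs network access; uses -k like the page, and the token
# travels in a header rather than through echo and the shell history.
es_fetch_artifacts() {
  host=$1; dep=$2; token=$3; dir=$4
  mkdir -p "$dir" && chmod 700 "$dir"
  curl -ksf -H "authorization: Bearer $token" "$(es_url "$host" "$dep" keystore)" -o "$dir/clientkeystore"
  curl -ksf -H "authorization: Bearer $token" "$(es_url "$host" "$dep" certificate)" -o "$dir/eventstore.pem"
  curl -ksf -i -H "authorization: Bearer $token" "$(es_url "$host" "$dep" keystore_password)" \
    | es_password_from_response > "$dir/clientkeystore.password"
  chmod 600 "$dir/clientkeystore" "$dir/clientkeystore.password"
  [ "$(es_pem_cert_count "$dir/eventstore.pem")" -eq 1 ]
}
```

Call it as es_fetch_artifacts "$REST_SERVER_ENDPOINT" "$DEPLOYMENT_ID" "$bearerToken" ./es-client after running the token step above.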