Technical Blog Post
Abstract
Which keycert gets used for clients of Sterling External Authentication Server?
Body
This article answers the question for Windows. On Unix, use / instead of \ in directory paths, and look for .sh scripts instead of .bat, for example stopSeas.sh.
SEAS=Sterling External Authentication Server
The SEAS clients under {SEAS_INSTALL}/bin, such as cli.bat, stopSeas.bat, and configureAccepter.bat, all
use the same keycert that the SEAS server uses. You can discover the configured keycert for SEAS
by running the SEASCipherConfigTool utility. The SEAS server keycert is placed in {SEAS_INSTALL}/conf/system/keystore; likewise,
the trusted certificates are kept in {SEAS_INSTALL}/conf/system/truststore. Once the keycert has been
inserted into {SEAS_INSTALL}/conf/system/keystore, you can use the tool below to select which
keycert in {SEAS_INSTALL}/conf/system/keystore is used. The SEAS GUI has a mechanism for
configuring the keystore and truststore to use for TLS connections.
****************************************************************************************************************************************
c:\SEAS2430-20161114-MAINT-BUILD88\bin>SEASCipherConfigTool.bat -help
Enter the system passphrase:
Loading configuration files...
Usage: SEASCipherConfigTool <switch> [options]
Switch:
-u Update configuration
-s Show configuration
-p display the supported TLS protocols for SEAS
-c display the supported Ciphersuites for specified TLS protocol
-h Show usage (this message)
Options:
-u options:
eaSslProtocol=TLS protocol version to use for TLS communication
eaServerAlias=Key certificate alias for SEAS server TLS
eaClientAlias=Key certificate alias for SEAS client TLS
eaCiphers=<list> Cipher suites for SEAS
Separate cipher suites with commas, colons, or semicolons.
-c options:
protocol=<protocol> TLS protocol for which its supported ciphers need to be displayed
Supported TLS versions for SEAS : SSLv3, TLSv1, TLSv1.1, or TLSv1.2; TLSv1.1; TLSv1; TLSv1.2; SSLv3
Supported SEAS Ciphersuites for TLS version : TLSv1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
**************************************************************************************************************************************************
c:\SEAS2430-20161114-MAINT-BUILD88\bin>SEASCipherConfigTool.bat -s
IBM Sterling External Authentication Server V2.4.3.0
Copyright (c) 2016 IBM
Enter the system passphrase:
Loading configuration files...
EA Server SSL configuration:
SSL/TLS protocol : (unspecified)
Cipher suites : [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
Key store file : ../conf/system/keystore
Trust store file : ../conf/system/truststore
Server alias : (unspecified)
Client alias : (unspecified)
c:\SEAS2430-20161114-MAINT-BUILD88\bin>
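As an added example (not IBM's code and not part of the original article), the following Python script parses the `-s` output shown above and reports which alias, protocol and cipher settings are left at their defaults or look weak. The field labels and option names are taken from the tool output in this article; the sample text is a constructed copy of that output, and the rules for what counts as weak (3DES/RC4 suites, protocols older than TLSv1.2) are this example's own assumptions.

```python
import re

# Constructed sample: the "-s" output from this article, pasted as text.
SAMPLE = """\
EA Server SSL configuration:
SSL/TLS protocol : (unspecified)
Cipher suites : [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
Key store file : ../conf/system/keystore
Trust store file : ../conf/system/truststore
Server alias : (unspecified)
Client alias : (unspecified)
"""

UNSET = "(unspecified)"
WEAK_MARKERS = ("_3DES_", "_RC4_")             # assumption: this example's policy
OLD_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumption: this example's policy


def parse_show_output(text):
    """Collect 'label : value' lines; banner and prompt lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "Cipher suites":
            value = [c.strip() for c in value.strip("[]").split(",") if c.strip()]
        cfg[key] = value
    return cfg


def review(cfg):
    """Return findings for unset aliases, old protocols and weak suites."""
    findings = []
    for field, option in (("Server alias", "eaServerAlias"),
                          ("Client alias", "eaClientAlias")):
        if cfg.get(field, UNSET) == UNSET:
            findings.append(f"{field} not set; the {option} option selects the keycert")
    proto = cfg.get("SSL/TLS protocol", UNSET)
    if proto == UNSET or proto in OLD_PROTOCOLS:
        findings.append(f"protocol is {proto}; the eaSslProtocol option pins it")
    for suite in cfg.get("Cipher suites", []):
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_show_output(SAMPLE)):
        print(finding)
```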
UID
ibm11123539