IBM Support

MustGather: Investigating SSL certificate related issues in IBM Security SOAR

How To

Summary

SSL certificate issues can be hard to diagnose and fix. This document brings together various documents to provide a single starting point when you face SSL-related problems in IBM Security SOAR.

Steps

Internal versus external certificate authority
When an internal CA signs the SSL certificate, IBM Resilient is highly unlikely to trust it, unlike a certificate signed by an external CA such as Thawte, Comodo or VeriSign. When using an internal CA, you must import the entire chain of certificates in the order server (leaf) -> intermediate -> root.
If there is more than one intermediate certificate, include all of them, again in order. If you need help with the order, contact the team that provided the certificates.
When using an external CA, the entire chain should not be needed, because the signing certificates of many external CAs are already present in the Java keystores that IBM Resilient uses.
Importing the SSL certificate
Formatting problems in the certificate file
If you receive an error such as the following when running sudo cert-import, check the certificate file for stray line breaks and remove them, especially if you are importing a chained certificate file.
keytool error (likely untranslated): java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
If you see this response, check the file for additional (stray) lines.
keytool error (likely untranslated): java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
If the following error is returned, check the contents of the certificate file.
keytool error (likely untranslated): java.security.cert.CertificateException: Fail to parse input stream
Check that each certificate in the file, especially in a chained file, has its own correct BEGIN and END markers.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
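As an added example (not part of the IBM document), the following Python pre-flight check catches the formatting faults described above before cert-import hands the file to keytool: unbalanced BEGIN/END markers, blank or stray lines, and base64 whose decoded DER is shorter than its own SEQUENCE header claims (what keytool reports as a short read). The sample bundles are constructed; a five-byte DER SEQUENCE stands in for the certificate bodies.

```python
import base64
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_declared_length(der: bytes):
    """Bytes the outer DER SEQUENCE header claims to span, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big") if len(der) >= 2 + n else None

def lint_pem_bundle(text: str):
    """Return (count of well-formed blocks, list of problems) for a PEM chain file."""
    problems, count, body = [], 0, None    # body holds the base64 lines of the open block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN before the previous END")
            body = []
        elif line == END:
            if body is None:
                problems.append(f"line {lineno}: END without BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:             # stray characters or broken base64 padding
                problems.append(f"line {lineno}: block is not valid base64")
            else:
                want = der_declared_length(der)
                if want != len(der):       # None (not a SEQUENCE) or keytool's "short read"
                    problems.append(f"line {lineno}: DER header claims {want} bytes, {len(der)} present")
                else:
                    count += 1
            body = None
        elif body is not None and not line:
            problems.append(f"line {lineno}: blank line inside a certificate block")
        elif body is not None:
            body.append(line)
        elif line:
            problems.append(f"line {lineno}: text outside any certificate block")
    if body is not None:
        problems.append("file ends inside a certificate block (END missing)")
    return count, problems

# Constructed inputs: MAMCAQE= is a 5-byte DER SEQUENCE; MAUCAQE= is the same
# bytes with the header claiming 7, i.e. a truncated body.
GOOD_BUNDLE = f"{BEGIN}\nMAMCAQE=\n{END}\n" * 2
BAD_BUNDLE = (f"{BEGIN}\nMAMC\n\nAQE=\n{END}\nnote from the CA team\n"
              f"{BEGIN}\nMAUCAQE=\n{END}\n{BEGIN}\nMAMCAQE=\n")
```

On a real chain file, read its text and pass it to lint_pem_bundle; a clean result is (number of certificates, []).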
Certificate, public key, or CSR does not match
If you see the following error, see the document "Certificate reply does not contain public key for <co3>" "Failed to establish chain from reply" when importing an SSL certificate to IBM Resilient. It explains how to check the modulus value of the certificate, CSR and private key to confirm that the private and public keys match.
"Certificate reply does not contain public key for <co3>" "Failed to establish chain from reply"
This happens infrequently and is generally a mistake by the teams handling the certificate rather than a technical problem.

Print the md5 hash of the SSL Certificate modulus:

openssl x509 -noout -modulus -in CERTIFICATE.crt | openssl md5

Print the md5 hash of the CSR modulus:

openssl req -noout -modulus -in CSR.csr | openssl md5

Print the md5 hash of the Private Key modulus:

openssl rsa -noout -modulus -in PRIVATEKEY.key | openssl md5

The values returned from these three commands must be identical.
Renewing an existing SSL certificate
When running sudo cert-req, a new private key is not created. The resulting Certificate Signing Request (CSR) can be sent to the certificate authority (CA) for signing, as with previous certificates.
Useful commands
Obtaining an SSL certificate by using keytool
This command, taken from the document "IBM Resilient users cannot login due to an expired Active Directory SSL certificate", is useful to run on any server with keytool installed. The IBM Resilient appliance includes keytool.
keytool -printcert -rfc -sslserver {server}:<port> > cacerts.pem
It downloads all the certificates that the server presents. Redirecting the output to a file keeps the whole chain.
Keytool is a Java tool widely used by various applications and operating systems.
Obtaining an SSL certificate by using openssl
If keytool is not installed, use openssl to output all the SSL certificates in the chain.
openssl s_client -connect {server}:<port> -showcerts
Copy all the BEGIN and END lines, including the base64 text between them, in the order presented into a new file to form the chain.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Reading an SSL certificate
These commands output the certificate details, such as the subject, validity period, signature algorithm and subject alternative names.
openssl x509 -in cacerts.pem -text -noout
keytool -printcert -v -file cacerts.pem
Document Information

Modified date: 10 October 2023

UID: ibm16322097