
When trying to run openssl commands to generate certs you may run into the following error:

"WARNING: can't open config file: /usr/local/ssl/openssl.cnf"

To work around this just run the following in the command window:

set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg

For example: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Remember that every time you open a new command prompt you have to run the above command, unless you set OPENSSL_CONF as a persistent environment variable.


OpenSSL command examples for generating a self-signed certificate:

1) Generate the private key:

openssl genrsa -out privatekey.pem 2048

2) Generate a CSR (Certificate Signing Request) using this private key:

openssl req -new -key privatekey.pem -out certreq.pem

3) Use this certificate request (CSR) to request a certificate from a Certificate Authority (CA): a public CA such as Verisign, an internal CA server such as Microsoft or Netscape Certificate Service, or openssl itself for a self-signed certificate. For a CA server such as the MS CA server, you submit the request through the cert server's page in the browser. To create a self-signed certificate with openssl:

openssl x509 -req -days 365 -in certreq.pem -signkey privatekey.pem -out cert.pem

4) Convert the cert from PEM to DER format:

openssl x509 -in cert.pem -out cert.cer -outform DER

5) Convert the private key to DER format as well:

openssl pkcs8 -topk8 -in privatekey.pem -outform DER -out privatekey.der

CONVERT pkcs12 to pem:

openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem

CONVERT pem to pkcs12:

openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem

The Siteminder Administrative UI uses, from R12 SP3, the standard Log4j
PropertyConfigurator configuration file; all logging categories are
prefixed with 'log4j.category' and must have one of the specified log
levels: OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL.

The examples below show the default logging levels.

- For the SiteMinder logging level:

/server/default/deploy/iam_siteminder.ear/user_console.war/META-INF/SiteMinderLog4j.properties

# The root category for SiteMinder logging.
log4j.category.com.ca.siteminder=WARN

# Useful information. The following categories supply useful information
# about the product and connectivity status with the policy server.
log4j.category.com.ca.siteminder.webadmin.BuildInfo=INFO
log4j.category.com.ca.siteminder.uiagent=INFO

# Tunnel messages. The following categories display communications with
# the policy server.
log4j.category.com.ca.siteminder.xps.Connection=OFF
log4j.category.com.ca.siteminder.xps.xml=OFF

# Administrative directory. The following categories are used by the
# directory for logging information about administrators.
log4j.category.org.apache.directory=ON
log4j.category.com.ca.siteminder.directory=DEBUG

# Other categories. Uncomment these categories as needed for additional
# logging.
#log4j.category.com.ca.siteminder.framework=INFO
#log4j.category.com.ca.siteminder.framework.action=INFO
#log4j.category.com.ca.siteminder.framework.tab=INFO
#log4j.category.com.ca.siteminder.framework.xps=INFO
#log4j.category.com.ca.siteminder.framework.xps.security=INFO
#log4j.category.com.ca.siteminder.webadmin=INFO
#log4j.category.com.ca.siteminder.webadmin.tabhandler=INFO
#log4j.category.com.ca.siteminder.webadmin.tabs=INFO

Change log4j.category.com.ca.siteminder to DEBUG.
Change log4j.category.com.ca.siteminder.XX to DEBUG, according to your needs.

- For the underlying IAM Framework level:

/server/default/deploy/iam_siteminder.ear/config/com/netegrity/config/log4j_jboss.properties

Change log4j.category.ims to DEBUG.
Uncomment all log4j.category.ims entries according to your needs.

- For JBoss logging:

/server/default/conf/jboss-log4j.xml

In the Limit category section add the following:
<category name="com.netegrity.ims">
<priority value="ALL"/>
</category>

<category name="org.jboss.system.server.Server">
<priority value="INFO"/>
</category>
<category name="com.ca.siteminder.uiagent">
<priority value="ALL"/>
</category>
<category name="com.ca.siteminder.framework">
<priority value="ALL"/>
</category>
<category name="com.ca.siteminder.webadmin">
<priority value="ALL"/>
</category>
<category name="com.ca.siteminder.xps">
<priority value="ALL"/>
</category>

A core file should be created when an application crashes, provided the core file size limit is set using ulimit.

Run the command below to view the current limits:

ulimit -a

If the core file size parameter is 0, no core dump file is created.

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?940980.html?zoom_highlightsub=ulimt

If the core file size is set to 0, do the following to enable core file generation when an application crashes:

ulimit -c unlimited

Then check that it took effect by running again:

ulimit -a

Note:

You can also specify a size for the core file instead of using the unlimited option.

http://stackoverflow.com/questions/17965/how-to-generate-a-core-dump-in-linux-when-a-process-gets-a-segmentation-fault

Windows:

ldapsearch -b "dc=pstore,dc=com" -D "cn=siteminder,dc=pstore,dc=com" -w firewall -h abc.xyz.com -p 44391 (smAgentKeyOID4=*)

Unix:

ldapsearch -b dc=pstore,dc=com -h abc.xyz.com -p 44391 -x smAgentKeyOID4=*

On Windows you do not need an admin DN/password to connect:

ldapsearch -b "dc=pstore,dc=com" -h abc.xyz.com -p 44391 (smAgentKeyOID4=*)

For the session key:

ldapsearch -b "dc=pstore,dc=com" -h abc.xyz.com -p 44391 (smSharedSecretPolicyOID6=*)

PKI-FORMULA

Posted by Osarobo_Idehen Employee Nov 18, 2016

SIGNATURE:
PRODUCE SIGNATURE USING THE SIGNING PARTY'S PRIVATE KEY
VERIFY SIGNATURE USING THE SIGNING PARTY'S PUBLIC CERT

ENCRYPTION:
ENCRYPT USING THE DECRYPTING PARTY'S PUBLIC CERT
DECRYPT USING YOUR OWN PRIVATE KEY
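
The two formulas above, driven with openssl as an added example (not part of the original post): sign with the private key and verify with the public cert, including a tampered message that must fail verification; then encrypt to the cert and decrypt with the matching private key. It assumes `openssl` on PATH; the identity, its subject name and the message are constructed for the demo.

```shell
# Added example, not from the original post. Assumes `openssl` on PATH;
# the identity and the message are constructed for this demo.
set -eu

pki_formula_demo() {
  work=$(mktemp -d); cd "$work"

  # One party's identity: the private key stays with its owner, the
  # certificate is what everyone else is handed.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout party.key -out party.crt \
    -days 1 -subj '/CN=pki-formula.example.test' 2>/dev/null
  printf 'transfer 100 to account 42\n' > message.txt

  # SIGNATURE: produce it with the signing party's private key ...
  openssl dgst -sha256 -sign party.key -out message.sig message.txt
  # ... and verify it with the public key taken from the signing party's cert.
  openssl x509 -in party.crt -pubkey -noout > party.pub
  openssl dgst -sha256 -verify party.pub -signature message.sig message.txt >/dev/null
  # A one-digit change to the signed message must fail verification.
  printf 'transfer 900 to account 42\n' > tampered.txt
  if openssl dgst -sha256 -verify party.pub -signature message.sig tampered.txt >/dev/null 2>&1
  then echo "tampered message verified" >&2; return 1
  fi

  # ENCRYPTION: encrypt to the decrypting party's public cert (-certin) ...
  openssl pkeyutl -encrypt -certin -inkey party.crt -in message.txt -out message.enc \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  # ... and only that party's own private key recovers the plaintext.
  openssl pkeyutl -decrypt -inkey party.key -in message.enc -out message.dec \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  cmp -s message.txt message.dec || { echo "decryption mismatch" >&2; return 1; }

  cat message.dec      # the recovered plaintext
  cd / && rm -rf "$work"
}

pki_formula_demo
```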

SSL:
HANDSHAKE FOR SSL

CLIENT <---> SERVER

SERVER: SSL SERVER CERT

CLIENT ---> ROOT CA CERT --> TRUST THE SSL CERT

BROWSER <--> WEBSERVER

LDAPS:

SMPS <--> LDAP SERVER WITH SSL

SMPS <--> RDBMS