Where are IBM certificates stored in Information Server? - ibm-information-server

I'm currently installing IIS EE on EC2 instances in an AWS environment. A question from left field: does anyone happen to know where the IBM certificates are stored? 
Attempt: I usually inspect the certificate when handling the exception in a browser, but I want to know which file(s) to check on the services tier.

This depends on which certificates you are referring to. There are certificates on each of the tiers and in WAS. For example,
/opt/IBM/InformationServer/ASBNode/conf/iis-client-truststore.p12
/opt/IBM/InformationServer/ASBServer/conf/iis-client-truststore.p12
/opt/IBM/InformationServer/ASBServer/conf/isf-node.keystore

Related

Installing SSL Certificates for Wazuh-Dashboard

Is it possible to have Wazuh Manager served through custom SSL certificates? The wazuh-certs-tool gives you a self cert, and every other way to get it served through SSL has failed.
The closest I've gotten to getting this to work is I've had the dashboard being served by a custom SSL, I had agents connecting to it successfully and providing a heartbeat, but had zero log flows or events happening. When I had it in this state, I saw the API calls were coming from what appeared to be a Java instance, erroring out complaining about receiving certificate. I saw a keystore file located at /etc/wazuh-indexer. Do I also need to add the root-ca cert here as well?
It seems that your indexer's expected certificates do not match the certificates in your manager or the dashboard.
If you follow the normal installation guide, it shows how and where to place your certificates, which are created using the wazuh-cert-tool. But certificates can be created from any other source, as long as they have the expected information; you can check that information here.
I would recommend you follow the installation steps in the installation guide, from scratch, to make sure you copy each expected certificate into its place and that the configuration files for your indexer, dashboard, and manager take into account the correct files. All you would need to change is the creation of the certificates, to have your own custom certs.
In case of further doubt, do not hesitate to ask.

Getting started with Vault for existing non-containerized Windows apps

We have a bunch of Windows server applications that currently handle secrets as follows; our apps are in C#.
We store them in settings files in code
We store them encrypted, using a certificate
The servers have this certificate with the private key, so they can decrypt the secret
We're looking at implementing Hashicorp Vault. It seems easy enough to simply replace the encrypt-store-decrypt with storing the secret in Vault in the KV engine, and just grabbing it in our apps - that takes that certificate out of the picture entirely. Since we're on-prem, I'll need to figure out our auth method.
We have different apps running on different machines, and it's somewhat dynamic (not as much as an autoscaling scenario, but not permanent - so we can't just assign servers to roles one time and depend on Kerberos auth).
I'm unsure how to make AppRole work in our scenario. We don't have one of the example "trusted platforms" or "trusted entities", there's no Nomad, Chef, Terraform, etc. We have Windows machines, in a domain, and we have a homegrown orchestrator that could be queried to say "This machine name runs these apps", so maybe there's something that can be done there?
Am I in "write your own auth plugin" territory, to speak to our homegrown orchestrator?
Edit - someone on Reddit suggested that this is a simple solution if our apps are all 1-to-1 with the Windows domain account they run under, because then we can just use kerb authentication. That's not currently the way we're architected, but we've got to solve this somehow, and that might do it nicely.
2nd edit - replaced "services" with "apps", since most of our services aren't actually running as Windows services, just processes. The launcher is a Windows service but the individual processes it launches are not.
How about Group Managed Service Accounts?
https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Essentially you create one "trusted platform" (to your key vault service).
Your service can still have its own identity but delegate to the gMSA when you want to retrieve the secrets.
For future visibility, here's what we landed on:
TLS certificate authentication. Using Vault, we issue a handful of certs, each will correspond to a security policy/profile, so that any machine that holds that certificate will be able to authenticate and retrieve the secrets they should have access to.
Kerberos ended up being a dead-end for two reasons. The vault.exe agent (which is part of this use case) can't use the native Windows Kerberos SSPI, so we'd have to manage and distribute keytab files. Also, if we used machine authentication, it would blow up our client count (we're using the cloud-hosted HCP Vault, where pricing is partially based on client count).
Custom plugins can't be loaded into the HCP, of course
Azure won't work, it requires Managed Identities which you can't assign to on-prem machines. Otherwise this might have been a great fit
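The flow the poster landed on (a machine holds a Vault-issued client certificate, logs in against the cert auth method, then reads its secrets from KV) looks like this over the HTTP API. This is an added illustration written here, not the poster's code or HashiCorp's client library; the host name, certificate paths, role name and secret path are placeholders (assumptions), and the sample Vault replies used in the test are constructed. It uses only the Python standard library so it can run without the `hvac` package.

```python
"""Vault TLS certificate authentication from an on-prem client, stdlib only.

Added example, not the original poster's code. VAULT_HOST, the certificate
paths, the role name and the secret path below are placeholders.
"""
import http.client
import json
import ssl

# Assumed deployment values (placeholders): replace with your own.
VAULT_HOST = "vault.example.internal"
VAULT_PORT = 8200
CLIENT_CERT = "/etc/app/app-profile.pem"   # client cert issued by Vault's PKI
CLIENT_KEY = "/etc/app/app-profile.key"    # its private key
VAULT_CA = "/etc/app/vault-ca.pem"         # CA that signed Vault's server cert


def build_context(client_cert, client_key, ca_file):
    """mTLS context: verify Vault's server certificate against our CA and
    present the client certificate that the cert auth method will check."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def cert_login_request(role_name=None):
    """Path and JSON body for POST /v1/auth/cert/login.
    'name' selects a role configured on the cert auth backend (each role is
    bound to a CA / allowed names and to a set of policies); without it Vault
    tries every role whose trusted CA signed the presented certificate."""
    body = {"name": role_name} if role_name else {}
    return "/v1/auth/cert/login", json.dumps(body)


def parse_login_response(raw_json):
    """Return (client_token, lease_duration, policies) from a login reply.
    Vault reports failures as {"errors": [...]}, which becomes a ValueError."""
    payload = json.loads(raw_json)
    if "errors" in payload:
        raise ValueError("vault login failed: %s" % "; ".join(payload["errors"]))
    auth = payload["auth"]
    return auth["client_token"], auth["lease_duration"], auth.get("policies", [])


def kv2_read_path(mount, secret_path):
    """KV version 2 read path: GET /v1/<mount>/data/<path>."""
    return "/v1/%s/data/%s" % (mount.strip("/"), secret_path.strip("/"))


def parse_kv2_response(raw_json):
    """KV v2 wraps the stored key/value pairs in data.data (data.metadata
    carries the version); return just the secret's own fields."""
    payload = json.loads(raw_json)
    if "errors" in payload:
        raise ValueError("vault read failed: %s" % "; ".join(payload["errors"]))
    return payload["data"]["data"]


def fetch_secret(ctx, role_name, mount, secret_path):
    """Log in with the client certificate, then read one KV v2 secret.
    The token is kept in memory only and never written to disk."""
    conn = http.client.HTTPSConnection(VAULT_HOST, VAULT_PORT, context=ctx)
    try:
        path, body = cert_login_request(role_name)
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/json"})
        token, _ttl, _policies = parse_login_response(conn.getresponse().read())
        conn.request("GET", kv2_read_path(mount, secret_path),
                     headers={"X-Vault-Token": token})
        return parse_kv2_response(conn.getresponse().read())
    finally:
        conn.close()


# Constructed sample replies, shaped like Vault's real JSON, used for offline checks.
SAMPLE_LOGIN_REPLY = json.dumps({
    "auth": {"client_token": "hvs.CONSTRUCTED-EXAMPLE-TOKEN",
             "lease_duration": 3600,
             "policies": ["default", "billing-app"]}
})
SAMPLE_KV_REPLY = json.dumps({
    "data": {"data": {"db_user": "billing", "db_password": "constructed"},
             "metadata": {"version": 3}}
})
SAMPLE_ERROR_REPLY = json.dumps({"errors": ["invalid certificate or no client certificate supplied"]})


if __name__ == "__main__":
    ctx = build_context(CLIENT_CERT, CLIENT_KEY, VAULT_CA)
    print(fetch_secret(ctx, "billing-app", "secret", "billing/db"))
```

Each certificate you issue maps to one role on the cert auth method, and the role's policies decide which KV paths that machine can read, which is how "a handful of certs, each corresponding to a security profile" translates into Vault configuration. Pinning the CA file rather than relying on the OS trust store keeps a mis-trusted corporate proxy from intercepting the token exchange.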

Credentials for Db2 in IBM

I recently signed up for the Lite version (free) of Db2 in IBM. When I select 'open console', I receive an error message: {"trace":"89cc4337d11c197f1e4c12c51f027b77","errors":[{"code":"authentication_failure","message":"HWCSEC0016E: Authentication failed for SSO. This may caused by failed to generate access token in console side using existing credentials.","target":{"type":"","name":""},"more_info":""}]}. I've placed a couple of tickets with IBM, but they say since I signed up for the 'free' service that they are unable to assist even though I only need assistance to access the service. Any thoughts?
Deleted the existing DB instance and created a new one in a different location. And that worked for me.

Configuring a custom CA in Hyperledger Fabric

Could somebody please point me in the right direction for configuring Hyperledger Fabric to use a custom CA. The docs here suggest that any CA that supports ECDSA can be used.
Take a look at the Cryptogen tool.
It produces x509 certificates, and this can be used by you to prime the fabric network entities (orderer, peers, clients).
I recommend you run cryptogen to produce the needed PEM files by reading byfn (take a look at ./byfn.sh -m generate )
If you can replicate this folder structure you're good to go.
Additionally (this is just a thought, never tried it), Fabric-CA has an HTTP API for registering clients.
If you build your own gateway that mocks Fabric-CA's API and does the same things, you can make the client SDK (which also includes a fabric-ca client) talk with your CA as if it were Fabric-CA.
I don't understand very well the aim of your question. However, I'm going to answer it.
right direction for configuring Hyperledger Fabric to use a custom CA
Hyperledger Fabric needs some certificates to control and restrict the access to the Blockchain. For each channel you define which members are going to be part of it, and you configure the MSP. The certificates are used for the MSP. So, you can create those certificates in any way, then you should pass them to the corresponding members and locate them in the corresponding directories.
However, Hyperledger Fabric gives you the chance to achieve it:
On the one hand, as #yacovm said, by using the cryptogen tool
On the other hand, as you said, by creating your own CA Authority, i.e. by your own CA Server

Creating multiple users in Bluemix Biginsight to test Knox service

I have created a space and a BigInsight cluster on Bluemix. In order to test Knox, I need multiple users for authentication. Is it possible to create users in the Bluemix Biginsight service? The ID that is provided to access the cluster does not have root access. Also, it would be helpful if someone can explain in detail how the admin-related tasks (adding more components like Hue, Drill using yum commands) could be performed in the Bluemix Biginsights service. Thanks in advance.
I am guessing here that you have created a Bluemix Biginsights Basic (Beta) plan.
This service is a single user service and cannot have multiple users.
In addition this service is a managed service and installation of software by the user is not allowed.
This service comes with preconfigured settings and pre-installed software that is fixed. If you do need something apart from this, I would suggest opening a Biginsights service ticket through the Bluemix Support page with a request for it and why you need the software.
The product management team will look at it and see if they can be preinstalled in the future release.
These installations will not be done on any Basic (Beta) plan for individual clusters.