IBM GSKit (Global Security Kit) command line tool on Linux


A public certificate and private key pair are used to encrypt packets being transmitted between a client and IBM's IHS web server. IBM stores the public certificate and private key in what is called a Key Database. The Key Database is a file that ends with the .kdb extension, and is typically located at ihs_home/conf/example.kdb (Linux). IBM's Global Security Kit (GSKit) command line tool is used to create the Key Database, and to view, export, add, and remove certificates from the Key Database.

 

When IHS is installed, the GSKit command line tool will also be installed. On Linux, in the home directory of IHS, there will be a GSKit directory, such as gsk7 or gsk8, which indicates the version of GSKit that is installed (version 8 in this example). In the GSKit directory will be a bin directory. The bin directory contains the GSKit command line tool. In this example, "gsk8capicmd_64" is the command line tool that is used to create a Key Database, and to view, export, add, and delete public certificates and private keys from a Key Database.

ihs_home/gsk8/bin/gsk8capicmd_64

 


PATH and LD_LIBRARY_PATH

The PATH and LD_LIBRARY_PATH variables must include the following values in order for the gsk command line tool to function.

LD_LIBRARY_PATH=/path/to/gsk8/lib
PATH=$PATH:/path/to/gsk8/bin

 

One option is to manually update PATH and LD_LIBRARY_PATH before using the gsk command.

export LD_LIBRARY_PATH=/path/to/gsk8/lib64
export PATH=$PATH:/path/to/gsk8/bin

 

Another option is to update your .bash_profile file (Red Hat) with the following. The benefit to this option is that you wouldn't need to manually update PATH and LD_LIBRARY_PATH before using the gsk command.

LD_LIBRARY_PATH=/path/to/gsk8/lib64
PATH=$PATH:/path/to/gsk8/bin
export LD_LIBRARY_PATH
export PATH

 


Create Key Database

If you do not yet have a Key Database, you must first create one. In this example, a Key Database named "example.kdb" is created. The -stash option is optional; it saves the password to a stash (.sth) file so that you do not need to keep using the -pw (password) option for subsequent commands.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-keydb \
-create \
-db example.kdb \
-pw your_password \
-stash

 


View Certificates

IBM products that use GSKit store keys in a file with the .kdb (key database) extension. There may also be files with the .crl, .rdb, and .sth (stored password file) extensions. You can list the certificates in a key database. In this example, there are two certificates in the database (default and example). If the "-stashed" option fails, use the -pw <password> option instead.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-list \
-db /path/to/example.kdb \
-stashed

* default
- example
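
The stash file sits beside the .kdb and holds its password, so the modes on these files decide who can use the private key. The script below is an added example, not part of the original page; it assumes Linux with GNU stat, and the function names and demo file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Linux with GNU stat.

# Print "MODE PATH" for each key database file in directory $1 whose mode
# grants any permission to group or other.
audit_keydb_perms() {
    for f in "$1"/*.kdb "$1"/*.sth "$1"/*.rdb "$1"/*.crl; do
        [ -f "$f" ] || continue                 # glob did not match anything
        mode=$(stat -L -c '%a' "$f")            # octal mode, e.g. 600 or 644
        # The low six permission bits (octal 077) belong to group and other.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
    return 0
}

# Print each .kdb in directory $1 that has a sibling .sth stash file, i.e.
# a database whose password is stored on disk next to it.
list_stashed_dbs() {
    for db in "$1"/*.kdb; do
        [ -f "$db" ] || continue
        if [ -f "${db%.kdb}.sth" ]; then
            printf '%s\n' "$db"
        fi
    done
    return 0
}

# Demo on a constructed directory (file names and contents are made up).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/example.kdb" "$d/example.sth" "$d/example.rdb" "$d/other.kdb"
    chmod 600 "$d/example.kdb" "$d/other.kdb"
    chmod 644 "$d/example.sth"                  # stash file left world-readable
    chmod 640 "$d/example.rdb"
    echo "Too permissive:";   audit_keydb_perms "$d"
    echo "Stashed password:"; list_stashed_dbs "$d"
    rm -rf "$d"
}
demo
```

Point the two functions at the directory that holds the real key database (ihs_home/conf in this page's layout) to get the same report for a live server.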

 


View Certificate Details

Once you know the list of certificates in the key database, you can view the details of a specific certificate.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-details \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name"

 


Create a new Certificate

The -create option can be used to create a new self-signed certificate in the key database.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-create \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name" \
-dn "cn=your_hostname,o=your_domain" \
-size 2048 \
-sigalg SHA512WithRSA \
-expire 365 \
-default_cert yes

 


Flag Certificate as Default

If you did not use the "-default_cert yes" option when adding a certificate, you can set a certificate as the default certificate using the "-setdefault" option.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-setdefault \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name"

 


Import Certificate

The -add option can be used to import a certificate into the Key Database from a .crt file.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-add \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name" \
-file "/path/to/example.crt"

 

The following options are optional.

-dn "cn=your_hostname,o=your_domain"
-size 2048
-sigalg SHA512WithRSA
-expire 365
-default_cert yes

 


Export Certificate

The -export and -target options can be used to export a certificate from the key database. Exporting does not remove or delete the certificate from the key database.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-export \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name" \
-target /path/to/example.crt

 


Delete Certificate

The -delete option can be used to delete a certificate from the key database.

ihs_home/gsk8/bin/gsk8capicmd_64 \
-cert \
-delete \
-db /path/to/example.kdb \
-stashed \
-label "certificate_name"

 
