TCP/IP SSL Server - Migrating a Linux-based Certificate Database

Notes:

  • The information that follows is applicable to z/VM Linux-based SSL server implementations only (those provided with TCP/IP for z/VM levels prior to TCP/IP level 540).

  • A z/VM level 520 or 530 certificate database cannot be relocated and used as-is by the z/VM 540 SSL server. To migrate certificates (with their private keys) from a 530 level certificate database to the database used by the 540 level SSL server, the PTF for APAR PK75661 must be installed.

    Detailed information for installing the updated RPMs provided by this PTF, and instructions for migrating certificates for use by a z/VM 540 (or later) SSL server, can be found at the TCP/IP for z/VM 530 SSL Server: Certificate With Key Export Support page.

    Should the need arise to migrate certificates from a z/VM 520 level certificate database, contact the IBM support center.

   SSL Server - Certificate Database Migration

The instructions that follow can be used to migrate an existing z/VM SSL server certificate database from one SSL server Linux guest system to another such system. For illustrative purposes, the database is transferred from a functioning SSL server guest and temporarily stored on a z/VM minidisk; it is then placed on a "new" SSL server guest system.

Note:
The server certificates (and thus, the certificate databases) from two different SSL guest systems cannot be merged or combined using the procedure that follows, or through other means. Thus, any new server certificates that are to be used with a "new" SSL server guest should be acquired only after an existing certificate database has been migrated to that system.

   Acquire the Certificate Database from the In-Use SSL Server

  1. Establish (or, re-establish) network connectivity for the SSL server guest from which the certificate database is to be migrated.

    The steps necessary to do this are described in the applicable "install" file provided with the SSL RPM package that is in use (for example, as described by the (SSL Server) Managing Network Connectivity page).

    Once this process is complete and this SSL server has been initialized to an inactive state, it will be possible to use ftp to transfer the certificate database to the selected destination.

  2. Log in as the root user on the "from" guest, using either the Linux guest 3270 console or a VT100 telnet connection.

  3. Change the current directory to that where the certificate database is maintained, using the cd command:
      cd /opt/vmssl/certdb
    

  4. Transfer the certificate database to the selected destination.

    Depending on circumstances, it may be possible to transfer the certificate database directly to the intended target Linux guest (with the assumption that Linux is operational and the required connectivity exists).

    However, this sample scenario assumes the database will be temporarily stored on a VM minidisk (the TCPMAINT 191 disk, in this example). This might be done to allow for setup and installation activity associated with the target Linux guest on which the database will ultimately reside.

    With this purpose in mind, use the commands that follow to transfer the database to a z/VM system minidisk.

    1. Initiate an FTP session to the z/VM host where the certificate database will be stored:

        ftp vm_host_ip_address
      

    2. Log in using the TCPMAINT user ID, and then change the working directory to its corresponding 191 minidisk. (Note that the "cd tcpmaint.191" FTP subcommand shown here is necessary only if this minidisk is not established as the working directory on a default basis):

        user tcpmaint
        pass password
       
        cd tcpmaint.191
      

    3. Establish Binary transfer mode and store the files that comprise the certificate database:

        bin
        put Database.kdb
        put Database.sth
        put Database.rdb
        put Database.crl
      

    4. End the FTP session after all files have been successfully transferred:
        quit
      

    Note
    When the database files are stored on the z/VM host, case is not preserved for the file name and type. The files stored on the TCPMAINT 191 disk will be:

      DATABASE  KDB
      DATABASE  STH
      DATABASE  RDB
      DATABASE  CRL
    

   Interim Database Storage

As previously stated, the certificate database dealt with in this example is temporarily stored on a VM minidisk for a period of time. This might be done to allow for the completion of installation and configuration of the target Linux guest on which the database will ultimately reside.

Keep in mind what these files contain: the key database (Database.kdb) holds the server's private keys, and the stash file (Database.sth) holds the password that protects that key database. FTP transfers them in the clear, and while they reside on the TCPMAINT 191 disk they are as sensitive as the keys themselves. Perform the transfer over a network path you control, limit access to the minidisk for the duration of the interim storage, and erase the four DATABASE files from the minidisk once the migration has been verified.

After such activity has been completed and the target Linux guest is operational, the database files can be transferred to that guest system.

   Move the Certificate Database to the Intended SSL Server

  1. Establish network connectivity for the SSL server guest to which the certificate database is to be migrated.

    The steps necessary to do this are described in the applicable "install" file provided with the SSL RPM package that is in use (for example, as described by the (SSL Server) Managing Network Connectivity page).

    Once this process is complete and this SSL server has been initialized to an inactive state, it will be possible to use ftp to transfer the certificate database from its interim location.

  2. Log in as the root user on the target Linux guest, using either the Linux guest 3270 console or a VT100 telnet connection.

  3. Change the current directory to that where the certificate database is expected by the vmssl application, using the cd command:
      cd /opt/vmssl/certdb
    

  4. Rename any existing certificate database files. For this example, the text ".orig247" is used to aid in identifying the renamed files, should they be required at a later time:
      mv Database.kdb  Database.kdb.orig247
      mv Database.sth  Database.sth.orig247
      mv Database.rdb  Database.rdb.orig247
      mv Database.crl  Database.crl.orig247
    

  5. Transfer the certificate database to the appropriate directory in the target Linux guest.

    1. Initiate an FTP session to the z/VM host where the certificate database has been stored:

        ftp vm_host_ip_address
      

    2. Log in using the TCPMAINT user ID, and then change the working directory to its corresponding 191 minidisk. (Again, the "cd tcpmaint.191" FTP subcommand shown is necessary only if this minidisk is not established as the working directory on a default basis):

        user tcpmaint
        pass password
       
        cd tcpmaint.191
      

    3. Establish Binary transfer mode and retrieve the various certificate database files. Note that case is significant for the file names of the local (Linux-resident) files:

        bin
        get DATABASE.KDB  Database.kdb
        get DATABASE.STH  Database.sth
        get DATABASE.RDB  Database.rdb
        get DATABASE.CRL  Database.crl
      

    4. End the FTP session after all files have been successfully transferred:
        quit
      

  6. With the relocated certificate database files in place, the target Linux guest can then be (re)configured to provide secure connection support. To do this, deactivate Linux networking support (for example, as described by the (SSL Server) Managing Network Connectivity page); doing so also activates automatic startup of the vmssl daemon. Before that final step, confirm that all four files arrived intact (compare their sizes, or better, a checksum taken on the "from" guest) and that they are readable only by root, since an ASCII-mode or interrupted transfer leaves a database the daemon cannot open, and a world-readable .kdb or .sth exposes the server's private keys.
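The following shell script is an added example and is not part of the IBM z/VM documentation or of the vmssl package. It wraps the procedure above (both the "acquire" and the "move" sections) with the checks a practitioner would want around the FTP transfer: a SHA-256 manifest taken on the "from" guest before the `put`, verification of the retrieved files on the target after the `get`, the `.orig247` rename of any database already present, and a permission lock-down of the four files. All function names are hypothetical; the file set is the one the page lists. It assumes `sha256sum` (coreutils) on both Linux guests. The `certdb_demo` function runs the whole flow offline against constructed files, simulating the minidisk round trip (including the loss of file-name case) and a truncated transfer.

```shell
#!/bin/sh
# Added example, not from the z/VM documentation: integrity and permission
# checks around the Database.* transfer. Helper names are hypothetical.

CERTDB_FILES="Database.kdb Database.sth Database.rdb Database.crl"

# On the "from" guest, before the ftp "put": record a SHA-256 digest of each
# file so the copy retrieved on the target can be checked byte for byte.
certdb_manifest() {
    ( cd "$1" && sha256sum $CERTDB_FILES )
}

# On the target guest, after the ftp "get": compare the retrieved files in $1
# against the manifest $2. Zero exit means every file matched; a truncated or
# ASCII-mode transfer shows up here as a digest mismatch.
certdb_verify() {
    ( cd "$1" && sha256sum -c --quiet - ) < "$2"
}

# Step 4 of the move section: set aside a database already present in $1,
# appending suffix $2. Only files that actually exist are renamed.
certdb_backup_existing() {
    for f in $CERTDB_FILES; do
        [ -e "$1/$f" ] && mv "$1/$f" "$1/$f.$2"
    done
    return 0
}

# The .kdb holds the private keys and the .sth holds the stash of the key
# database password, so nothing but root should be able to read them.
certdb_lockdown() {
    for f in $CERTDB_FILES; do
        chmod 600 "$1/$f" || return 1
    done
}

# Offline walk-through with constructed files: from -> interim (names folded
# to upper case, as on the minidisk) -> to. Returns 0 when the intact copy
# verifies and a copy cut short in transit is rejected.
certdb_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/from" "$work/interim" "$work/to" || return 1
    for f in $CERTDB_FILES; do
        head -c 2048 /dev/urandom > "$work/from/$f"   # constructed database
        : > "$work/to/$f"                              # older database on target
    done

    certdb_manifest "$work/from" > "$work/manifest.sha256" || return 1

    # "put": the z/VM side keeps only upper-case names (DATABASE KDB, ...)
    for f in $CERTDB_FILES; do
        cp "$work/from/$f" "$work/interim/$(echo "$f" | tr a-z A-Z)"
    done

    certdb_backup_existing "$work/to" orig247
    # "get": restore the mixed-case names the vmssl daemon expects
    for f in $CERTDB_FILES; do
        cp "$work/interim/$(echo "$f" | tr a-z A-Z)" "$work/to/$f"
    done
    certdb_verify "$work/to" "$work/manifest.sha256" || return 1
    certdb_lockdown "$work/to" || return 1
    [ -e "$work/to/Database.kdb.orig247" ] || return 1

    # failure mode: a key database cut short in transit must not verify
    head -c 100 "$work/from/Database.kdb" > "$work/to/Database.kdb"
    if certdb_verify "$work/to" "$work/manifest.sha256" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$work"
    return 0
}
```

In real use, run `certdb_manifest /opt/vmssl/certdb > /tmp/certdb.sha256` on the "from" guest before step 4 of the acquire section, carry the small manifest across by any convenient route, and run `certdb_verify /opt/vmssl/certdb /tmp/certdb.sha256` followed by `certdb_lockdown /opt/vmssl/certdb` on the target before step 6 of the move section. A verification failure after a `get` most often means the `bin` subcommand was skipped.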