Background
If your company uses Office365 for email and you need to use the Netcool Email Probe, you will have to configure a KeyStore database to hold the valid/trusted certificates presented by Office365. What I found at one customer was that after we imported one certificate into the KeyStore, we still frequently received certificate chaining errors, which would eventually cause the probe to stop working. The problems I saw appear to be caused by a configuration difference between the load-balanced Office365 servers: different servers present different certificates (and different certificate chains) to the Email Probe, so a KeyStore holding only one of them is not enough.
Solution
After several attempts at resolving the problem, I took the nuclear approach: download every certificate Office365 presents and import them all into the KeyStore database. I'm certain it's overkill, but I scripted the solution below, and it doesn't affect the performance of the probe. Here's the script, with comments:
cd /tmp
for i in file{1..100}
do
  # capture the full chain presented on this connection (one of the load-balanced servers)
  openssl s_client -showcerts -verify 5 -connect outlook.office365.com:995 < /dev/null > "$i"
  # each file contains at least two certificates. Each certificate needs to be in its own file
  # to import it into the keystore. That's what the following command does. It will create
  # files named file*-00, file*-01, file*-02 if there are two certificates returned by the above
  # command.
  csplit -f "$i-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'
  # file*-00 doesn't contain anything useful (certs are in *-01 and *-02), so we will delete it
  rm file*-00
done
# now import all of the above certs into the keystore.
for i in file*-*
do
  keytool -keystore "/opt/IBM/tivoli/netcool/core/certs/key_netcool.jks" -import \
    -trustcacerts -alias "$i" -file "$i" -noprompt -storepass THE_KEYSTORE_PASS
done
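The split-and-import loop above works, but 100 captures produce a few hundred files, most of them copies of the same handful of certificates, and each one lands in the keystore under a throwaway file*-NN alias. As an added example (my code, not from the original post), the Python below takes the captured s_client outputs, splits them the way csplit does, and de-duplicates by SHA-256 fingerprint so each distinct certificate is written once with the fingerprint as a stable keytool alias; it is in Python rather than the post's shell so it can be exercised offline, and the sample captures use constructed base64 bodies, not real certificates.

```python
import base64
import hashlib
import os
import re

# One PEM block as printed by `openssl s_client -showcerts`; the body is base64 DER.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
PEM_FMT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"


def unique_certs(captures):
    """Map SHA-256 fingerprint -> PEM over all captured s_client outputs.
    A capture holds the chain and, with -showcerts, usually the server cert a
    second time under "Server certificate". Hashing the DER bytes (the value
    `openssl x509 -fingerprint -sha256` prints) collapses every repeat across
    all captures to a single entry."""
    found = {}
    for text in captures:
        for body in PEM_RE.findall(text):
            der = base64.b64decode("".join(body.split()))
            found.setdefault(hashlib.sha256(der).hexdigest(), PEM_FMT % body.strip())
    return found


def write_certs(found, out_dir):
    """Write each unique cert to <out_dir>/<fingerprint>.pem and return the
    paths; the fingerprint file name doubles as a stable keytool alias."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for fp, pem in sorted(found.items()):
        paths.append(os.path.join(out_dir, fp + ".pem"))
        with open(paths[-1], "w") as fh:
            fh.write(pem)
    return paths


def _fake_capture(*labels):
    """Constructed stand-in for s_client output: bodies are base64 of a label,
    not real certificates, so the example runs offline."""
    blocks = [PEM_FMT % base64.b64encode(label.encode()).decode() for label in labels]
    return "Certificate chain\n" + "".join(blocks) + "Server certificate\n"


# Constructed captures from two load-balanced nodes: different leaf certs, a
# shared intermediate, and each leaf repeated under "Server certificate".
SAMPLE_CAPTURES = [
    _fake_capture("leaf-node-A", "intermediate", "leaf-node-A"),
    _fake_capture("leaf-node-B", "intermediate", "leaf-node-B"),
]
```

With the files written this way, the import loop becomes `keytool ... -alias "$(basename "$f" .pem)" -file "$f"` over the output directory, and a rerun after Office365 rotates a certificate only adds aliases that are genuinely new.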