Friday, February 27, 2015

CentOS Recovery Use Case 5: Downloading the Tomcat Certificate Private Key

recently published a blog entry on how one could use the CentOS distribution and Recovery process to access the Cisco UCOS root file system. As noted in the initial blog, this isn't a new revelation. I originally was going to provide a group of use cases in the "primer" but decided that it was a little too long. 

So, I am breaking the use cases out into individual entries. Who knows, over time this may become another series. For now, let's focus on one of the CentOS recovery use cases: Downloading the Tomcat Certificate Private Key.


Unlike the other articles in this series, this particular entry is focused on a task that is more "pro-active" than reactive. Anyone who is worth their salt in this game knows that they have to strive for a deeper understanding of how things work if they are going to excel. Deeper than you are going to find in documentation provided by the software manufacturer.

In our communications arena, this usually means: protocol analysis! Er mer gerd, Perkets! 

Protocol analysis and packet "sniffing" is probably one of my favorite things. It is right up there with tinkering with the CUCM SQL DB and custom building scripts/apps to automate tasks. 

The Challenge

Getting the TFTP, SCCP, SIP, MGCP, etc. packet traces is easy. However, more and more of the communication transactions that Cisco UC applications are fulfilling rely on HTTPS. Transactions between IM&P and the UCM cluster and Mobile Remote Access (MRA) are only two of the more interesting things that some of us would like more visibility on. Also, let's not forget that using TLS for the aforementioned communication protocols could also make the underpinnings less transparent.

So, what is one to do? Well, we can use an application like Wireshark to view the packet traces. Of course, since the HTTPS communication is encrypted, we need to have access to the private keys to decrypt the communication. 

The process outlined herein covers how to download private keys for self-signed certificates.
The Procedure

The CentOS boot process is discussed in a separate blog entry (read that first). To access the private keys, do the following after booting into CentOS:

Note: It is recommended that you are enabling the network boot option with CentOS recovery process.

1. Go to the Tomcat cert directory using the following command:
cd /usr/local/platform/.security/tomcat/keys/

2. Execute the following command to create a format for use with Wireshark:
openssl pkcs8 -nocrypt -in tomcat_priv.pem -out tomcat-rsa-private.key

3. SFTP the file created in the previous step to your work station. I use Mac OSX, so SFTP is easily provisioned. If you are using a Windows OS then you can download a third-party application (maybe Filezilla server would work).

Unlike CentOS 5, CentOS 7 doesn't give you a network configuration wizard during the Recovery initialization process. You can provision the network after CentOS 7 is booted up using a process similar to this one

Using the Key in Wireshark

I'll probably provide a more detailed discussion with examples in a separate blog. That said, it would be a little unfair if I failed to give at least a high-level overview of the procedures for loading the RSA key from CUCM into Wireshark. The following procedures work on Mac OS X.

1. Launch Wireshark 

2. Go to Edit > Preferences

3. Go to Protocols > SSL

4. Click on the configuration option "RSA Keys List"

5. Click on New to add a new RSA key entry

6. Enter in the parameters and point to the RSA key file. Click on OK.

7. Click on Apply/OK

You should be good to go.

Thanks for reading. If you have time, post a comment!


  1. Great post as always.
    If might we worth noting that you can also inspect HTTPS traffic using Fiddler ( in some situations too. It basically acts as a web proxy which permits it to perform man-in-the-middle secure traffic inspection.

  2. Step 3 of the procedure, you can also utilize a local tftp or sftp server to move the file.
    sftp/tftp @
    put /usr/local/platform/.security/tomcat/keys/tomcat-rsa-private.key

  3. Hi Bill,
    I'll start by saying great post and thanks. My comment is more of a theoretical question. Do you envision this process can be used to manually replicate a CUCM TOMCAT SAN cert or csr to the IM&P server to use in place of the CUP-XMPP cert and CUP-XMPP-S2S. My thought process was to create one SAN cert on the CUCM that could be used for all CUCM & IM&P services.