| Author |
Message
|
| Trainee |
 Posted: Tue Jan 08, 2008 3:01 pm Post subject: SSL |
 |
|
Centurion
Joined: 27 Oct 2006
Posts: 124
|
Hi I am having issue working with SSL.
WMQ:Version: 6.0.2.2
OS:Windows XP 2002 Service pack1
Issue:SSL
Used ikeyman to configure SSL.
Have the QueueManagers QM3,QM4 in cluster .Both the Queue Managers on the same machine.
1:Created key repository for both queue managers
Created ssl key repository in the folder C:\IBM\WebSphere MQ\Qmgrs\QM3\ssl
Created ssl key repository in the folder C:\IBM\WebSphere MQ\Qmgrs\QM4\ssl
2.Alter the queue manager
ALTER QMGR SSLKEYR('C:\IBM\WebSphere MQ\qmgrs\QM4\ssl\qm4key');
ALTER QMGR SSLKEYR('C:\IBM\WebSphere MQ\qmgrs\QM3\ssl\qm3key');
3.Created self -signed certificate for each queue manager
I can see them in key database content -Personal Certificates
4.Extracted CA part of self-signed certificate from key repository and placed C:\IBM\WebSphere MQ for both the queue managers with different names.
5.Added that CA part of self signed certificate to the key repository.
Alter the queue manager
ALTER QMGR SSLKEYR('C:\IBM\WebSphere MQ\qmgrs\QM4\ssl\qm4key');
ALTER QMGR SSLKEYR('C:\IBM\WebSphere MQ\qmgrs\QM3\ssl\qm3key');
6. Alter the cluster channels SSL CipherSpec RC4_MD5_US (didn't work ) and then changed to RC4_MD5_EXPORT
7.Did the REFRESH SECURITY TYPE(SSL);
8.Restarted the Qmgrs....
SSL didn't work for me. Any one can tell what the steps that I missed. What is wrong here.
(Requesting ,Receiving a personal certificates ..what is this for).
Thank you
Trainee |
|
| Back to top |
|
 |
| Trainee |
| Posted: Wed Jan 09, 2008 7:14 am Post subject: |
|
|
Centurion
Joined: 27 Oct 2006
Posts: 124
|
Any one has any suggestion
Thanks
Trainee |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jan 09, 2008 7:24 am Post subject: Re: SSL |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Trainee wrote: |
What is wrong here.
|
I don't know - what's wrong here? What codes / messages are you getting? There must be something more specific being thrown other than the channels not starting.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Jan 09, 2008 7:33 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
There are very specific, step by step, instructions for how to set this up in the Security manual.
There is a lovely support pac MO04 that will create the necessary commands to accomplish this for you.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Jan 09, 2008 8:40 am Post subject: Re: SSL |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Trainee wrote: |
6. Alter the cluster channels SSL CipherSpec RC4_MD5_US (didn't work ) and then changed to RC4_MD5_EXPORT
|
You can't just throw darts hoping to get the right cipherspec. When you created the certs you chose a particular cipherspec. If the QM is using a cert with cipherspec XYZ, the channels must specify the same.
EDIT: Ignore this post; I don't know what I'm talking about!
_________________
Peter Potkay
Keep Calm and MQ On
Last edited by PeterPotkay on Wed Jan 09, 2008 2:03 pm; edited 1 time in total |
|
| Back to top |
|
|
| bbburson |
| Posted: Wed Jan 09, 2008 11:35 am Post subject: Re: SSL |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
| PeterPotkay wrote: |
| Trainee wrote: |
6. Alter the cluster channels SSL CipherSpec RC4_MD5_US (didn't work ) and then changed to RC4_MD5_EXPORT
|
You can't just throw darts hoping to get the right cipherspec. When you created the certs you chose a particular cipherspec. If the QM is using a cert with cipherspec XYZ, the channels must specify the same. |
WHAT? The certificates themselves don't know anything about cipherspecs. Those are specified on the channel definitions and must be the same at both ends of the channels. The same certificate can be used without regard to the channel cipherspec.
At least that's been my understanding and experience. |
|
| Back to top |
|
|
| Trainee |
| Posted: Wed Jan 09, 2008 1:01 pm Post subject: |
|
|
Centurion
Joined: 27 Oct 2006
Posts: 124
|
Thanks Everyone.
I read the security manual.I did try to do according the stpes,didn't work and posted here to take suggestions...any way I will try MO04
Trainee |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Jan 09, 2008 1:59 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Bruce, your absolutly right.
Me? 
The channels have to match on both ends. Somehow I convoluted that and said it has to match the cert as well, which doesn't make any sense. I should stop posting today......
Trainee, RC4_MD5_US is a valid Cipherspec on Windows according to the MQSC manual. I don't think that was the problem.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Trainee |
| Posted: Thu Jan 10, 2008 9:58 am Post subject: |
|
|
Centurion
Joined: 27 Oct 2006
Posts: 124
|
Then,
Did I miss any thing here.Any thing additional I have to do...
Thanks to every one
Trainee |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jan 10, 2008 10:07 am Post subject: Re: SSL |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Vitor wrote: |
| Trainee wrote: |
What is wrong here.
|
I don't know - what's wrong here? What codes / messages are you getting? There must be something more specific being thrown other than the channels not starting. |
Also, turn on SSL Events at the QM level. That might provide additional useful info about the problem.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Trainee |
| Posted: Fri Jan 11, 2008 11:10 am Post subject: |
|
|
Centurion
Joined: 27 Oct 2006
Posts: 124
|
|
| Back to top |
|
|
|
|
