SSL

solomon_13000 (Master; Joined: 13 Jun 2008; Posts: 284)
Posted: Thu Aug 21, 2008 7:41 pm    Post subject: SSL

How do I know that SSL is not up on my server? How do I verify this at my end? Because if SSL is not up then the channel will enter the retrying mode. According to one article, if the SSLCIPH attribute value is set to null it means that SSL is turned off, and if a string parameter is stated in this attribute it means SSL is turned on. Is this true?
			   
			 
Tibor (Grand Master; Joined: 20 May 2001; Posts: 1033; Location: Hungary)
Posted: Fri Aug 22, 2008 5:21 am    Post subject:

Firstly, look at the queue manager's keystore info:
 
   
Code:

$ runmqsc QM01
     7 : dis qmgr sslkeyr
AMQ8408: Display Queue Manager details.
   QMNAME(QM01)                            SSLKEYR(/var/mqm/qmgrs/QM01/ssl/key)

$ ls -l /var/mqm/qmgrs/QM01/ssl/key*
-rw-------   1 mqm      mqm              80 Feb 20 2007  /var/mqm/qmgrs/QM01/ssl/key.crl
-rw-------   1 mqm      mqm          100080 Feb 20 2007  /var/mqm/qmgrs/QM01/ssl/key.kdb
-rw-------   1 mqm      mqm              80 Feb 20 2007  /var/mqm/qmgrs/QM01/ssl/key.rdb
-rw-------   1 mqm      mqm             129 Sep 29 2005  /var/mqm/qmgrs/QM01/ssl/key.sth

But this is only the SSL keystore information, and it isn't necessary for using in network traffic. You can ask for the channel status information, e.g.

DISPLAY CHSTATUS(*) SSLPEER SSLCERTI

Where SSLPEER is not empty, the channel traffic is using SSL based on the SSLCIPH channel attribute.
			   
			 
zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Sat Aug 23, 2008 4:39 pm    Post subject:

Yes, if the SSLCIPH in your channel definition is blank, it means your channel is not using SSL.

And, to enable SSL, you have to make sure:

1) you create the key ring / key store.
2) alter qmgr to use the key ring / key store.
3) alter the channel to use an SSLCIPH. SSLCAUTH and SSLPEER can also be set.

Of course, all necessary certs must be created, imported and labeled correctly.
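
The two checks described in the replies above (a blank SSLCIPH in the channel definition, and a non-empty SSLPEER in DISPLAY CHSTATUS output), combined in an added example that is not part of any forum post: a Python parser for runmqsc output. The sample output, the channel name APP.SVRCONN and the function names are constructed for illustration, and attribute values are assumed not to wrap across lines.

```python
import re
# Constructed, abbreviated runmqsc output (not from the thread).
SAMPLE = """\
     1 : DISPLAY CHANNEL(*) SSLCIPH SSLCAUTH
AMQ8414: Display Channel details.
   CHANNEL(SSL.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(REQUIRED)                      SSLCIPH(RC4_MD5_US)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(REQUIRED)                      SSLCIPH( )
     2 : DISPLAY CHSTATUS(*) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(SSL.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCERTI(CN=Example CA,O=Example)       SSLPEER(CN=client1,O=Example)
   STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCERTI( )                             SSLPEER( )
   STATUS(RUNNING)
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")   # NAME(value); a blank value prints as "( )"

def parse_records(text):
    """Split runmqsc output into one {ATTR: value} dict per AMQnnnn record."""
    records = []
    for line in text.splitlines():
        if re.match(r"AMQ\d+\w?:", line):
            records.append({})
        elif records and not re.match(r"\s*\d+ : ", line):  # skip echoed commands
            for name, value in ATTR.findall(line):
                records[-1][name] = value.strip()
    return records

def ssl_report(text):
    """Per channel: configured SSLCIPH, and whether a running instance shows an SSLPEER."""
    report = {}
    for attrs in parse_records(text):
        if "CHANNEL" not in attrs:
            continue
        entry = report.setdefault(attrs["CHANNEL"], {"cipher": "", "ssl_in_use": False})
        if "STATUS" in attrs:            # DISPLAY CHSTATUS record
            entry["ssl_in_use"] |= bool(attrs.get("SSLPEER"))
        elif "SSLCIPH" in attrs:         # DISPLAY CHANNEL record
            entry["cipher"] = attrs["SSLCIPH"]
    return report

if __name__ == "__main__":
    print(ssl_report(SAMPLE))
```

A channel that reports an empty cipher and `ssl_in_use` False, as APP.SVRCONN does in the sample, is running without SSL.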
			   
			 
jeevan (Grand Master; Joined: 12 Nov 2005; Posts: 1432)
Posted: Tue Aug 26, 2008 3:50 pm    Post subject:

zhanghz wrote:
> Yes, if the SSLCIPH in your channel definition is blank, it means your channel is not using SSL.
>
> And, to enable SSL, you have to make sure:
>
> 1) you create the key ring / key store.
> 2) alter qmgr to use the key ring / key store.
> 3) alter the channel to use an SSLCIPH. SSLCAUTH and SSLPEER can also be set.
>
> Of course, all necessary certs must be created, imported and labeled correctly.

I am currently working on SSL and got the initial SSL server authentication working. However, I am still not sure about:

the difference between adding a certificate or importing a certificate
extract and/or export

Are these two terms the same?

For those who are struggling (like me), the red book I mentioned in another post of mine in this forum is really helpful and has a good explanation.

http://www.mqseries.net/phpBB2/viewtopic.php?t=44927
			   
			 
solomon_13000 (Master; Joined: 13 Jun 2008; Posts: 284)
Posted: Sat Sep 20, 2008 10:19 am    Post subject:

Quote:
> you create the key ring / key store.

So the key store holds the digital certificate.

Quote:
> alter qmgr to use the key ring / key store.

This is done by ALTER QMGR SSLKEYR(mynewfile). Then I need to use amqmcert to add a public cert to the queue manager.

Quote:
> alter the channel to use an SSLCIPH. SSLCAUTH and SSLPEER can also be set.

ALTER CHL(SSL.SVRCONN) SSLCIPH(RC4_MD5_US)

SSLCAUTH - Optional but is used to authenticate the cert from the client
SSLPEER - Optional but is used to differentiate the cert from the client

Is this correct?
			   
			 