Adding a PFX certificate at Broker Level
digoshc
Posted: Fri Oct 25, 2013 3:41 am    Post subject: Adding a PFX certificate at Broker Level
Apprentice
Joined: 11 Jul 2013    Posts: 25
Hi Guys,
I'm not a security specialist, so this might be a beginner question. I need to consume a Web Service via SSL and I do have a PFX certificate bag. I'm struggling to set up a Public Key Infrastructure at Broker Level. I do have the steps for a JKS certificate and it needs 2 files, a .jks and a .der file, but I only have one *.pfx file.
The steps to configure the jks that I have are the following:
Code:
-- create a certificate repository
runmqckm -keydb -create -db myBrokerTruststore -pw passw0rd -type jks
-- Add a certificate to repository
runmqckm -cert -add -db myBrokerTruststore.jks -label LABEL -file XXXXX.der -format binary
-- verify the certificate was successfully added
runmqckm -cert -details -db myBrokerTruststore.jks -label LABEL
-- add the certificate as trust at broker level
mqsichangeproperties MB8BROKER -o BrokerRegistry -n brokerTruststoreFile -v /PATH/myBrokerTruststore.jks
mqsisetdbparms MB8BROKER -n brokerTruststore::password -u ignore
I already looked at http://pic.dhe.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fap12235_.htm, but the examples there use the gsk7cmd tool, and I don't have it, nor do I know what it is.
So, any comments on what I'm doing wrong? Why does the broker need a .der file for jks certificates? Does PFX also need one?
Thanks in advance,
fjb_saper
Posted: Fri Oct 25, 2013 5:03 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Try just transforming the pkcs12 repository into a JKS repository...
This should do half the trick...
_________________
MQ & Broker admin
mgk
Posted: Fri Oct 25, 2013 11:52 am    Post subject:
Padawan
Joined: 31 Jul 2003    Posts: 1642
Hi, as you say you are new to this area I want to point out that to consume a service you may not need to add a certificate to the trust store if the cert is signed by one of the big certificate providers as the broker default truststore already contains their certs. If it is a self signed cert however, then of course you will. If you are trying to do "mutual auth" then you should be changing the "keystore" not the "truststore".
That said, if you want to change the truststore you may be able to use the pfx directly, by changing the Broker's truststore type to "pkcs12" and pointing the truststore directly to the pfx file. I have done this for inbound certs fine, but not tried it for outbound. Did the pfx come from a Windows certificate export?
Also, you can use the java "keytool" command line program to manipulate the keystores/truststores to add certs, delete certs and view certs. For example to view the contents of your file try this command:
Code:
keytool -list -keystore myTest.pfx -storetype pkcs12
Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
digoshc
Posted: Sun Oct 27, 2013 12:57 pm    Post subject:
Apprentice
Joined: 11 Jul 2013    Posts: 25
mgk wrote:
Hi, as you say you are new to this area I want to point out that to consume a service you may not need to add a certificate to the trust store if the cert is signed by one of the big certificate providers as the broker default truststore already contains their certs. If it is a self signed cert however, then of course you will. If you are trying to do "mutual auth" then you should be changing the "keystore" not the "truststore".

Good point to know. I believe it's not "mutual auth", but I'm going to double-check.

mgk wrote:
That said, if you want to change the truststore you may be able to use the pfx directly, by changing the Broker's truststore type to "pkcs12" and pointing the truststore directly to the pfx file. I have done this for inbound certs fine, but not tried it for outbound. Did the pfx come from a Windows certificate export?

I've tried that using runmqckm but didn't have any luck; then I learned from the MQ info center that runmqckm supports JKS and JCEKS key repository types, and that runmqakm does not support PFX files and suggests using iKeyman. Then, I decided to convert my certificate repository PFX to .DER format and was able to complete the procedure successfully. What tool have you used to point the truststore to pfx? gsk7cmd?

mgk wrote:
Also, you can use the java "keytool" command line program to manipulate the keystores/truststores to add certs, delete certs and view certs. For example to view the contents of your file try this command:
Code:
keytool -list -keystore myTest.pfx -storetype pkcs12

Nice, I had some fun with keytool commands discovering more about the certificate bag. So, bottom line, my solution was to convert the PFX to a DER file and create a truststore in JKS format, kind of like your suggestion, @fjb_saper.
Thank you guys,
Rodrigo
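As an added example (not code from any post in this thread), a POSIX shell sketch of the route the thread settles on: pull only the certificate out of the .pfx as DER with openssl, import it into a JKS truststore with keytool instead of runmqckm, and register it with the broker using the commands from the first post. It assumes openssl and a JDK keytool on PATH; file names, the LABEL alias and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Builds the broker
# truststore from a .pfx: certificate out as DER, DER into JKS, JKS
# registered with the broker.
# Assumes openssl and the JDK keytool are on PATH; all names are placeholders.
set -eu

# 1. Extract only the end-entity certificate from the PKCS#12 bag as DER.
#    A .pfx also carries the private key; -nokeys keeps it out of the
#    truststore, which only ever needs the public certificate.
pfx_to_der() {
    pfx=$1; pass=$2; der=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        | openssl x509 -outform DER -out "$der"
}

# 2. Sanity check: print the subject of the DER certificate before importing.
der_subject() {
    openssl x509 -inform DER -in "$1" -noout -subject
}

# 3. Create (or extend) the JKS truststore with the DER certificate;
#    the same result "runmqckm -cert -add" gives in the first post.
der_to_jks() {
    der=$1; jks=$2; label=$3; storepass=$4
    keytool -importcert -noprompt -keystore "$jks" -storetype jks \
        -storepass "$storepass" -alias "$label" -file "$der"
}

# 4. Verify the entry is present (equivalent of "runmqckm -cert -details").
jks_list() {
    keytool -list -keystore "$1" -storetype jks -storepass "$2"
}

# 5. Register the truststore with the broker, as in the first post; the
#    store password is handed to mqsisetdbparms with -p.
register_truststore() {
    jks=$1; storepass=$2
    mqsichangeproperties MB8BROKER -o BrokerRegistry -n brokerTruststoreFile -v "$jks"
    mqsisetdbparms MB8BROKER -n brokerTruststore::password -u ignore -p "$storepass"
}

# Typical run (placeholder names):
#   pfx_to_der service.pfx 'pfx-password' service.der
#   der_subject service.der
#   der_to_jks service.der myBrokerTruststore.jks LABEL passw0rd
#   jks_list myBrokerTruststore.jks passw0rd
#   register_truststore /PATH/myBrokerTruststore.jks passw0rd
```

The truststore ends up holding only the certificate; the private key stays inside the .pfx and is only needed for mutual authentication, where (as mgk notes) it belongs in the keystore rather than the truststore.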