| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
| SSL access from Java |
« View previous topic :: View next topic » |
| Author |
Message
|
| xxx |
 Posted: Sat May 22, 2004 10:36 pm Post subject: |
 |
|
Centurion
Joined: 13 Oct 2003
Posts: 137
|
Above step isgiving error: An error occurred while processing X509 certificates.
there is a bug in gsktool kit , using the IE explorer open the cert you received form the CA authority and then Export that to a file.
Now you will be able to add/receive the certificate on HP box |
|
| Back to top |
|
 |
| techno |
| Posted: Sun May 23, 2004 9:23 am Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003
Posts: 429
|
I didn't get it. Could you pl explain?
Creating all those certificates on hp-ux.
Also, I am not so clear where is this happening: CA signing on (Personal)certificate? |
|
| Back to top |
|
|
| harwinderr |
| Posted: Mon May 24, 2004 1:41 am Post subject: |
|
|
Voyager
Joined: 29 Jan 2002
Posts: 90
|
Well, when you are developing a production application, you might not want to purchase a true digital certificate until after you are done testing the application.
So, there is no need to create a CA certificate. Just create and use a self-signed certificate for testing purposes.
On HP-UX, if you have the gsk6cmd running then issue the following commands:
1.
| Code: |
| $ gsk6cmd -keydb -create -db /var/mqm/qmgrs/hsr1/ssl/key.kdb -pw password -type cms -expire 180 -stash |
This will create a key.kdb key database file in the directory /var/mqm/qmgrs/hsr1/ssl
2. Now create a self-signed certificate
| Code: |
| $ gsk6cmd -cert -create -db /var/mqm/qmgrs/hsr1/ssl/key.kdb -pw password -label ibmwebspheremqhsr1 -dn "CN=SH,O=OSH,C=CSH" -size 1024 |
Note the name of the label, its "ibmwebspheremq" followed by the name of the queue manager (hsr1 in this case)
3. Extract the certificate
| Code: |
| $ gsk6cmd -cert -extract -db /var/mqm/qmgrs/hsr1/ssl/key.kdb -pw password -label ibmwebspheremqhsr1 -target cert.arm |
Now, you need to FTP this "cert.arm" to the Windows box, and issue the following command
1.
| Code: |
| $ keytool -import -alias wmq -keystore keyStore -file cert.arm |
This wil create a trusted store called keyStore in the current directory and add cert.arm as a trusted certificate
That is all!!
For some of your other queries
| Quote: |
| SelfSigned Certificate that gets created by gsk6cmd- Is ita CA certificate? |
No, they are not CA certificates, they are just self-signed certificates generated by gsk6cmd for testing purposes.
| Quote: |
| Then where are the public and private keys? There has to be some key with qmgr, right! |
The public/private keys are in the key database file (key.kdb) and yes, there has to be some key associated with the qmgr. This is specified by naming the label of the certificate by "ibmwebspheremq" followed by the qmgr name.
Hope this will help. All the best  |
|
| Back to top |
|
|
| techno |
| Posted: Mon May 24, 2004 2:46 pm Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003
Posts: 429
|
Above is fine. Thank you.
I am getting the error while adding personal cert (Not self-signed) to key database..
| Code: |
On HP-UX
// Adding Personal Certificate to KeyStore
gsk6cmd -cert -receive -file MyPersCert -db /var/mqm/qmgrs/QMGR/ssl/key.kdb
Above step isgiving error: An error occurred while processing X509 certificates.
Also, How is CA linked to above personal certificate? Personal Certificate shold be signed by CA? (MYCA)(so that client will assume that server is valid) |
|
|
| Back to top |
|
|
| harwinderr |
| Posted: Tue May 25, 2004 9:55 pm Post subject: |
|
|
Voyager
Joined: 29 Jan 2002
Posts: 90
|
You dont need to add the self-signed personal certificate to the key database file, because when you create the personal certificate using gsk6cmd, it is added to db file.
If you are trying to add a personal certifiacate received from a CA, then check the format of the certificate. |
|
| Back to top |
|
|
| xxx |
| Posted: Thu May 27, 2004 6:02 am Post subject: |
|
|
Centurion
Joined: 13 Oct 2003
Posts: 137
|
gsk6cmd -cert -receive -file MyPersCert -db /var/mqm/qmgrs/QMGR/ssl/key.kdb
sorry for the late reply , You are not able to receive the cert from CA ,
the work around for this is to open the cert you got from the CA on windows , i.e just double click it on you desktop , and once you do this there is an option to export it to a file, so export it do some temp.arm
Now you will be able to recevie the cert on HP machine, This is only for CA certs not selfsinged ones |
|
| Back to top |
|
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
