MQSeries.net Forum Index » General IBM MQ Support » SSL, SSL, SSL and more SSL

Post new topic  Reply to topic
SSL, SSL, SSL and more SSL
jonny
Posted: Mon Jan 24, 2005 4:43 am    Post subject: SSL, SSL, SSL and more SSL

Acolyte

Joined: 03 Jul 2003
Posts: 57

Hi,

I have spent so much time configuring SSL that I have started seeing SSL in my dreams!!!

We have a number of Solaris 8 and Windows 2000 and XP platforms. Some are running MQ client whereas others are running MQ server. We are using WMQ 5.3 CSD8.

The SSL testing covers the following scenarios:

Solaris Queue Manager V Solaris Queue Manager
Solaris Queue Manager V Solaris MQ client
Solaris Queue Manager V Solaris MQ Java Client
Solaris Queue Manager V Windows MQ Client
Solaris Queue Manager V Windows MQ Java Client
Solaris Queue Manager V Windows Queue Manager
Windows Queue Manager V Solaris MQ Client
Windows Queue Manager V Solaris MQ Java Client
Windows Queue Manager V Windows MQ Client
Windows Queue Manager V Windows MQ Java Client
Windows Queue Manager V Windows Queue Manager



My understanding is that there are two types of certificates:

- Self-signed certificates: Where each system must store the certificates of all the other systems they connect to

- CA-signed certificates: A certificate request is first generated and then sent to a CA (or in-house CA); once the certificate is signed by the CA, it is then imported together with the CA certificate


We decided to test the above scenarios using both types of certificates.

Using self-signed certificates:
===============================

I have used iKeyman on Solaris to create certificates. For Windows, I generated the certificate on Solaris using iKeyman then FTP them back to Windows and import them using amqmcert. For Java client I used keytool, but I was getting some problems, and IBM then said that I wouldn't be able to use self-signed certificate with Java, and gave the following explanation:

"The reason for this is that the client does not have a certificate to authenticate itself. The Self-signed certificate in the java keystore is a trustedCAcert and not a keyEntry i.e. the certificate does not have a private key. After the server has authenticated itself the client will fail to supply a certificate causing the 2009 exception.

To get round this both client and server must have a personal certificate that has been signed by a CA certificate. Both server and client keystores must also contain the CA certificate."


Using In-House CA Certificates:
===============================

We didn't want to use CA certificates, nor openSSL. So we generated the CA certificate ourselves, which we then use to sign certificates. This CA was created on Solaris using iKeyman, and given the label THECA. This CA is then exported to all other systems. For each system a certificate request is required, which is then signed by the CA. Here are the steps:

- Generate the CA certificate:
gsk6cmd -cert -create -db key.kdb -pw password -label THECA -dn "CN=CA,O=Organisation,C=GB" -size 1024 -default_cert yes

- Export the CA certificate
gsk6cmd -cert -extract -db key.kdb -pw password -label THECA -target ca.cer

- Create a certificate request (for example for QM1 on a Solaris machine)
gsk6cmd -certreq -create -db key.kdb -pw password -label ibmwebspheremqqm1 -dn "CN=qm1,O=organisation,C=GB" -size 1024 -file qm1.req

- Sign the certificate request (the certificate request file must be copied to the machine where the CA was generated)
gsk6cmd -cert -sign -file qm1.req -db key.kdb -pw password -label THECA -target qm1.sig -format binary -expire 300

- Receive the signed personal certificate (the signed certificate above must be copied back to where the request was generated)
gsk6cmd -cert -receive -file qm1.sig -db key.kdb -pw password -format binary


Questions:
==========

The CA type of certificate works fine on Solaris, but how would I create a certificate request on Windows? I tried makecert, but it doesn't seem to have the option to create a certificate request.

For Java client I was able to create a certificate request, after the key was generated, but I was getting the following error when I tried to test the SSL connection:
"Error accessing Socket Streams"


Thanks in advance
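Added example, not part of this thread: a Go program that re-creates the in-house CA flow from the post above (create the CA, generate a request on the requesting system, sign it on the CA system, receive the result) with the standard crypto/x509 package, and then runs a loopback TLS handshake with crypto/tls in which the server requires a client certificate. The handshake reproduces the failure IBM describes in the quoted explanation: a client whose store holds only the trusted CA entry and no key entry is rejected, while a client holding a CA-signed personal certificate connects. gsk6cmd, GSKit and the MQ Java client are not involved, so the function names NewCA, Sign, Enrol and Handshake, the client name app1, the DN layout CN=...,O=Organisation,C=GB and the use of P-256 keys (the thread used RSA 1024) are this example's own choices; the DNS SAN is there only because Go checks host names where MQ matches the certificate DN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics only where failure means a broken random source or DER we produced ourselves.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func dn(cn string) pkix.Name { // assumed layout, following the thread's "CN=...,O=Organisation,C=GB"
	return pkix.Name{CommonName: cn, Organization: []string{"Organisation"}, Country: []string{"GB"}}
}

// NewCA is the thread's in-house CA ("gsk6cmd -cert -create -label THECA"), a
// self-signed certificate. P-256 keys are used here; the thread used RSA 1024.
func NewCA(cn string, days int) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: dn(cn), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Sign runs on the CA system ("gsk6cmd -cert -sign ... -expire <days>"): only the
// request travels there, the requester's private key never does.
func Sign(ca tls.Certificate, csrDER []byte, days int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester proved it holds the key
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		DNSNames: csr.DNSNames, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, csr.PublicKey, ca.PrivateKey)
}

// Enrol is the requesting system's side: "gsk6cmd -certreq -create", Sign at the
// CA, then "-cert -receive" pairs the signed certificate with the local key
// (a GSKit personal certificate or JKS keyEntry). The DNS SAN only serves Go's
// hostname check; MQ matches the DN instead.
func Enrol(ca tls.Certificate, cn string, days int) (tls.Certificate, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: dn(cn), DNSNames: []string{cn}}, key))
	der, err := Sign(ca, csrDER, days)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}, nil
}

// Handshake runs one loopback TLS handshake in which the server demands and
// verifies a client certificate, as an MQ channel requiring client authentication
// does. Passing no client certificate models a Java keystore that holds only the
// trusted CA entry: it can verify the server but has nothing to present, so it fails.
func Handshake(ca, server tls.Certificate, client ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{Certificates: client, RootCAs: pool, ServerName: server.Leaf.Subject.CommonName}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	conn, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cliErr == nil {
		conn.Close()
	}
	if serr := <-srvErr; serr != nil {
		return serr
	}
	return cliErr
}
```

With ca := NewCA("CA", 365) and qm1 and app enrolled through Enrol(ca, "qm1", 300) and Enrol(ca, "app1", 300), Handshake(ca, qm1, app) returns nil, Handshake(ca, qm1) returns the server's "client didn't provide a certificate" error, and a handshake against a CA that is not in the trust store fails on both sides. The server error is returned in preference to the client error because a TLS 1.3 client finishes its handshake before the server has checked the client certificate, so in the no-key-entry case the client alone would report success.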
GaryGWood
Posted: Mon Jan 24, 2005 1:08 pm    Post subject:

Apprentice

Joined: 14 Oct 2003
Posts: 48
Location: Austin, TX

Quote:
... IBM then said that I wouldn't be able to use self-signed certificate with Java ...


They misled you here. I have used self-signed certificates with Java and MQ. Here is the link where I got the info on how to do it as well as everything needed to get SSL working (at least everything I needed). While this is Windows centric, we use self-signed on a number of Unix boxes as well.
jonny
Posted: Tue Jan 25, 2005 10:04 am    Post subject:

Acolyte

Joined: 03 Jul 2003
Posts: 57

Thanks Gary,

I don't get the "Error accessing socket stream" message once I have added the lines you've mentioned (on Windows). So why does it fail when passing the truststore and keystore as parameters?


But I get the same error when I try to run it on Solaris after including the same code (with the location of the truststore and keystore changed) as follows:

System.setProperty("javax.net.ssl.trustStore","/var/mqm/ssl//keystore"); //Path to trustStore
System.setProperty("javax.net.ssl.trustStorePassword", "password"); //trustStore password
System.setProperty("javax.net.ssl.keyStore","/var/mqm/ssl//keystore"); //Path to keyStore
System.setProperty("javax.net.ssl.keyStorePassword", "password"); //keyStore password

Any idea?

Thanks
GaryGWood
Posted: Mon Feb 07, 2005 12:31 pm    Post subject:

Apprentice

Joined: 14 Oct 2003
Posts: 48
Location: Austin, TX

Sorry for the delay in responding - been out of the office.

I'm afraid I'm not a Solaris expert, but it seems I recall that the stores are managed differently there - anybody else recall that?