enabling SSL on MQ Server and MQ base java |
pythonrocks |
Posted: Mon Nov 07, 2005 3:11 pm Post subject: enabling SSL on MQ Server and MQ base java |
 Newbie
Joined: 08 Aug 2005 Posts: 3
This is for sharing my experience here. I didn't find any good and simple document telling me the steps, so I've decided to write my own how-to version. This is actually my 1st day to act as an MQ admin, my MQ admin is off for the vacation.
I've successfully enabled SSL on MQ Server with a self assigned certificate. Oh well, this is not for production :-).
In addition, I correctly set up the MQ base Java to talk to the server. It seems quite straightforward once I figured it out. However the MQ document is a little hard to digest. As a side effect, I found it is so easy to turn on/off SSL on the channel dynamically by runmqsc "alter channel". The Java client can be configured to run in SSL or non SSL mode dynamically too. I even used tcpdump to verify SSL and non SSL traffic. It works great.

Environment
MQ Server: 5.3, AIX 5.2, no ssl has been configured before.
MQ base java: 5.3, running remote on Windows or AIX.

Configure the MQ Server
====================
gsk6cmd is used here to create key.kdb (if necessary), create a self assigned certificate, export to a .ARM file.
Let us assume the qmgr is called FOO.

1. (If necessary) create a key.kdb (crt_kdb.sh) for MQ Server.

    /home/victor> cat crt_kdb.sh
    export JAVA_HOME=/usr/mqm/ssl/jre
    gsk6cmd -keydb -create -db key.kdb -pw changeit -type cms -expire 365 -stash

2. Create a self assigned certificate in key.kdb.

    /home/victor> cat crt_cert.sh
    export JAVA_HOME=/usr/mqm/ssl/jre
    gsk6cmd -cert -create -db key.kdb -pw changeit -label ibmwebspheremqfoo -dn CN=AUGUSTA,O=CCE,C=US -expire 365 -size 1024 -x509version 3

Note the fixed "ibmwebspheremq<qmgr in lower case>".
qmgr Foo becomes "foo" here.

3. Export the ibmwebspheremqfoo to .arm format (foo.arm)

    /home/victor> cat ext_cert.sh
    export JAVA_HOME=/usr/mqm/ssl/jre
    gsk6cmd -cert -extract -db key.kdb -pw changeit -label ibmwebspheremqfoo -target foo.arm -format ascii

4. Log on as mqm, copy the key.kdb, key.sth to /var/mqm/qmgrs/FOO/ssl.

5. Log on as mqm, turn on SSL for the channel "FOO.CLIENT", only SVRCONN is needed. Here is how to turn on/off the SSL on the fly.

    cat ssl.mqsc | runmqsc FOO

    $ cat ssl.mqsc
    alter channel(FOO.CLIENT) CHLTYPE(SVRCONN) SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL)

Optionally, to turn the SSL off,

    cat nossl.mqsc | runmqsc FOO

    $ cat nossl.mqsc
    alter channel(FOO.CLIENT) CHLTYPE(SVRCONN) SSLCIPH('')

Configure MQ base java.
========================
1. Use keytool -keystore cacerts -import -file foo.arm

2. In the code, make sure this line runs.

    MQEnvironment.sslCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA";

In my case, I only set the CipherSuite when some property "sslEnabled" is true from an XML file. In this way, I can turn the SSL on/off from the client to match what is on the MQ server side.
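
Added example, not part of the original post and not the poster's code: one way to implement the client-side toggle described in step 2 above, using MQ base Java's MQEnvironment and MQQueueManager. The class name, the host name, the property keys other than "sslEnabled", and the use of the java.util.Properties XML format are assumptions; the embedded configuration is constructed sample data.

```java
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import java.io.ByteArrayInputStream;
import java.util.Properties;

public class SslToggleClient {
    // Constructed sample config (hypothetical keys and host); normally read from a file.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\">"
      + "<properties>"
      + "<entry key=\"host\">mqhost.example.com</entry>"
      + "<entry key=\"port\">1414</entry>"
      + "<entry key=\"channel\">FOO.CLIENT</entry>"
      + "<entry key=\"qmgr\">FOO</entry>"
      + "<entry key=\"sslEnabled\">true</entry>"
      + "</properties>";

    // Returns the CipherSuite paired with SSLCIPH(TRIPLE_DES_SHA_US) on the
    // SVRCONN channel, or null, which makes the client connect without SSL.
    static String cipherSuiteFor(Properties cfg) {
        boolean ssl = Boolean.parseBoolean(cfg.getProperty("sslEnabled", "false"));
        return ssl ? "SSL_RSA_WITH_3DES_EDE_CBC_SHA" : null;
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        cfg.loadFromXML(new ByteArrayInputStream(SAMPLE_XML.getBytes("UTF-8")));

        MQEnvironment.hostname = cfg.getProperty("host");
        MQEnvironment.port = Integer.parseInt(cfg.getProperty("port", "1414"));
        MQEnvironment.channel = cfg.getProperty("channel");
        MQEnvironment.sslCipherSuite = cipherSuiteFor(cfg);

        try {
            MQQueueManager qmgr = new MQQueueManager(cfg.getProperty("qmgr"));
            System.out.println("Connected, SSL=" + (MQEnvironment.sslCipherSuite != null));
            qmgr.disconnect();
        } catch (MQException e) {
            // A client/channel cipher mismatch or an untrusted certificate ends up here.
            System.err.println("Connect failed: CC=" + e.completionCode + " RC=" + e.reasonCode);
        }
    }
}
```

Because foo.arm was imported into the JRE's cacerts in step 1, the client uses the default trust store and no trust store property is set here.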
raghug |
Posted: Thu Apr 17, 2008 8:23 am Post subject: I follow your steps I got error please help me |
Acolyte
Joined: 19 Jul 2006 Posts: 60 Location: NJ
Hello
I follow your steps as well as
I got below error
20086 - An error occurred while opening files, check for file existence and permissions
I did not understand where you created these two files key.kdb, key.sth
Thanks
mvic |
Posted: Thu Apr 17, 2008 8:28 am Post subject: Re: I follow your steps I got error please help me |
 Jedi
Joined: 09 Mar 2004 Posts: 2080