Process for renewing digital certificates
Author: bbburson (Partisan; Joined: 06 Jan 2004; Posts: 378; Location: Nowhere near a queue manager)
Posted: Wed Feb 22, 2006 2:25 pm
Post subject: Process for renewing digital certificates
I've searched this site and have not found info about what happens when digital certificates have to be renewed. We're a few months out from our first certificate expirations and I want to make sure I have a good handle on what I need to do to keep things flowing.

Some of the questions I have include:
-- how far ahead of expiration can I order the new certificates?
-- does the lifetime of the new certificate start at the end of life for the one it is replacing, or at the time the new cert is ordered?
-- what has to be done to put the new certificates in place for the queue managers to use them?
-- what gotchas are lurking out there that need special attention?

I'll study the Security manual to see what it says about this topic, but I want real-world experiences as well.

Thanks in advance,
Author: csmith28 (Grand Master; Joined: 15 Jul 2003; Posts: 1196; Location: Arizona)
Posted: Thu Feb 23, 2006 6:10 am
The process is a bit different on every platform. I have worked with AIX/SSL Certs for MQSeries but not on Windows, Solaris, HP/UX or any other platform.

Don't request your new Cert until it is ready to expire. The new Certs will expire 365 days after they are created, not the date they are applied.

Here are the instructions I wrote/used last year for AIX51/MQ5.3.0.6.

Quote:
Everything you wanted to know about SSL on AIX5.1 for MQ5.3 but were afraid to ask.
1.1 SSL Installation on MQSeries 5.3 on AIX 5.1 Server
1.2 Opening the MQ SSL gsk6ikm GUI Interface
1.3 Request SSL Cert for MQServer
1.4 Installing SSL Cert for MQServer
1.5 Renew SSL Cert for MQServer
 
1.1 SSL Installation on MQSeries 5.3 on AIX 5.1 Server
These instructions assume that MQSeries 5.3 has been installed. To confirm this run the following command: # lslpp -l | grep -i mqm

You should see the following filesets:
mqm.Client.Bnd, mqm.Server.Bnd, mqm.base.runtime, mqm.base.samples, mqm.base.sdk, mqm.client.rte, mqm.java.rte, mqm.keyman.rte, mqm.man.en_US.data, mqm.msg.en_US, mqm.server.rte

If xlC.aix50.rte 5.0.0.6 or better is not installed the gsk6ikm GUI will throw the following error message: "The Java native library was not correctly loaded. You can work only with a pure Java based key databases but not a CMS key database."

To check the current version of xlC.aix50.rte run: lslpp -ha "xlC.*"

Once the above is completed follow the steps in section 1.2 to open the /usr/bin/gsk6ikm GUI then return to this section to complete the installation.
 
 1.2 Opening the MQ SSL gsk6ikm GUI Interface
 
 1. log on to each server as root
 2. ksh
 3. set -o vi
 4. stty erase ^?
 5. export JAVA_HOME=/usr/mqm/ssl/jre
 6. export DISPLAY=yourIP:0.0
 7. execute /usr/bin/gsk6ikm & then wait for the GUI to load.
8. click "Key Database File -> Open"
 9. for Key Database Type select CMS
 10. the file name should be key.kdb
 11. location is /var/mqm/qmgrs/MQMgrName/ssl
 12. click OK
 13. enter password
 
 1.3 Request SSL Cert for MQServer
 
 1. follow the steps in Section 1.1 to bring up the gsk6ikm GUI
 2. in the drop down menu select “Personal Certificates”
 3. select “Create > Create New Key and Certificate Request”
 4. enter the path to the directory where you want the file created (preferred location is /var/mqm/qmgrs/QMGR/ssl/<year>)
 5. the Cert Label should be ibmwebspheremq<MQMgrName><year> for example: ibmwebspheremqQMGR2003
 6. fill in the rest of the information, website if any, business unit, city, state ZIP and click Ok
 7. log on to server as root
 8. cd /export/depot/mqsslcerts/<year as in 2003>/servername
 9. ftp to the server you just generated the Cert Request on then cd /var/mqm/qmgrs/MQMGR/ssl/<year> or go to the location you chose and get the certreq.arm
 10. using ASCII mode type get
 11. enter certreq.arm for the remote file
 12. enter certreq.arm for the local file
 13. bye
 14. go to the SSL Cert Request web site
 15. fill out the information requested
16. vi the certreq.arm file and remove all the ^M's at the end of each line, then copy and paste the certreq.arm from the begin line to the end line into the form and submit.
 
 
 1.4 Installing NEW SSL Cert for MQServer
 
 1. follow the steps in Section 1.1 to open the gsk6ikm GUI
 2. follow the steps in Section 1.2 if you have not already requested your Certs.
3. once you have opened the GUI and received your new Certs change the drop down to "Signer Certificate" and click the "Add" button and browse to or enter file name "gte_root_ca_cer" then enter the path in the location field "/var/mqm/qmgrs/MQMGR/ssl/<year>". NOTE: if there are existing instances of "GTE CyberTrust" or "Company Authority" select and delete them.
4. enter GTE CyberTrust_<year> as the Label
5. click "Add" again and browse to or enter file name "***_ca01_ca_cer" then enter the path in the location field "/var/mqm/qmgrs/MQMGR/ssl/<year>"
6. enter "Company Authority Certificate_2005" as the label name
7. change the drop down to "Personal Certificates"
8. click "Receive" and browse to or enter the path "/var/mqm/qmgrs/MQMGR/ssl/<year>" and file name "<server>_cer"
9. enter "ibmwebspheremq{qmgrname}{year}" as the label name, for example ibmwebspheremqMQMGR2005
10. View the Cert and write down the expiration date
11. then you need to extract the cert.der and send a copy of it to whoever needs it; to do this click on "Extract Certificate"
12. Change the drop down menu from Base64-encoded ASCII to Binary and select the path to where you want the cert.der file created, as in "/var/mqm/qmgrs/MQMGR/ssl/<year>/cert.der", and click OK. NOTE: click OK if it prompts you to replace an existing file
13. Once the cert.der is generated ftp it to your workstation and email it to whomever, noting what server the Cert was installed on and the expiration date.
14. Then place a backup copy of the cert.der, <server>_cer, ***_ca01_ca_cer and gte_root_ca_cer on a server in /export/home/mqsslcerts/<year>/server.
 
 
 1.5 Renew SSL Cert for MQServer
 
 1. follow the steps in Section 1.1 to open the gsk6ikm GUI
 2. follow the steps in Section 1.2 if you have not already requested your Certs.
3. once you have opened the GUI and received your new Certs change the drop down to "Signer Certificate" then click the "Add" button and browse to or enter file name "gte_root_ca_cer" then enter the path in the location field "/var/mqm/qmgrs/MQMGR/ssl/<year>". NOTE: if there are existing instances of "GTE CyberTrust" or "Company Authority" select and delete them.
4. enter GTE CyberTrust as the Label
5. click "Add" again and browse to or enter file name "***_ca01_ca_cer" then enter the path in the location field "/var/mqm/qmgrs/MQMGR/ssl/<year>"
6. enter "Company Authority" as the label name
7. change the drop down to "Personal Certificates"
8. click "Receive" and browse to or enter the path "/var/mqm/qmgrs/MQMGR/ssl/<year>" and file name "<server>_cer"
9. enter "ibmwebspheremq{qmgrname}{year}" as the label name, for example ibmwebspheremqMQMGR_2005
10. View the Cert and write down the expiration date
11. then you need to extract the cert.der and send a copy of it to Guy Perara; to do this click on "Extract Certificate"
12. Change the drop down menu from Base64-encoded ASCII to Binary and select the path to where you want the cert.der file created, as in "/var/mqm/qmgrs/MQMGR/ssl/<year>/cert.der", and click OK. NOTE: click OK if it prompts you to replace an existing file
13. Once the cert.der is generated ftp it to your workstation and email it to whomever, noting what server the Cert was installed on and the expiration date.
14. Then place a backup copy of the cert.der, ServerCert.cer, wf_ca.cer and root_ca.cer on a server in /export/home/mqsslcerts/year/server. NOTE: in production, to avoid an outage do not delete the existing ibmwebspheremqxxxxxx.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.
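Steps 10 and 12 above have you view each received certificate, write down its expiration date and extract a binary cert.der. As an added example (not csmith28's procedure or IBM's code), the standard-library Python below reads notAfter straight out of such a DER file and reports the days left, so the expiry can be checked by a script rather than a notebook; SAMPLE_DER is a constructed skeleton with the real DER layout but dummy names and signature, and the 60-day lead time in renewal_due is an assumption, not a figure from the thread.

```python
"""Read notAfter from a DER X.509 certificate (e.g. the cert.der of step 12) and
report days left. Stdlib only; SAMPLE_DER is a constructed skeleton, not a real cert."""
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def cert_not_after(der):
    """Return the certificate's notAfter as a timezone-aware datetime (UTC)."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = list(_children(next(_children(cert))[1]))
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, ...
    tag, text = list(_children(fields[3][1]))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(text.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(der, now_iso):
    """Whole days from now_iso (YYYY-MM-DD, treated as UTC midnight) to notAfter."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return (cert_not_after(der) - now).days

def renewal_due(der, now_iso, lead_days=60):
    """True once the certificate is within lead_days of expiry (lead time is assumed)."""
    return days_until_expiry(der, now_iso) <= lead_days

def _der(tag, content):
    """Encode one DER TLV (short or two-byte long length) for the sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

# Constructed sample: valid 1 Mar 2006 to 1 Mar 2007, empty names/keys, dummy signature.
_validity = _der(0x30, _der(0x17, b"060301000000Z") + _der(0x17, b"070301000000Z"))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
            + _der(0x30, b"") + _validity + _der(0x30, b"") + _der(0x30, b""))
SAMPLE_DER = _der(0x30, _tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Point cert_not_after at the bytes of a real cert.der (open(path, "rb").read()) to get the same date the gsk6ikm "View" dialog shows.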
Author: bbburson (Partisan; Joined: 06 Jan 2004; Posts: 378; Location: Nowhere near a queue manager)
Posted: Thu Feb 23, 2006 7:34 am
Thanks for the info, csmith28. Couple of questions.

You end up with both old and new certificate in your key file, right? Can I assume that sometime later you go in and remove the old one?

Do you really use labels with the year tacked onto the end? From the documentation I thought the label had to be "ibmwebspheremqqmgrname" and nothing more. All our current certs have labels that conform to that requirement.
Author: csmith28 (Grand Master; Joined: 15 Jul 2003; Posts: 1196; Location: Arizona)
Posted: Thu Feb 23, 2006 8:20 am
I started using labels with the Year about two years ago and everything works fine. It's up to you I guess.

The Cyber Trust and Authority certs have to be deleted before you can create the new ones, and since they are so small I haven't bothered to delete the old root certs.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.