Implementing SSL with ACF2 |
Author |
Message
|
crossland |
Posted: Thu Apr 22, 2004 7:19 am Post subject: Implementing SSL with ACF2 |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
While all the documentation for implementing SSL on the mainframe seems to be for RACF, I am in the process of translating it to ACF2. SSL is being implemented between z/OS and a Java client running on Windows.
When I run the Java client, the following error is produced on the mainframe:
gsk_secure_soc_init RC=-27
Looking at gskssl.h, I assume this translates to GSK_ERROR_NO_PRIVATE_KEY.
This is what I have done so far:
Create Keyring
Set profile(user) div(keyring)
INSERT QMGRCHIN ringname(QMGRCHIN)
- QMGRCHIN is the CHIN userid.
Create CA certificate
On z/os:
tso acf
set profile(user) div(certdata)
Gencert certauth.cert1 subjdsn(cn='LPAR CA' o='ORG' ou='DEPT' c='GB') label(CA certificate for LPAR) size(1024)
connect certauth.cert1 keyring(QMGRCHIN)
exp certauth.cert1 label(CA certificate for LPAR) dsname('logon.cacert')
Create Certificate for Queue Manager
Gencert QMGRCHIN subjdsn(cn='QMGR',o='ORG',ou='DEPT' c='GB') label(ibmWebSphereMQQMGR) signwith(certauth label(CA certificate for LPAR)) expire(04/04/14) size(1024)
connect certdata(QMGRCHIN) keyring(QMGRCHIN)
Generate certificate for client
On Windows:
keytool -genkey -dname "CN=JavaClientPersCert,O=ORG,OU=DEPT,C=GB" -alias MyJavaClient -storepass password -keypass password -keystore keyStore -keyalg RSA -keysize 2048
keytool -certreq -keystore keyStore -storepass password -keypass password -alias MyJavaClient -file CLNTREQ
ftp CLNTREQ from NT to Mainframe (ascii)
On Mainframe:
Gencert client.cert dsn('logon.clntreq') label(MyJavaClient) signwith(certauth.cert1) expire(04/04/14)
Connect certdata(client.cert) keyring(QMGRCHIN)
exp client.cert label(myJavaClient) dsn('logon.clntcert')
exp certauth.cert1 label(CA certificate for LPAR) dsname('logon.cacert')
ftp clntcert and cacert from Mainframe to Windows (ascii)
On Windows:
keytool -import -keystore keyStore -storepass password -alias "CA certificate for LPAR" -import -file cacert
keytool -import -keystore keyStore -storepass password -alias MyJavaClient -import -file clntcert
Alter queue manager to use SSL
ALTER QMGR SSLTASKS(5)
ALTER QMGR SSLKEYR(QMGRCHIN)
Specify Cipher Specification for Channel
ALTER CHL(CH.TIM.TO.QMGR) SSLCIPH(NULL_MD5)
Test Java Program
In Java program:
MQEnvironment.port = 1414;
MQEnvironment.hostname = "LPAR";
MQEnvironment.channel = "CH.TIM.TO.QMGR";
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_MD5";
MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY,
MQC.TRANSPORT_MQSERIES);
C:\stuff>java -Djavax.net.ssl.keyStore=certs1\keyStore -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=certs1\keyStore -Djavax.net.ssl.trustStorePassword=password MQGetClientMFSSL
I would be very grateful if anyone can spot the reason why this is failing. Without SSL, I have managed to get a Java client running on the same NT box to connect to the same mainframe queue manager.
Thanks,
Tim |
|
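A check of the Windows-side keystore built by the keytool steps in the post above, as an added example that is not part of the original thread. The class name CheckKeyStore is hypothetical; the default file name, password and alias are the ones the post uses. It inspects only the client keystore, not the ACF2 key ring on the mainframe.

```java
// Added example (not from the original post); CheckKeyStore is a hypothetical name.
// Defaults assume the keystore file, password and alias used in the keytool steps.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CheckKeyStore {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keyStore";
        char[] pass = (args.length > 1 ? args[1] : "password").toCharArray();
        String clientAlias = args.length > 2 ? args[2] : "MyJavaClient";

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        // List every entry with its kind, subject and issuer.
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-28s %-12s subject=%s issuer=%s%n", alias, kind,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        // The client alias must still hold the private key after the signed
        // certificate was imported over it.
        if (!ks.isKeyEntry(clientAlias)) {
            System.out.println("FAIL: " + clientAlias + " has no private key");
            return;
        }
        Certificate[] chain = ks.getCertificateChain(clientAlias);
        X509Certificate leaf = (X509Certificate) chain[0];
        if (chain.length == 1
                && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            System.out.println("FAIL: still the self-signed certificate from -genkey");
            return;
        }
        // Each certificate must be signed by the next one in the chain;
        // verify() throws if a signature does not match.
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }
        X509Certificate root = (X509Certificate) chain[chain.length - 1];
        System.out.println("OK: chain length " + chain.length + ", leaf issued by "
                + leaf.getIssuerX500Principal() + ", root stored under alias "
                + ks.getCertificateAlias(root));
    }
}
```

Run it from the directory holding the keystore, or pass the path, password and alias as arguments.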
dutchman |
Posted: Tue Aug 29, 2006 11:06 pm Post subject: |
|
|
Acolyte
Joined: 15 May 2001 Posts: 71 Location: Netherlands
|
Hi - I know the original query was posted over 2 years ago, but I've got the same problem, i.e. gsk_secure_soc_init with RC=-27 using ACF2.
Any takers? |
|