friedl.otto |
Posted: Thu Feb 12, 2009 1:28 pm Post subject: MQ 7.0.0.1 + SSL = PAIN! |
Centurion
Joined: 06 Jul 2007 Posts: 116
On this:
Code: |
Name: WebSphere MQ
Version: 7.0.0.1
CMVC level: p700-001-081219
BuildType: IKAP - (Production)
|
Which sports two way (vanilla) channel comms:
Code: |
AMQ8417: Display Channel Status details.
CHANNEL(A_TO_B) CHLTYPE(SDR)
CONNAME(bob.domain.com(1410))
CURRENT RQMNAME(BOB)
STATUS(RUNNING) SUBSTATE(MQGET)
XMITQ(QXMT_B)
AMQ8417: Display Channel Status details.
CHANNEL(B_TO_A) CHLTYPE(RCVR)
CONNAME(bob.domain.com) CURRENT
RQMNAME(BOB) STATUS(RUNNING)
SUBSTATE(RECEIVE)
|
I did this:
Code: |
1. Prepare the key repository on each queue manager
ON alice.domain.com: gsk7capicmd -keydb -create -db alice.kdb -pw <alice_password> -type cms -expire 365 -stash -fips -strong
ON bob.domain.com: gsk7capicmd -keydb -create -db bob.kdb -pw <bob_password> -type cms -expire 365 -stash -fips -strong
2. Create a self-signed certificate for each queue manager
ON alice.domain.com: gsk7capicmd -cert -create -db alice.kdb -pw <alice_password> -label ALICE -dn "CN=QMGR_ALICE,O=ACME,OU=IT,L=GOTHAM,C=US" -size 2048 -x509version 3 -default_cert yes -expire 365 -fips -sigalg sha512
ON bob.domain.com: gsk7capicmd -cert -create -db bob.kdb -pw <bob_password> -label BOB -dn "CN=QMGR_BOB,O=ACME,OU=IT,L=GOTHAM,C=US" -size 2048 -x509version 3 -default_cert yes -expire 365 -fips -sigalg sha512
3. Extract a copy of each certificate
ON alice.domain.com: gsk7capicmd -cert -extract -db alice.kdb -pw <alice_password> -label ALICE -target alice.arm -format ascii -fips
ON bob.domain.com: gsk7capicmd -cert -extract -db bob.kdb -pw <bob_password> -label BOB -target bob.arm -format ascii -fips
4. Exchange certificates
ON alice.domain.com: scp alice.arm bob.domain.com:/var/mqm/qmgrs/BOB/ssl
ON bob.domain.com: scp bob.arm alice.domain.com:/var/mqm/qmgrs/ALICE/ssl
5. Add partner's certificate to the key repository
ON alice.domain.com: gsk7capicmd -cert -add -db alice.kdb -pw <alice_password> -label BOB -file bob.arm -format ascii -fips
ON bob.domain.com: gsk7capicmd -cert -add -db bob.kdb -pw <bob_password> -label ALICE -file alice.arm -format ascii -fips
6. Configure each QMGR
ON alice.domain.com: crtmqm ALICE
ON alice.domain.com: strmqm ALICE
ON alice.domain.com: ALTER QMGR SSLKEYR('/var/mqm/qmgrs/ALICE/ssl/alice')
ON alice.domain.com: REFRESH SECURITY TYPE(SSL)
ON alice.domain.com: DEFINE CHANNEL('ALICE_TO_BOB') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('bob.domain.com(1410)') XMITQ(QXMT_BOB) SSLCIPH(RC4_MD5_US) DESCR('Sender channel using SSL from ALICE to BOB') REPLACE
ON alice.domain.com: DEFINE QLOCAL('QXMT_BOB') USAGE(XMITQ) DEFPSIST(YES) REPLACE
ON bob.domain.com: crtmqm BOB
ON bob.domain.com: strmqm BOB
ON bob.domain.com: ALTER QMGR SSLKEYR('/var/mqm/qmgrs/BOB/ssl/bob')
ON bob.domain.com: REFRESH SECURITY TYPE(SSL)
ON bob.domain.com: DEFINE CHANNEL('BOB_TO_ALICE') CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(RC4_MD5_US) SSLCAUTH(REQUIRED) DESCR('Receiver channel using SSL from BOB to ALICE') REPLACE
|
which yields this:
Code: |
02/12/2009 10:58:04 PM - Process(15244.1) User(mqm) Program(runmqchl)
AMQ9002: Channel 'ALICE_TO_BOB' is starting.
EXPLANATION:
Channel 'ALICE_TO_BOB' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
02/12/2009 10:58:06 PM - Process(15244.1) User(mqm) Program(runmqchl)
AMQ9209: Connection to host '10 (<IP for bob.domain.com>)' closed.
EXPLANATION:
An error occurred receiving data from '10 (<IP for bob.domain.com>)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
----- amqccita.c : 3396 -------------------------------------------------------
02/12/2009 10:58:06 PM - Process(15244.1) User(mqm) Program(runmqchl)
AMQ9999: Channel program ended abnormally.
EXPLANATION:
Channel program 'ALICE_TO_BOB' ended abnormally.
ACTION:
Look at previous error messages for channel program 'ALICE_TO_BOB' in the error
files to determine the cause of the failure.
|
PLEASE !!! _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
Vitor |
Posted: Thu Feb 12, 2009 1:39 pm Post subject: Re: MQ 7.0.0.1 + SSL = PAIN! |
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
friedl.otto wrote: |
PLEASE !!! |
Are you sure about those labels? Are you sure ALICE shouldn't be ibmwebspheremqalice? _________________ Honesty is the best policy.
Insanity is the best defence. |
bbburson |
Posted: Thu Feb 12, 2009 2:23 pm Post subject: Re: MQ 7.0.0.1 + SSL = PAIN! |
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
Vitor wrote: |
friedl.otto wrote: |
PLEASE !!! |
Are you sure about those labels? Are you sure ALICE shouldn't be ibmwebspheremqalice? |
And once you get that sorted out make sure your SDR/RCVR channel pairs have the same name at both ends. SDR ALICE_TO_BOB will not connect up with RCVR BOB_TO_ALICE. |
friedl.otto |
Posted: Fri Feb 13, 2009 12:36 am Post subject: Re: MQ 7.0.0.1 + SSL = PAIN! |
Centurion
Joined: 06 Jul 2007 Posts: 116
bbburson wrote: |
And once you get that sorted out make sure your SDR/RCVR channel pairs have the same name at both ends. SDR ALICE_TO_BOB will not connect up with RCVR BOB_TO_ALICE. |
It was very late ... I pasted the wrong RCVR.
Vitor wrote: |
Are you sure about those labels? Are you sure ALICE shouldn't be ibmwebspheremqalice? |
I was going to ask about that 'ibmwebspheremq' prefix ... I didn't see any
specifics to that effect on here. But I do recall seeing 'ibmwebspheremq'
somewhere and thinking how do I then distinguish the two keys?
*Drops head and slinks back to the drawingboard* _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
friedl.otto |
Posted: Fri Feb 13, 2009 12:52 am Post subject: |
Centurion
Joined: 06 Jul 2007 Posts: 116
Ladies and Gentlemen ... thanks to your assistance:
Code: |
AMQ8417: Display Channel Status details.
CHANNEL(ALICE_TO_BOB) CHLTYPE(SDR)
CONNAME(bob.domain.com(1410))
CURRENT RQMNAME(BOB)
STATUS(RUNNING) SUBSTATE(MQGET)
XMITQ(QXMT_BOB)
|
 _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
Vitor |
Posted: Fri Feb 13, 2009 12:53 am Post subject: Re: MQ 7.0.0.1 + SSL = PAIN! |
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
friedl.otto wrote: |
I was going to ask about that 'ibmwebspheremq' prefix ... I didn't see any
specifics to that effect on here. |
It's in step 2 of there, confusingly hidden in this section called "Creating A Self Signed Certificate". I mean, last place you'd look for information on creating a self signed certificate.....
Don't let the drawing board hit you on the way out.
For the benefit of future readers, the relevant section says:
Quote: |
In the Key Label field, type: for a queue manager, ibmwebspheremq followed by the name of your queue manager folded to lower case. For example, for QM1, ibmwebspheremqqm1, or, for a WebSphere MQ client, ibmwebspheremq followed by your logon user ID folded to lower case, for example ibmwebspheremqmyuserid. |
_________________ Honesty is the best policy.
Insanity is the best defence. |
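The two fixes the thread converges on (the certificate label must be `ibmwebspheremq` plus the queue manager name in lower case, and a SDR only pairs with a RCVR of the same name at the far end) are easy to get wrong by hand at midnight, so here is an added example that is not code posted by anyone in the thread. It runs neither gsk7capicmd nor runmqsc: it derives the label, checks a channel pair, and prints the corrected command sequence for review before anything is typed into a live system. Queue manager names, hosts, port, DN fields and the RC4_MD5_US CipherSpec are taken from the posts above; the key database path `key.kdb` under each queue manager's `ssl` directory is an assumption (it is the MQ default stem).

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Nothing here touches MQ: it derives the certificate label MQ 7 expects,
# checks that a SDR/RCVR pair share a name, and prints the corrected steps.
# Names, hosts, port and DN are the thread's; key.kdb as the repository
# file name is an assumption.

# Rule quoted above from the MQ docs: "ibmwebspheremq" followed by the
# queue manager name folded to lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Pull the channel name out of a one-line MQSC DEFINE CHANNEL statement.
channel_name_of() {
    printf '%s\n' "$1" | sed -n "s/.*DEFINE CHANNEL('\([^']*\)').*/\1/p" | head -n 1
}

# A sender only connects to a receiver of the same name at the far end;
# returns 0 when the two definitions agree, 1 otherwise.
channel_pair_ok() {
    sdr=$(channel_name_of "$1")
    rcvr=$(channel_name_of "$2")
    if [ -n "$sdr" ] && [ "$sdr" = "$rcvr" ]; then return 0; else return 1; fi
}

# Print the key repository and certificate steps for one queue manager.
# $1 queue manager name, $2 partner queue manager name.
gen_steps() {
    qm=$1; peer=$2
    lc=$(printf '%s' "$qm" | tr '[:upper:]' '[:lower:]')
    peer_lc=$(printf '%s' "$peer" | tr '[:upper:]' '[:lower:]')
    label=$(mq_cert_label "$qm")
    ssl_dir="/var/mqm/qmgrs/$qm/ssl"
    cat <<EOF
# ---- on the $qm host: create the queue manager first so $ssl_dir exists ----
crtmqm $qm
strmqm $qm
gsk7capicmd -keydb -create -db $ssl_dir/key.kdb -pw <${lc}_password> -type cms -expire 365 -stash -fips -strong
# own certificate: the label MUST be $label or MQ will not find it
gsk7capicmd -cert -create -db $ssl_dir/key.kdb -pw <${lc}_password> -label $label -dn "CN=QMGR_$qm,O=ACME,OU=IT,L=GOTHAM,C=US" -size 2048 -x509version 3 -default_cert yes -expire 365 -fips -sigalg sha512
gsk7capicmd -cert -extract -db $ssl_dir/key.kdb -pw <${lc}_password> -label $label -target $ssl_dir/$lc.arm -format ascii -fips
# after exchanging the .arm files: the partner's public certificate may carry any label
gsk7capicmd -cert -add -db $ssl_dir/key.kdb -pw <${lc}_password> -label $(mq_cert_label "$peer") -file $ssl_dir/$peer_lc.arm -format ascii -fips
# in runmqsc $qm: SSLKEYR is the path stem, without the .kdb suffix
ALTER QMGR SSLKEYR('$ssl_dir/key')
REFRESH SECURITY TYPE(SSL)
EOF
}

# Print a matched channel pair: SDR on $1, RCVR of the SAME name on $2.
# $3 receiver host, $4 receiver listener port.
gen_channel_pair() {
    from=$1; to=$2; host=$3; port=$4
    name="${from}_TO_${to}"
    cat <<EOF
# in runmqsc $from
DEFINE QLOCAL('QXMT_$to') USAGE(XMITQ) DEFPSIST(YES) REPLACE
DEFINE CHANNEL('$name') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('$host($port)') XMITQ(QXMT_$to) SSLCIPH(RC4_MD5_US) REPLACE
# in runmqsc $to: same channel name; SSLCAUTH(REQUIRED) makes $from present its certificate too
DEFINE CHANNEL('$name') CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(RC4_MD5_US) SSLCAUTH(REQUIRED) REPLACE
EOF
}

# Stand-alone usage: print the corrected sequence for the thread's pair.
gen_steps ALICE BOB
gen_steps BOB ALICE
gen_channel_pair ALICE BOB bob.domain.com 1410
```

Two caveats for anyone reusing this. With self-signed certificates and SSLCAUTH(REQUIRED) each side trusts exactly the certificate it imported, but nothing stops any certificate in that key database from being accepted on that channel; adding SSLPEER('CN=QMGR_ALICE,O=ACME,...') on the receiver pins the channel to the partner's DN. And RC4_MD5_US is kept only because the thread uses it: it is a weak CipherSpec that IBM has since deprecated, so pick a TLS 1.2 CipherSpec on anything current.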
friedl.otto |
Posted: Fri Feb 13, 2009 1:42 am Post subject: Re: MQ 7.0.0.1 + SSL = PAIN! |
Centurion
Joined: 06 Jul 2007 Posts: 116
Vitor wrote: |
It's in step 2 of there, confusingly hidden in this section called "Creating A Self Signed Certificate". I mean, last place you'd look for information on creating a self signed certificate.....  |
Indeed ... slight oversight while burning the midnight oil!  _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |