Using SSL certificates with MO71 supportpac
nhenshall
Posted: Fri Oct 23, 2009 12:09 am Post subject: Using SSL certificates with MO71 supportpac
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
Hi everyone,
I am a long time reader, but never posted, so here I go!
I am having problems getting MO71 to work using SSL certificates. I have tested it on a test system, and using self-signed certificates, I managed to get MO71 to connect to my test QM on UNIX after a lot of swearing. Now I have proper signed certificates and I keep getting 2393 errors. At the moment on the QM side it's "AMQ9637 Channel is lacking a certificate." Sounds straightforward... but
My question to those who have this working is: which certificates need to be installed, and how/where? On the QM side, I have the 2 root certificates of the issuer, plus the private certificate of the QM which it also uses to talk to other QMs.
Client side (a Windows PC) I have the same 2 root certificates of the issuer plus my own user certificate which I received from the issuer as a .DER file. Using self-signed, I needed to have the same certificates both sides. I assume that that is not the case here as these are signed. The authority gave me my user certificates as 2 files, one a binary .DER certificate and a .PFX file (which I've not used).
I'm using gsk7cmd on UNIX and runmqckm on Windows to add the certificates. Any help gratefully appreciated!
Thanks
Neil
exerk
Posted: Fri Oct 23, 2009 12:59 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Queue Manager Key Store
2 CA certificates + Personal certificate labelled ibmwebspheremq<qmgrname>
Client Key Store
2 CA certificates + Personal certificate labelled ibmwebspheremq<clientuserid>
I am assuming that you are reusing the connection you had working with the self-signed certificates, so I'd say this is possibly due to lack of refresh of the queue managers' security; ensure you refresh security type(ssl) or restart the queue manager if sub-V6, for it to read the certificate changes.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
nhenshall
Posted: Sun Oct 25, 2009 2:27 pm
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
Good, this confirms what I have done:
exerk wrote:
Queue Manager Key Store
2 CA certificates + Personal certificate labelled ibmwebspheremq<qmgrname>
Client Key Store
2 CA certificates + Personal certificate labelled ibmwebspheremq<clientuserid>
Yes, I am using a queue manager at level 6.0.2.5, though my Windows machine is at 6.0.0.0, but it did work with self-certified certificates. I have issued the refresh command and restarted the QM in frustration.
exerk wrote:
I am assuming that you are reusing the connection you had working with the self-signed certificates, so I'd say this is possibly due to lack of refresh of the queue managers' security; ensure you refresh security type(ssl) or restart the queue manager if sub-V6, for it to read the certificate changes.
I have started to wonder if my Windows machine is corrupt somehow.
PeterPotkay
Posted: Sun Oct 25, 2009 3:55 pm
Poobah
Joined: 15 May 2001 Posts: 7722
Apply Fix Pack 6.0.2.8 to your Windows machine - no excuse to be running 6.0.0.0.
Try again and if it still fails after upgrading:
Can you make this work using these CA signed certs with only the same SSLCIPH on both ends of the SVRCONN/CLNTCONN channel? Do not bother with SSLPEER and SSLCAUTH(REQUIRED) yet.
If it still fails with your PC upgraded to MQ 6.0.2.8 and SSLCAUTH(OPTIONAL), then post your channel definitions, your QM definition and the output from the command that displays all the certs in both your keystores. Also the corresponding errors in the QM error log and the client error log.
Do you have all the certs required by the CAs, including all the intermediate ones in the chain if required?
_________________
Peter Potkay
Keep Calm and MQ On
nhenshall
Posted: Sun Oct 25, 2009 10:55 pm
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
I will contact our PC guys today on this one, this troubles me also...
PeterPotkay wrote:
Apply Fix Pack 6.0.2.8 to your Windows machine - no excuse to be running 6.0.0.0.
I am using SSLCAUTH(REQUIRED) but not SSLPEER (it is my intention once I can get the SSL negotiation going OK) and the cipher spec I am using is NULL_SHA. I will try SSLCAUTH(OPTIONAL).
PeterPotkay wrote:
Do not bother with SSLPEER and SSLCAUTH(REQUIRED) yet.
This interests me also, I have looked in the C:/Program Files/IBM/WebSphere MQ/errors folder and there is nothing, is there anything else I've missed? As I said earlier, it's MO71 I'm trying to use.
PeterPotkay wrote:
and the client error log.
nhenshall
Posted: Mon Oct 26, 2009 8:14 am
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
An interesting thing I have just noticed: I do not have administration rights on the PC. I have found errors in the event viewer because I do not have rights on the WebSphere errors folder. So when MQ on the PC is trying to write an error message to the log, it fails. Tomorrow I hope to have this situation fixed so at least I might be able to see what is wrong on this side. Funny, because at this site they favor MO71 because they don't need to deal out administration rights... then came SSL!
nhenshall wrote:
This interests me also, I have looked in the C:/Program Files/IBM/WebSphere MQ/errors folder and there is nothing, is there anything else I've missed? As I said earlier, it's MO71 I'm trying to use.
PeterPotkay wrote:
and the client error log.
bruce2359
Posted: Mon Oct 26, 2009 9:51 am
Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
Quote:
So when MQ on the PC is trying to write an error message to the log, it fails.
MQ needs write privilege, you need read.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
nhenshall
Posted: Wed Oct 28, 2009 2:42 am
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
OK, it's fixed.
I got the write authority for the PC, which just repeated the error messages that I was getting in UNIX. I spoke to the people who sent the SSL certificate and the .DER certificate I was using wasn't what I needed, it was the .PFX.
Back to square one, I couldn't get the certificate into the repository, and in frustration, I used the strmqikm graphic tool instead of the command line runmqckm and of course it worked! Worst part, I was showing a colleague at the time and of course he assumes it's his presence which did the trick.
I've noticed there is another thread on here about the same thing, how to get a certificate from the command line integrated the same way the graphic utility does it.
Thanks to all
Neil
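The fix Neil found (use the .PFX, not the .DER) comes down to what each file carries: a bare X.509 .DER file holds only the public certificate, while a PKCS#12 .PFX bundle can also hold the private key that a keystore personal certificate needs. As an added example, not code from the thread, MO71 or IBM, here is a stdlib-only Python check that reads just enough of the outer DER structure to tell the two formats apart before an import is attempted; the sample inputs are constructed stand-ins with the real outer layout, not real certificates.

```python
SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06
PKCS7_DATA = bytes.fromhex("2a864886f70d010701")  # OID 1.2.840.113549.1.7.1

def der(tag, value):
    """Encode one DER TLV (short or long-form length); used to build samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(seq):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out

def classify(blob):
    """'pkcs12' for PFX {version 3, authSafe ContentInfo(pkcs7-data)},
    'x509' for Certificate {tbsCertificate, signatureAlgorithm, signature}."""
    tag, body, _ = read_tlv(blob)
    if tag != SEQUENCE:
        return "unknown"
    p = children(body)
    if len(p) >= 2 and p[0] == (INTEGER, b"\x03") and p[1][0] == SEQUENCE:
        inner = children(p[1][1])
        if inner and inner[0] == (OID, PKCS7_DATA):
            return "pkcs12"
    if [t for t, _ in p] == [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "x509"
    return "unknown"

def has_private_key(blob):
    """Only a PKCS#12 bundle can carry the key a personal certificate needs."""
    return classify(blob) == "pkcs12"

# Constructed stand-ins (not real certificates): a cert-only .DER and a .PFX
# whose 200-byte payload exercises the long-form length path.
SAMPLE_DER = der(SEQUENCE, der(SEQUENCE, b"") + der(SEQUENCE, b"") + der(BIT_STRING, b"\x00"))
SAMPLE_PFX = der(SEQUENCE, der(INTEGER, b"\x03") + der(SEQUENCE, der(OID, PKCS7_DATA) + der(0xA0, der(0x04, b"\x00" * 200))))
```

On a real file, `classify(open(path, "rb").read())` returning "x509" is the signal that the keystore will end up without a personal certificate, which is the state the queue manager reports as AMQ9637.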