hdjur
Posted: Tue Oct 25, 2005 1:47 am Post subject: SSL problem: password stash file absent or unusable
Hello!
I have a problem configuring SSL. First of all, does anybody know how to create a password stash file and where to place it? I'm using keytool on Solaris, and I have created a keystore file in the /var/mqm/qmgrs/<qmgrname>/ssl directory. I have named it "key", so the full path to the file is "/var/mqm/qmgrs/<qmgrname>/ssl/key", and this is what I have placed in the SSLKEYR attribute of the queue manager.
When I try to ping some channel configured to use SSL (attribute SSLCIPH set to RC4_MD5_US), this is what I get (see Subject please).
Thanks in advance. I realize that maybe this is somewhat of a question for the Solaris forum . . .
wschutz
Posted: Tue Oct 25, 2005 1:53 am Post subject:
hdjur
Posted: Tue Oct 25, 2005 2:08 am Post subject:
Thank you Wayne for your answer. Still, my main problem is keytool usage. I have issued the command:
keytool -keystore /var/mqm/qmgrs/mqmtest/ssl/key -storepass somepwd -genkey -alias ibmWebSphereMQmqmtest
and created one file as I have described earlier.
This discussion refers to gsk7cmd_64 as a key generation tool, which is O.K., and it creates four files:
key.kdb
key.sth
key.crl
key.rdb
I've got one. The keytool documentation does not provide any information on password stash files.
Hrvoje
wschutz
Posted: Tue Oct 25, 2005 2:15 am Post subject:
So, if you use gsk7cmd/gui, can you start the channels with SSL on?
-wayne
hdjur
Posted: Tue Oct 25, 2005 2:25 am Post subject:
Unfortunately, I have no iKeyman installed on my Solaris machine, only this keytool. Will that be a problem?
wschutz
Posted: Tue Oct 25, 2005 2:26 am Post subject:
My suggestion is to install iKeyman and try that. It should be on the MQ CD.
-wayne
hdjur
Posted: Tue Oct 25, 2005 2:37 am Post subject:
Sorry, this one is an AIX machine; I mixed them up, with so many different hosts around. The content of the directory /usr/mqm/ssl/jre/bin after an installation done by my sysadmin is:
awt_robot jvmtcf libdt_socket.a libjavaplugin_oji.a libnet.a policytool
classic keytool libfontmanager.a libJdbcOdbc.a liborb.a rmid
java libagent.a libhpi.a libjdwp.a libxhpi.a rmiregistry
javaplugin.a libawt.a libhprof.a libjitc.a libzip.a tnameserv
JavaPluginControlPanel libcmm.a libjava.a libjpeg.a oldjava
javaw libdcpr.a libjavaplugin_jni.a libjsound.a oldjavaw
So you think it can't work with this keytool, which is also a part of some typical installation.
wschutz
Posted: Tue Oct 25, 2005 2:41 am Post subject:
I don't really know anything about keytool. You do need a "key.sth" file, which is easily produced by iKeyman (gsk6/7cmd/gui).
-wayne
hdjur
Posted: Tue Oct 25, 2005 2:43 am Post subject:
All right. Thank you Wayne. Bye!
Tibor
Posted: Tue Oct 25, 2005 12:08 pm Post subject:
Hrvoje,
The main difference is in the internal structure of the default keystore: JKS (keytool) vs CMS (gskit); however, gskit can create a JKS, too. That's why you need the gskit (here is the supported version).
Tibor
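A check for the symptom in the subject line, added here as an illustration (it is not from the thread, from keytool or from GSKit): given the queue manager's SSLKEYR value, it reports which of the four CMS files gsk7cmd would have created are present, whether the stash file is readable and non-empty, and whether the path instead points at a bare extensionless file of the kind keytool produced above. It assumes nothing about the file contents beyond existence and size.

```shell
# check_sslkeyr STEM
# STEM is the SSLKEYR value: the key database path without its extension,
# e.g. /var/mqm/qmgrs/<qmgrname>/ssl/key. Returns 0 only when STEM.kdb exists
# and STEM.sth is a readable, non-empty stash file; otherwise prints what is
# wrong and returns 1. Run it as the mqm user so the permission checks match
# what the queue manager will see.
check_sslkeyr() {
  stem=$1
  status=0

  # The CMS key database itself.
  if [ -f "$stem.kdb" ]; then
    echo "ok:      $stem.kdb"
  else
    echo "MISSING: $stem.kdb (CMS key database)"
    status=1
  fi

  # The password stash file: absent, unreadable or empty all give the
  # "password stash file absent or unusable" failure when a channel starts.
  if [ ! -f "$stem.sth" ]; then
    echo "MISSING: $stem.sth (password stash file)"
    status=1
  elif [ ! -r "$stem.sth" ]; then
    echo "UNUSABLE: $stem.sth is not readable by this user"
    status=1
  elif [ ! -s "$stem.sth" ]; then
    echo "UNUSABLE: $stem.sth is empty"
    status=1
  else
    echo "ok:      $stem.sth"
  fi

  # Companion files gsk7cmd creates alongside the database; their absence
  # is only noted, it does not block channel start.
  for ext in rdb crl; do
    [ -f "$stem.$ext" ] || echo "note:    $stem.$ext absent"
  done

  # A bare file at the stem path is the situation from the thread: a JKS
  # keystore written by keytool with no extension, which MQ cannot read
  # as a CMS database.
  if [ -f "$stem" ]; then
    echo "WARNING: $stem exists with no extension; probably a JKS keystore from keytool, not a CMS .kdb"
    status=1
  fi
  return $status
}
```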
hdjur
Posted: Fri Oct 28, 2005 2:25 am Post subject:
Thank you Tibor for your answer too. I noticed it with a bit of delay, since I had started a new discussion on the usage of gskit, after which I accomplished my goal. Now, could I do that without gskit? Quote from the keytool documentation:
-storetype storetype
This qualifier specifies the type of keystore to be instantiated. The default keystore type is the one that is specified as the value of the "keystore.type" property in the security properties file, which is returned by the static getDefaultType method in java.security.KeyStore.
Obviously, I could create a CMS database type with keytool too, and perform all necessary steps with this tool, although I haven't tried yet.
Hrvoje
Tibor
Posted: Sat Oct 29, 2005 11:49 pm Post subject:
To use another storetype than 'JKS' you have to install a new provider. Otherwise:
Quote:
There is a built-in default implementation, provided by Sun Microsystems. It implements the keystore as a file, utilizing a proprietary keystore type (format) named "JKS". It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.
But the GSKit's java.security contains these entries:
Quote:
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.spi.IBMCMSProvider
security.provider.3=com.ibm.crypto.provider.IBMJCE
You have to purchase the GSKit.
Tibor
wschutz
Posted: Sun Oct 30, 2005 2:29 am Post subject:
Quote:
You have to purchase the GSKit
I thought GSKit shipped with MQ.
-wayne
Tibor
Posted: Sun Oct 30, 2005 8:23 am Post subject:
Wayne,
You're right, but there was a problem with the installation:
Quote:
Posted: 25 Oct 2005 11:25 Post subject:
Unfortunately, I have no iKeyman installed on my Solaris machine, only this keytool. Will that be a problem?
Tibor