hilltops
Posted: Wed Sep 06, 2006 5:06 am Post subject: Problems with SSL for MQ client connection
I have a problem with my configuration for SSL on an MQI client connection using self-signed certificates. I am using MQ V6 and have installed the GSKit. The client is on a Windows box while the server is on a Linux box. The rest of the configuration is as follows:
On the server
Queue manager name = DNLCAZ5CPS
Created the keystore as follows:
gsk7cmd -keydb -create -db /var/mqm/qmgrs/DNLCAZ5CPS/ssl/key.kdb -pw cms -type cms -expire 365 -stash
chmod g+r /var/mqm/qmgrs/DNLCAZ5CPS/ssl/key.kdb
chmod g+r /var/mqm/qmgrs/DNLCAZ5CPS/ssl/key.sth
Created the self-signed certificate as follows:
gsk7cmd -cert -create -db /var/mqm/qmgrs/DNLCAZ5CPS/ssl/key.kdb -pw cms -label ibmwebspheremqjoebloggs -dn "CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK" -size 1024 -expire 365
Defined the SVRCONN as:
DEFINE CHANNEL(TO.DNLCAZ5CPS.SSL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
DESCR('Server connection on queue manager DNLCAZ5CPS') +
MCAUSER('joebloggs') +
SSLCIPH(RC4_MD5_EXPORT) +
SSLPEER('CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK') +
SSLCAUTH(REQUIRED) +
REPLACE
With the DISPLAY QMGR command I get
SSLKEYR(/var/mqm/qmgrs/SDBC01EGDS/ssl/key) amongst others.
On the client side
Created a directory called ssl under D:\Program Files\IBM\WebSphere MQ\
Ran the following command to create the repository in the directory just created:
runmqckm -keydb -create -db "D:\Program Files\IBM\WebSphere MQ\ssl\key.sto" -pw cms -type cms -expire 365 -stash
Ran the command to create a certificate and store it in the repository:
runmqckm -cert -create -db "D:\Program Files\IBM\WebSphere MQ\ssl\key.sto" -pw cms -label ibmwebspheremqjoebloggs -dn "CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK" -size 1024 -expire 365
Set the environment variable that points to the repository:
set MQSSLKEYR=D:\Program Files\IBM\WebSphere MQ\ssl\key
The Java application on the client side is coded with the following properties:
MQEnvironment.hostname = server;
MQEnvironment.channel = "TO.DNLCAZ5CPS.SSL";
MQEnvironment.port = 15000;
MQEnvironment.sslCipherSuite = "SSL_RSA_EXPORT_WITH_RC4_40_MD5";
MQEnvironment.sslPeerName = "CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK";
When the application is run I get:
MQJE001: An MQException occurred: Completion Code 2, Reason 2397
MQJE056: Initial negotiation failure
MQJE001: Completion Code 2, Reason 2397
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
Any help?
Thanks
jefflowrey
Posted: Wed Sep 06, 2006 5:07 am Post subject:
Java applications have to use JKS keystores, not CMS keystores.
mvic
Posted: Wed Sep 06, 2006 5:58 am Post subject: Re: Problems with SSL for MQ client connection
hilltops
Posted: Wed Sep 06, 2006 9:31 am Post subject:
I have now created a JKS keystore and added a self-signed certificate as follows:
runmqckm -keydb -create -db compass.jks -type jks -pw c0mp4ss
runmqckm -cert -create -db compass.jks -pw c0mp4ss -label ibmwebspheremqjoebloggs -dn "CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK" -size 1024 -expire 365
While still on the Windows client machine, I used the contact admin command to start a cmd window for user joebloggs (contact admin /user:joebloggs cmd). The certificate label was for a user called joebloggs.
I ran the Java application in this new window as:
java -Djavax.net.ssl.keyStore=c:\TEST\compass.jks -Djavax.net.ssl.keyStorePassword=c0mp4ss -Djavax.net.ssl.trustStore=C:\TEST\compass.jks MQSample2
I get the same problem.
The server configuration has not changed.
Ivans
Posted: Wed Sep 06, 2006 11:37 pm Post subject:
Hi hilltops,
The problems with your config include...
* You are creating one certificate on the server and one on the client and not extracting/adding them to the separate keystores. You have SSLCAUTH(REQUIRED), so both the client and server must have their own separate certs, and you must extract each cert and add it to the other's keystore.
* The queue manager certificate must be labelled ibmwebspheremqdnlcaz5cps
* The CipherSpecs must match on each end of the channel
Please read the SSL portions of the WMQ Security manual and take a look at SupportPac MO04 (WMQ SSL Wizard), which will generate sample MQSC/GSKit commands and supplies sample Java client source code too. And it's free!
MO04 can be googled or see here... http://www.ibm.com/support/docview.wss?rs=171&uid=swg24010367&loc=en_US&cs=utf-8&lang=en
Cheers,
Ian
hilltops
Posted: Thu Sep 07, 2006 8:21 am Post subject:
fjb_saper
Posted: Thu Sep 07, 2006 2:36 pm Post subject:
So if I understood right, you have a cert with a private key in Win and a cert with a private key in Linux. They are both signed by the same "CA" authority, and never shall the twain meet.....
Send the public key from Win to Linux and the public key from Linux to the Win keystore, and import on each side...
After that you might have more luck...
Enjoy
mvic
Posted: Fri Sep 08, 2006 1:44 am Post subject:
hilltops
Posted: Fri Sep 08, 2006 8:18 am Post subject:
The MQ Security manual V6.0 (csqzas02.pdf) on page 26 says:
"If the server requires client authentication, the server verifies the client's identity by verifying the client's digital certificate with the public key for the CA that issues the personal certificate to the client ......"
I understand this to mean that if client authentication is all I want, I do not need to have the client certificate in the server's keystore as long as I have the certificate from the CA that signed the client's certificate.
Thus in my server queue manager keystore I have my "CA" certificate and the queue manager's certificate. This should suffice, shouldn't it? Or is the manual wrong?
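The points Ivans lists (certificates never exchanged between the two keystores, the queue manager label convention, matching CipherSpec and CipherSuite, plus jefflowrey's JKS-not-CMS remark) and hilltops' last question about whether the CA certificate alone is enough on the queue manager side come down to a small set of checks that can be run against a description of both keystores before anyone touches a channel. The script below is an added example written for this thread; it is not code from the thread, from SupportPac MO04 or from IBM. It models each certificate by a constructed `key_id` standing in for its public-key fingerprint (so the two same-DN certificates in the first post are kept distinct, as a real signature check would keep them), and the `CIPHERSPEC_TO_SUITE` table is IBM's documented MQ V6 CipherSpec-to-CipherSuite mapping as I recall it, which you should confirm against your own version's documentation. The three scenarios at the bottom are constructed from the thread's posted values.

```python
from dataclasses import dataclass, field
from typing import List

# MQ CipherSpec (channel SSLCIPH) -> JSSE CipherSuite the Java client must set.
# Assumption: IBM's documented MQ V6 mapping as I recall it; confirm against your docs.
CIPHERSPEC_TO_SUITE = {
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# DN the thread used for the certificates on both sides.
DN = "CN=DNLCAZ5CPS,O=XXXX,OU=Middleware,C=UK"


@dataclass(frozen=True)
class Cert:
    """Toy certificate. key_id stands in for the public-key fingerprint, so two
    certificates that share a DN are still told apart, as TLS signature checks do."""
    label: str
    subject_dn: str
    key_id: str
    issuer_key_id: str              # equals key_id for a self-signed certificate
    has_private_key: bool = False   # personal certificate, or a trusted signer/peer copy

    def public_copy(self, label: str) -> "Cert":
        """What 'extract' on one side and 'add' on the other puts into the peer's store."""
        return Cert(label, self.subject_dn, self.key_id, self.issuer_key_id, False)


@dataclass
class KeyStore:
    kind: str                       # "cms" (GSKit/runmqckm default) or "jks" (Java)
    certs: List[Cert] = field(default_factory=list)

    def personal(self) -> List[Cert]:
        return [c for c in self.certs if c.has_private_key]

    def trusts(self, peer: Cert) -> bool:
        # The peer's certificate validates if this store holds the key that signed it:
        # the issuing CA's certificate, or the very same self-signed certificate.
        return any(c.key_id == peer.issuer_key_id for c in self.certs)


def check(qmgr, sslciph, sslcauth, qm_store, client_store, client_suite, java_client=True):
    """Return the configuration problems that would stop the channel negotiating."""
    findings = []
    if java_client and client_store.kind != "jks":
        findings.append("Java client needs a JKS keystore, found %s" % client_store.kind)
    want = CIPHERSPEC_TO_SUITE.get(sslciph)
    if want is None:
        findings.append("CipherSpec %s not in mapping table" % sslciph)
    elif want != client_suite:
        findings.append("cipher mismatch: SSLCIPH(%s) pairs with %s, client set %s"
                        % (sslciph, want, client_suite))
    want_label = "ibmwebspheremq" + qmgr.lower()
    if not any(c.label == want_label for c in qm_store.personal()):
        findings.append("queue manager personal certificate must be labelled %s" % want_label)
    for c in qm_store.personal():
        if not client_store.trusts(c):
            findings.append("client keystore cannot validate queue manager cert %s" % c.label)
    if sslcauth == "REQUIRED":
        if not client_store.personal():
            findings.append("SSLCAUTH(REQUIRED) but client keystore has no personal certificate")
        for c in client_store.personal():
            if not qm_store.trusts(c):
                findings.append("queue manager keystore cannot validate client cert %s" % c.label)
    return findings


def thread_setup():
    """First post: one self-signed cert per side, same DN and label, never exchanged."""
    qm_cert = Cert("ibmwebspheremqjoebloggs", DN, "key-qm", "key-qm", True)
    cl_cert = Cert("ibmwebspheremqjoebloggs", DN, "key-client", "key-client", True)
    return check("DNLCAZ5CPS", "RC4_MD5_EXPORT", "REQUIRED",
                 KeyStore("cms", [qm_cert]), KeyStore("cms", [cl_cert]),
                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5")


def fixed_setup():
    """Relabelled qmgr cert, JKS on the client, each public cert added to the other store."""
    qm_cert = Cert("ibmwebspheremqdnlcaz5cps", DN, "key-qm", "key-qm", True)
    cl_cert = Cert("ibmwebspheremqjoebloggs", DN, "key-client", "key-client", True)
    qm_store = KeyStore("cms", [qm_cert, cl_cert.public_copy("joebloggs-client")])
    cl_store = KeyStore("jks", [cl_cert, qm_cert.public_copy("dnlcaz5cps-qmgr")])
    return check("DNLCAZ5CPS", "RC4_MD5_EXPORT", "REQUIRED", qm_store, cl_store,
                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5")


def ca_signed_setup():
    """Both certs issued by one private CA (constructed): each store needs only the CA cert."""
    ca = Cert("myca", "CN=Test CA,O=XXXX,C=UK", "key-ca", "key-ca")
    qm_cert = Cert("ibmwebspheremqdnlcaz5cps", DN, "key-qm", "key-ca", True)
    cl_cert = Cert("ibmwebspheremqjoebloggs", DN, "key-client", "key-ca", True)
    return check("DNLCAZ5CPS", "RC4_MD5_EXPORT", "REQUIRED",
                 KeyStore("cms", [qm_cert, ca]), KeyStore("jks", [cl_cert, ca]),
                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5")


if __name__ == "__main__":
    for name, scenario in (("thread", thread_setup), ("fixed", fixed_setup), ("ca-signed", ca_signed_setup)):
        print("%-10s %s" % (name, scenario() or ["no findings"]))
```

Run as-is, the first scenario reports four findings (CMS store on a Java client, wrong queue manager label, and neither side able to validate the other's self-signed certificate), while the other two report none: with self-signed certificates each side's public certificate has to sit in the other's store, and with a common CA only the CA certificate does, which is the distinction behind the manual text hilltops quotes. The cipher check passes for the thread's pair because RC4_MD5_EXPORT and SSL_RSA_EXPORT_WITH_RC4_40_MD5 are the same cipher under the two naming schemes. One thing this model does not cover is where the queue manager actually looks for its keystore: the DISPLAY QMGR output in the first post shows SSLKEYR under /var/mqm/qmgrs/SDBC01EGDS/ssl while the key.kdb was created under DNLCAZ5CPS, and the queue manager only opens the path named in SSLKEYR (with .kdb appended), so that attribute is worth comparing against the created file as well.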