Problem with import certificate into the certificate DB (MQSeries.net Forum, General IBM MQ Support)
hilltops
Posted: Fri Jan 04, 2008 7:28 am    Post subject: Problem with import certificate into the certificate DB

Centurion

Joined: 01 Mar 2006
Posts: 112

I am having trouble "receiving" a CA-signed certificate in the certificate database for a queue manager. I get the following error when I try to load the cert into the DB.

An error occurred while receiving the certificate from the given file.
The certificate request created for the certificate is not in the key database.


The DB has the intermediate certificate of the CA installed.

Has anyone encountered this problem before?

Thankx
Gaya3
Posted: Fri Jan 04, 2008 8:20 am

Jedi

Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US

Hi

Hope you have installed GSK kit properly well.....

The .kdb file is created when you create a new key database. A key record in a .kdb file can be either a certificate or a certificate with its encrypted private key information.

Mr Google will help you for the rest

Regards
Gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die
hilltops
Posted: Fri Jan 04, 2008 8:38 am

Centurion

Joined: 01 Mar 2006
Posts: 112

Yes, the GSK has been correctly installed. I am able to use all the relevant commands OK. The commands I have used are as follows:

To create the .kdb:
Code:
gsk7cmd -keydb -create -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -type cms -stash

To generate the cert signing request:
Code:
gsk7cmd -certreq -create -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -label ibmwebspheremqqmgr -dn 'CN=QMGR,O=MyComp,OU=MQManager,L=SomeWhere,ST=Here,C=GB' -size 1024 -file QMGR.csr

To add the CA cert to the kdb:
Code:
gsk7cmd -cert -add -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -label verisign_intermediate -file verisign.cert

To receive the queue manager cert into the kdb:
Code:
gsk7cmd -cert -receive -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -file /var/mqm/qmgrs/QMGR/ssl/QMGR.cert


Is there anything I have missed out?
bbburson
Posted: Fri Jan 04, 2008 9:40 am

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

The gsk7cmd command I use for receiving a cert into the database includes the flag
Code:
-format ascii

Don't know if that could be your answer or not.

Also, you MUST receive the cert into the same database where the request was issued. You can see outstanding requests in the database using gsk7ikm GUI (and I'm sure there's a gsk7cmd equivalent but I don't know what it is).
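The gsk7cmd error in the first post means no pending request in that .kdb carries the public key found in the signed certificate (GSKit lists pending requests with gsk7cmd -certreq -list -db <file> -pw <password>). The following script is an added example, not from this thread or from IBM's tooling: it compares the public key in a CSR with the one in the returned certificate using openssl, so a mismatch is caught before attempting the receive. It assumes openssl is on the PATH; the helper names are hypothetical and the key, request and certificate are constructed inline.

```shell
#!/bin/sh
# Added example: confirm a CA-signed certificate belongs to the key behind a
# pending request before receiving it into a key database.
set -e

# Hypothetical helper: SHA-256 fingerprint of the public key inside a CSR.
csr_key_fp() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl sha256 | awk '{print $NF}'
}

# Hypothetical helper: the same fingerprint for an X.509 certificate.
cert_key_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl sha256 | awk '{print $NF}'
}

# Prints "match" when the certificate was issued for the request's key and
# "mismatch" otherwise, which is the situation behind the gsk7cmd error.
check_cert_matches_csr() {
    if [ "$(csr_key_fp "$1")" = "$(cert_key_fp "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample data: two keys with identical DNs, a request for each,
# and a certificate issued for the first request only (self-signed here so
# the example runs offline, standing in for the CA's reply).
WORK=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/qmgr.key" \
    -out "$WORK/QMGR.csr" -subj "/CN=QMGR/O=MyComp" >/dev/null 2>&1
openssl x509 -req -in "$WORK/QMGR.csr" -signkey "$WORK/qmgr.key" \
    -days 1 -out "$WORK/QMGR.cert" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.csr" -subj "/CN=QMGR/O=MyComp" >/dev/null 2>&1

check_cert_matches_csr "$WORK/QMGR.csr" "$WORK/QMGR.cert"    # match
check_cert_matches_csr "$WORK/other.csr" "$WORK/QMGR.cert"   # mismatch
```

The second call shows why a regenerated request with the same DN does not help: the CA's certificate is bound to the original key pair, which is also why the later question in this thread about a deleted keystore has no shortcut.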
hilltops
Posted: Fri Jan 04, 2008 3:43 pm

Centurion

Joined: 01 Mar 2006
Posts: 112

Yes, indeed I did have the "-format ascii" flag in the "receive" command. But I still have the same problem.
revathi
Posted: Mon Jan 05, 2009 8:22 pm

Newbie

Joined: 05 Jan 2009
Posts: 1

Hi,

Simple issue. You are receiving the cert into a different keystore instead of the one that generated it.

Mahesh
aspre1b
Posted: Thu Jul 09, 2009 6:05 am

Voyager

Joined: 05 Jul 2007
Posts: 78
Location: Coventry, UK

Does anyone know if it is possible to import a CSR (Cert Signer Request) into a keystore (IBM Key Mgt)?

Scenario - the original keystore has been deleted, but I still have the CSR and the resulting Signed Certificate?

Is it just a case of recreating the CSR again?

Platform - Win XP
Product - IBM Key Mgt (IKeyman) 7.0.4.11
WMBDEV1
Posted: Thu Jul 09, 2009 6:21 am

Sentinel

Joined: 05 Mar 2009
Posts: 888
Location: UK

use the -recreate flag?

http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.amqzag.doc/fa16150_.htm

Not tried it but looks like what you want.


Last edited by WMBDEV1 on Thu Jul 09, 2009 6:32 am; edited 1 time in total
WMBDEV1
Posted: Thu Jul 09, 2009 6:26 am

Sentinel

Joined: 05 Mar 2009
Posts: 888
Location: UK

In fact the more I look at that the less convinced I am that it's doable.

Anyway, I hope the link is useful at least!
exerk
Posted: Thu Jul 09, 2009 6:39 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

WMBDEV1 wrote:
use the -recreate flag?...


Used to generate a new request from an existing received certificate, using the same key used to create the original request...I believe.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
WMBDEV1
Posted: Thu Jul 09, 2009 6:46 am

Sentinel

Joined: 05 Mar 2009
Posts: 888
Location: UK

exerk wrote:
WMBDEV1 wrote:
use the -recreate flag?...


Used to generate a new request from an existing received certificate, using the same key used to create the original request...I believe.


Yeah I kinda backpedalled after I reread the link I posted and this one...

http://www-01.ibm.com/support/docview.wss?uid=swg21250603

I'm out of ideas (and my comfort zone) now so will leave it to others to try and offer better advice.

Although I was wondering if you could retrieve it from a backup?
exerk
Posted: Thu Jul 09, 2009 6:53 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

WMBDEV1 wrote:
...Although I was wondering if you could retrieve it from a backup?


As far as I am aware, the only thing that ties a queue manager to its key store is the SSLKEYR setting. At my current site, the process is for the contents of the ../ssl directory to be backed up, off-server, whenever any changes are made to it. Even if the queue manager has to be recreated, there is no latency waiting for a new certificate request to be signed etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
WMBDEV1
Posted: Thu Jul 09, 2009 7:01 am

Sentinel

Joined: 05 Mar 2009
Posts: 888
Location: UK

exerk wrote:
WMBDEV1 wrote:
...Although I was wondering if you could retrieve it from a backup?


As far as I am aware, the only thing that ties a queue manager to its key store is the SSLKEYR setting. At my current site, the process is for the contents of the ../ssl directory to be backed up, off-server, whenever any changes are made to it. Even if the queue manager has to be recreated, there is no latency waiting for a new certificate request to be signed etc.


Sounds reasonable..... I was thinking more about whether they had backups containing the keystore to restore it from than the feasibility of the process!


Last edited by WMBDEV1 on Thu Jul 09, 2009 11:09 am; edited 1 time in total
zpat
Posted: Thu Jul 09, 2009 7:43 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

We had a similar problem and had to request another certificate to make sure the matching request was in the keystore.

You can also get a problem when importing a CA signed certificate - make sure it is imported as a "personal" certificate, not as a signer certificate.

Finally we had to import another VeriSign CA signer certificate (class 3 G2) because it didn't come as standard with MQ.

If you open your CA personal certificate under Windows you can see the signer hierarchy (cert path) - all these signers need to be in the keystore.

Using Ikeyman instead of GSK7CMD makes things easier to get right.
exerk
Posted: Thu Jul 09, 2009 1:05 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

zpat wrote:
...Finally we had to import another VeriSign CA signer certificate (class 3 G2) because it didn't come as standard with MQ...


VeriSign changed their trust chain signers in May this year - caught us on the hop.

zpat wrote:
...Using Ikeyman instead of GSK7CMD makes things easier to get right...


I've known gsk7cmd to fail if an intermediate CA certificate add is attempted before its root CA certificate is added.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.