SSL problem - receiving the signed certificate
jeevan
PostPosted: Thu Jan 08, 2009 9:58 am    Post subject: SSL problem - receiving the signed certificate

Grand Master

Joined: 12 Nov 2005
Posts: 1432

We are implementing SSL on MQ where Tibco BW is the client. I am working on the MQ side to set it up. We had done an initial test (kind of a POC) and we know it works. Now we are implementing SSL in our TEST environment, followed by production later on.

We will be using an internal CA-signed certificate instead of self-signed. That means that I need to create the CA artifacts as well. When we tested last time, we used a self-signed certificate. My only little confusion is this: what should the database type of the CA be? Does it matter at all, as it only needs to hold the CA certificate, which will be exported and sent to the others anyway?

Any suggestions would be appreciated.

I know the database type for MQ should be cms.


Last edited by jeevan on Fri Jan 09, 2009 10:34 am; edited 2 times in total
marcin.kasinski
PostPosted: Thu Jan 08, 2009 10:40 am    Post subject: Re: SSL CA database type

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

From the SSL point of view there is no database type of CA.

A CA is just a key pair.
Your MQ and partner certs are signed by the CA private key.
What you have to do is import the CA public key into your MQ SSL trust store.
Your partner should do the same.
_________________
Marcin
jeevan
PostPosted: Thu Jan 08, 2009 11:03 am    Post subject: Re: SSL CA database type

Grand Master

Joined: 12 Nov 2005
Posts: 1432

marcin.kasinski wrote:
From the SSL point of view there is no database type of CA.

A CA is just a key pair.
Your MQ and partner certs are signed by the CA private key.
What you have to do is import the CA public key into your MQ SSL trust store.
Your partner should do the same.


I am also acting as a CA. In this case, I have to create a database for the CA, as the CA needs it to hold its own root certificate (self-signed), which will be sent to the queue manager and to the client who wants to access the queue manager. Also, a database is necessary in order to sign a certificate request from the qmgr or client.


Last edited by jeevan on Fri Jan 09, 2009 10:36 am; edited 1 time in total
marcin.kasinski
PostPosted: Thu Jan 08, 2009 11:24 am    Post subject: Re: SSL CA database type

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

It can be any database type?

Any means any database type supported for "normal certs": cms, jks, ...

You can use standard tools to manage the CA cert: keytool, ikeyman, ...

Example: http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

If you are acting as CA, your CA key pair is just a self-signed cert or a cert signed by a global CA.

A CA is just a "normal cert" used to sign other certs.
_________________
Marcin
jeevan
PostPosted: Thu Jan 08, 2009 1:45 pm    Post subject: Re: SSL CA database type

Grand Master

Joined: 12 Nov 2005
Posts: 1432

marcin.kasinski wrote:
It can be any database type?

Any means any database type supported for "normal certs": cms, jks, ...

You can use standard tools to manage the CA cert: keytool, ikeyman, ...

Example: http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

If you are acting as CA, your CA key pair is just a self-signed cert or a cert signed by a global CA.

A CA is just a "normal cert" used to sign other certs.


I am having an unusual error while receiving the qmgr certificate which is signed by the CA and sent to the queue manager. I am able to add the CA certificate, though.

These are the steps. I have set all the variables properly.
==========

Rem ------------CA TASKs

rem Create the CA's own key database and its self-signed root certificate,
rem then extract the public certificate so it can be added to the qmgr and client stores
runmqckm -keydb -create -db %CADB% -pw %pw% -type cms
runmqckm -cert -create -db %CADB% -pw %pw% -label "CACert" -dn %dn% -expire %exp%
runmqckm -cert -extract -db %CADB% -pw %pw% -label "CACert" -target CACert.cer -format ascii

echo "CA signs certificate request"
rem sign QMGR certificate
rem (%RANDOM% is the cmd.exe syntax; $RANDOM is a Unix shell variable and cmd.exe
rem would pass it to runmqckm literally as the serial number)
runmqckm -cert -sign -db %CADB% -pw %pw% -label "CACert" -sernum %RANDOM% -file %QM%.req -target %QM%.cer -expire 363 -format ascii

rem Sign App/client certificate (for future) - same CA database as above
runmqckm -cert -sign -db %CADB% -pw %pw% -label "CACert" -file appcer.req -target appsigned.cer -expire %exp%



ECHO #QMGRs

echo "Creating key database"
runmqckm -keydb -create -db %QMDB% -pw %pw% -type cms -expire %exp% -stash

echo "Creating certificate request in key database"
runmqckm -certreq -create -db %QMDB% -pw %pw% -label ibmwebspheremq%qm% -dn %dn% -file %QM%.req

REM ==========================
echo "Adding CA cert to key database"
rem the CA's extracted root certificate goes in as a signer certificate
runmqckm -cert -add -db %QMDB% -type cms -pw %pw% -label "CACert" -file CACert.cer

echo "Adding CA signed QMgr certificate to qmgr's key database"
rem receive matches the signed cert to the pending request with label ibmwebspheremq%qm%
runmqckm -cert -receive -db %QMDB% -pw %pw% -file %QM%.cer


echo Cleaning up temporary files

rem del %QM%.cer
rem del %QM%.req

======
When I run the command to receive the certificate signed by the CA, it gives the following error:

An attempt to receive the certificate has failed.
All the signer certificates should exist in the key database

I added the CA certificate before I received the signed certificate.
It would be a great help if someone can point out the mistake I am making.

thanks a lot


Last edited by jeevan on Fri Jan 09, 2009 10:38 am; edited 1 time in total
marcin.kasinski
PostPosted: Fri Jan 09, 2009 12:08 am    Post subject: Re: SSL CA database type

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

Is this CA cert self-signed?

Is your personal certificate signed by the CA you have added to the database?

Can you post here information about:

1. database content (list of certs)
2. CA cert you have added to the database
3. cert you are trying to add to the database

I think this is a problem with the signer path.

Let's say you have CA1, CA2 and personalcert.
If CA2 is signed by CA1 and personalcert is signed by CA2, in your database you should have at least CA2 to add personalcert there. Having CA1 is not enough, because personalcert is signed by CA2, not CA1.

I hope it helps.
_________________
Marcin
jeevan
PostPosted: Fri Jan 09, 2009 9:44 am    Post subject: Re: SSL CA database type

Grand Master

Joined: 12 Nov 2005
Posts: 1432

marcin.kasinski wrote:
Is this CA cert self-signed?

Is your personal certificate signed by the CA you have added to the database?

Can you post here information about:

1. database content (list of certs)
2. CA cert you have added to the database
3. cert you are trying to add to the database

I think this is a problem with the signer path.

Let's say you have CA1, CA2 and personalcert.
If CA2 is signed by CA1 and personalcert is signed by CA2, in your database you should have at least CA2 to add personalcert there. Having CA1 is not enough, because personalcert is signed by CA2, not CA1.

I hope it helps.


Marcin,

These are the steps I followed.

As qmgr admin, the following has to be performed:
1. Create a key repository
2. Create a certificate request and send it to the CA
3. Add the CA's certificate to the KR (key repository) of the queue manager
4. When the signed certificate is received back from the CA, receive it into the queue manager's repository

As CA, I have to do the following:

1. Create a key repository
2. Create a self-signed certificate (root certificate)
3. Extract the certificate and send it to the qmgr and the client (who wants to access this particular queue manager)
4. Sign the certificate request received from the QMGR and send it back to the QMGR

As a client, I have to do the following:

1. Create a truststore (using runmqckm for a C client or keytool for a Java client) if one does not exist already. For software like Tibco, a repository already exists.
2. Add the CA/SS certificate to the KR (truststore)

Changes in the qmgr:
1. Create/modify the SSL channel
2. Change SSLKEYR to point at the certificate repository of the queue manager
3. Set the CIPHER to (one of the 5 ciphers)
4. The SSLCAUTH attribute should be set to optional for one-way SSL


The only problem I have is when I receive the certificate signed by the CA.
I would send you the screenshots; could you please give me your email?

Note: The label for the CA certificate is CACert and the label for the certificate request by the qmgr to the CA is ibmwebspheremq<qmgrname>



Thanks
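The steps listed above (CA key repository, self-signed root, sign the queue manager's request, receive the signed certificate) and Marcin's signer-path rule (CA1 signs CA2, CA2 signs personalcert, so the store must hold CA2) can be run end to end with the added example below. It is not from the thread or from IBM: openssl stands in for runmqckm, and the names ca1, ca2, QM1, the subject names and the file names are all made up for the example. It builds a root CA1 and an intermediate CA2, has CA2 sign queue manager QM1's request, and then runs the "receive" check against trust stores holding CA1 only, CA2 only, and both.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): openssl stands in for runmqckm so the
# CA, queue manager and "receive" steps can be run end to end. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Extensions that mark a certificate as a CA (runmqckm sets these itself).
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# CA task: key pair plus a self-signed root certificate (the thread's CACert).
make_root_ca() {                       # $1 = short name, e.g. ca1
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Internal Root $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.req" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.cer" 2>/dev/null
}

# CA task: an intermediate CA whose certificate is signed by another CA.
make_intermediate_ca() {               # $1 = short name, $2 = issuer short name
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Internal Issuing $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.req" -CA "$WORK/$2.cer" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/$1.cer" 2>/dev/null
}

# Queue manager task: key pair and certificate request, using the MQ label
# convention ibmwebspheremq<qmgr name> as the subject (runmqckm -certreq -create).
make_qmgr_request() {                  # $1 = queue manager name
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=ibmwebspheremq$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.req" 2>/dev/null
}

# CA task: sign the queue manager's request (runmqckm -cert -sign).
sign_qmgr_request() {                  # $1 = queue manager name, $2 = issuer short name
  openssl x509 -req -in "$WORK/$1.req" -CA "$WORK/$2.cer" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 363 -out "$WORK/$1.cer" 2>/dev/null
}

# Queue manager task: the "receive" step. runmqckm -cert -receive insists that the
# certificate's signer is already in the key database ("All the signer certificates
# should exist in the key database"); openssl verify with -partial_chain applies the
# same rule, the direct issuer must be in the trust store. Prints "ok" or "fail".
receive_check() {                      # $1 = queue manager name, rest = CA certs in the store
  qm="$1"; shift
  cat "$@" > "$WORK/trust.pem"
  if openssl verify -partial_chain -CAfile "$WORK/trust.pem" "$WORK/$qm.cer" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Scenario: root ca1 signs intermediate ca2; ca2 signs queue manager QM1's request.
make_root_ca ca1
make_intermediate_ca ca2 ca1
make_qmgr_request QM1
sign_qmgr_request QM1 ca2

echo "trust store has ca1 only: $(receive_check QM1 "$WORK/ca1.cer")"                   # fail
echo "trust store has ca2 only: $(receive_check QM1 "$WORK/ca2.cer")"                   # ok
echo "trust store has ca1+ca2:  $(receive_check QM1 "$WORK/ca1.cer" "$WORK/ca2.cer")"   # ok
```

The CA1-only case is the situation Marcin describes: a CA higher up the chain is present, but the certificate's direct signer is not, so the receive step is refused. In the thread's own setup there is a single self-signed CACert, so once that exact certificate is in the queue manager's key database the certificate it signed has its signer present.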