sri_csee1983
Posted: Thu Feb 12, 2009 2:30 am Post subject: Advice on SSL
Centurion
Joined: 25 Mar 2008 Posts: 125 Location: Chennai, India
Hi Friends,
I am in need of configuring the SSL from the Windows Qm to AIX Qm. IKeyman utility which came with MQ6.0.2.3 on that machine had some problem. So I created the key dbs in another AIX machine using command line. And then planned to move those key dbs to Windows after receiving and exporting the certificates. Is this advisable? Will I face any problem as I create the key dbs in AIX and move them to Windows? Please advise.
_________________
With Cheers,
Sri
Vitor
Posted: Thu Feb 12, 2009 2:35 am Post subject: Re: Advice on SSL
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
sri_csee1983 wrote: |
IKeyman utility which came with MQ6.0.2.3 on that machine had some problem. |
Care to provide a clue?
sri_csee1983 wrote: |
Is this advisable. |
Are these self-signed or are you running your own CA?
sri_csee1983 wrote: |
Will I face any problem as I create the Key dbs in AIX and move them to Windows. |
Providing you're properly cautious with the transfer & encoding it should be ok.
_________________
Honesty is the best policy.
Insanity is the best defence.
sri_csee1983
Posted: Thu Feb 12, 2009 3:20 am Post subject:
Centurion
Joined: 25 Mar 2008 Posts: 125 Location: Chennai, India
Hi Vitor,
Thanks for your reply. When I open the IKeyman utility, I get the following error: "The procedure entry point ??_U@YAPAXI@Z could not be located in the dynamic link library MSVCRT.dll"
And we are using our own CA (personal certificate), and the difference I find between creating the keydb files in Windows and AIX is that in AIX we get only 4 files when we create the keydb and we get 5 files in Windows. Key.sto is missing in Windows.
Another doubt: if the sender and receiver use the same signer certificates (I mean, if the signer certificate which is used by the sender is already there in the receiver db), do we not need to export the public key from the sender? Or should we still export the public key from the sender and import it to the RCVR?
_________________
With Cheers,
Sri
Vitor
Posted: Thu Feb 12, 2009 3:31 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
sri_csee1983 wrote: |
thanks for your reply. When I open the IKeyman utility, I get the following error "The procedure entry point ??_U@YAPAXI@Z could not be located in the dynamic link library MSVCRT.dll" |
Now I see why you're using AIX...!
sri_csee1983 wrote: |
we get only 4 files when we create the keydb and we get 5 files in Windows. Key.sto is missing in Windows. |
I'd have expected key.sto to only be present on Windows. It's the file produced by amqmcert & has the password stashed for the queue manager's use.
sri_csee1983 wrote: |
Another doubt is if the Sender and receiver uses the same signer certificates (I mean if the signer certificate is already there in receiver db which used by the sender) whether we need not export the Public Key from the sender? Or still we should export the public key from the Sender and import it to the RCVR? |
If both certs are signed by the same signer, and that signer's certificate is in the key chain of both queue managers, it should work.
_________________
Honesty is the best policy.
Insanity is the best defence.
sri_csee1983
Posted: Thu Feb 12, 2009 4:04 am Post subject:
Centurion
Joined: 25 Mar 2008 Posts: 125 Location: Chennai, India
Vitor,
Your reply motivates me. I remember in MQ v5.3 we used to assign a certificate to the QM using Manage SSL under QM properties --> SSL tab. With that we can assure that the certificate is associated with the QM. But in MQ v6, we don't have that Manage SSL button. Is there any way to assure that the certificate is associated with the QM?
_________________
With Cheers,
Sri
Vitor
Posted: Thu Feb 12, 2009 4:11 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
sri_csee1983 wrote: |
Ur reply motivates me |
Well this is a new experience.....!
sri_csee1983 wrote: |
I remember in MQ v5.3 we use to assign a certificate to the QM using the Manage SSL under QM properties --> SSL tab, With that we can assure that certificate is associated with the QM. But in MQ v6, We dont have that button Manage SSL. Is there any way to assure that the Certificate is associated with QM? |
I have no clue what that button used to do, having never used it. How would a certificate not be associated with the queue manager, having the queue manager name as part of its distinguished name? And being in the correct path?
I'm not sure I quite understand what you're asking.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Feb 12, 2009 4:15 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Vitor wrote: |
I'd have expected key.sto to only be present on Windows. It's the file produced by amqmcert & has the password stashed for the queue manager's use. |
I think you'll find that has now changed to *.sth (stash presumably) since WMQ V6.0, so you'll see *.crl, *.kdb, *.rdb and *.sth.
And having seen the subsequent posts...an edit!
The SSLKEYR attribute of the queue manager paths to the key store containing the queue manager's personal cert. You might try re-registering or replacing the MSVCRT.dll - plenty of hits on Google for problems with that particular library - and have another go at creating a key store.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
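
Added example, not part of any post in this thread: a way to check the "transfer & encoding" caution mechanically for the four files named above (*.kdb, *.sth, *.rdb, *.crl), by hashing them on the source host and verifying them on the destination. The `key` stem, the directory names and the sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File set named in the thread for a WMQ V6 key repository.
KEYSTORE_EXTS = (".kdb", ".sth", ".rdb", ".crl")

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest(stem):
    """Run on the source host: map each extension to the SHA-256 of <stem><ext>."""
    return {ext: _sha256(Path(str(stem) + ext).read_bytes()) for ext in KEYSTORE_EXTS}

def verify(stem, expected):
    """Run on the destination host: return a list of problems (empty = intact)."""
    problems = []
    for ext in KEYSTORE_EXTS:
        path = Path(str(stem) + ext)
        if not path.is_file():
            problems.append(f"{path.name}: missing")
            continue
        data = path.read_bytes()
        if _sha256(data) == expected[ext]:
            continue
        # Text-mode transfer UNIX -> Windows rewrites LF as CRLF; undo it and re-hash.
        if _sha256(data.replace(b"\r\n", b"\n")) == expected[ext]:
            problems.append(f"{path.name}: altered by text-mode transfer, resend as binary")
        else:
            problems.append(f"{path.name}: checksum mismatch")
    return problems

def demo():
    """Constructed sample: arbitrary bytes stand in for real key database files."""
    with tempfile.TemporaryDirectory() as workdir:
        src, dst = Path(workdir, "aix"), Path(workdir, "win")
        src.mkdir(); dst.mkdir()
        for i, ext in enumerate(KEYSTORE_EXTS):
            (src / ("key" + ext)).write_bytes(bytes([i, 10, 13, 10, 255]) * 8)
        expected = manifest(src / "key")
        for ext in KEYSTORE_EXTS:
            data = (src / ("key" + ext)).read_bytes()
            if ext == ".kdb":                  # simulate an ASCII-mode transfer
                data = data.replace(b"\n", b"\r\n")
            if ext != ".sth":                  # simulate a forgotten stash file
                (dst / ("key" + ext)).write_bytes(data)
        return verify(dst / "key", expected)

if __name__ == "__main__":
    print("\n".join(demo()))
```

In real use the dictionary returned by `manifest` would travel with the files (for example as a small text file) and be passed to `verify` on the Windows side before SSLKEYR is pointed at the copied key store.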