mqipt and ssl (MQSeries.net, General IBM MQ Support)
bobbee
PostPosted: Tue Mar 10, 2009 5:12 am    Post subject: mqipt and ssl
I have on my server two QMGRS and MQIPT. I configured two mqipt.conf files and started two MQIPTs to act as gateways for the QMGRS. They connected and messages went back and forth. I then created self-signed certificates and did the appropriate exchange of signer keys and set up the mqipt.conf files. I got the channel started from DFJ to UPS but cannot start the sender from UPS to DFJ. When I created the mqipt.conf parms I copied them from one to the other and changed the appropriate fields. I thought maybe two MQIPTs on one server were butting heads. So I put all the config in one mqipt.conf file. The channel still comes up as retrying. I recreated the keys and certs in case I had a misspelling I wasn't seeing. Still retrying. This is my mqipt.conf file:

################################################################################
# 5639-L92
# (c) Copyright IBM Corp. 2000-2002, 2008. All rights reserved.
################################################################################
#
# Global default properties for all routes
#
# AccessPw, CommandPort, ConnectionLog, RemoteShutDown and MaxLogFileSize can only
# be used in the global section.
#
[global]
CommandPort=1881
RemoteShutDown=true
MinConnectionThreads=5
MaxConnectionThreads=100
IdleTimeout=20
QMgrAccess=true
HTTP=false
HTTPChunking=false
Trace=5
ConnectionLog=true
MaxLogFileSize=50
AccessPW=MQIPT


[route]
Name=DFJ.DFJ.UPS
Active=true
ListenerPort=1423
Destination=localhost
DestinationPort=1422
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLClientKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLClientCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLClientKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd
SSLClientCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd
SSLClientSiteLabel=ibmwebspheremqdfj

[route]
Name=DFJ.UPS.DFJ
Active=true
ListenerPort=1425
Destination=localhost
DestinationPort=1421


[route]
Name=UPS.UPS.DFJ
Active=true
ListenerPort=1424
Destination=localhost
DestinationPort=1425
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLClientKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLClientCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLClientKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
SSLClientCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
SSLClientSiteLabel=ibmwebspheremqups

[route]
Name=UPS.DFJ.UPS
Active=true
ListenerPort=1422
Destination=localhost
DestinationPort=1420

I am testing this out for a B2B installation I must set up. I know there is an issue but............
On the SSL side I created a self-signed key in both keystores (ie ibmwebspheremqups and ibmwebspheredfj). I then extracted a cert.arm and placed it in the alternate keystore in the signer store.

Any help would be greatly appreciated.
fjb_saper
PostPosted: Tue Mar 10, 2009 7:18 pm
Ok your setup is wrong.
The sender mqipt needs to set SSLClient=true
The receiver mqipt needs to set SSLServer=true

Of course you need matching SSL protocols
matching certs
and correct keyrings and stashed password files...

Have fun
_________________
MQ & Broker admin
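As an added example (not part of this thread and not an IBM tool), a small lint that applies the rule above to an mqipt.conf: every route with SSLClient=true whose Destination is the same host must land on a route that has SSLServer=true, and, where both sides name a cipher suite, the suites must match. The sample config embedded below is constructed to mirror the first config in the thread.

```python
import re

def parse_mqipt_conf(text):
    # [route] repeats, so configparser cannot be used; returns (global, [routes])
    glob, routes, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            cur = {} if m.group(1).lower() == "route" else glob
            if cur is not glob:
                routes.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return glob, routes

def lint_routes(routes):
    # Pair each SSLClient route with the local route it lands on and check that side
    by_port = {r.get("ListenerPort"): r for r in routes}
    findings = []
    for r in routes:
        if r.get("SSLClient", "").lower() != "true" or r.get("Destination", "").lower() not in ("localhost", "127.0.0.1"):
            continue  # only a TLS client route whose peer route is in this same file can be checked
        peer = by_port.get(r.get("DestinationPort"))
        if peer is None:
            findings.append((r["Name"], "no local route listens on port " + str(r.get("DestinationPort"))))
        elif peer.get("SSLServer", "").lower() != "true":
            findings.append((r["Name"], "TLS client into plaintext route " + peer["Name"] + " (needs SSLServer=true)"))
        elif peer.get("SSLServerCipherSuites", r.get("SSLClientCipherSuites")) != r.get("SSLClientCipherSuites"):
            findings.append((r["Name"], "cipher suite mismatch with " + peer["Name"]))
    return findings

# Constructed excerpt modelled on the thread's first config: a TLS client route
# whose destination is a plain (non-SSLServer) route on the same host.
SAMPLE = """[route]
Name=DFJ.DFJ.UPS
ListenerPort=1423
Destination=localhost
DestinationPort=1422
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
[route]
Name=UPS.DFJ.UPS
ListenerPort=1422
Destination=localhost
DestinationPort=1420"""

if __name__ == "__main__": print(lint_routes(parse_mqipt_conf(SAMPLE)[1]))
```

Against the sample it reports DFJ.DFJ.UPS as a TLS client terminating on a plaintext route; once SSLServer=true and a matching SSLServerCipherSuites are added to UPS.DFJ.UPS the report is empty.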
mqjeff
PostPosted: Wed Mar 11, 2009 3:31 am
bobbee
PostPosted: Wed Mar 11, 2009 5:56 am
This is interesting. I did what I believe your suggestion implied. Although I had the same configuration for both sender and receiver routes, one direction 'was' working. So the sender channel from DFJ.UPS came up and I was able to exchange messages. UPS.DFJ would not and went to RETRY. I set up the following MQIPT.CONF and started everything. Now the UPS.DFJ sender comes up and the DFJ.UPS goes to BINDING. I looked at the LOG and TRACE and there are no discernible exceptions being thrown.

################################################################################
# 5639-L92
# (c) Copyright IBM Corp. 2000-2002, 2008. All rights reserved.
################################################################################
#
# Global default properties for all routes
#
# AccessPw, CommandPort, ConnectionLog, RemoteShutDown and MaxLogFileSize can only
# be used in the global section.
#
[global]
CommandPort=1881
RemoteShutDown=true
MinConnectionThreads=5
MaxConnectionThreads=100
IdleTimeout=20
QMgrAccess=true
HTTP=false
HTTPChunking=false
Trace=5
ConnectionLog=true
MaxLogFileSize=50
AccessPW=MQIPT


[route]
Name=DFJ.DFJ.UPS
Active=true
ListenerPort=1423
Destination=localhost
DestinationPort=1422
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLClientKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLClientCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLClientKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd
SSLClientCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd
SSLClientSiteLabel=ibmwebspheremqdfj

[route]
Name=DFJ.UPS.DFJ
Active=true
ListenerPort=1425
Destination=localhost
DestinationPort=1421
SSLServer=true
SSLServerCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLServerKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLServerCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\DFJ_NEW_key.p12
SSLServerKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd
SSLServerCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\DFJ\\dfj_NEW.pwd


[route]
Name=UPS.UPS.DFJ
Active=true
ListenerPort=1424
Destination=localhost
DestinationPort=1425
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLClientKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLClientCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLClientKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
SSLClientCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
SSLClientSiteLabel=ibmwebspheremqups

[route]
Name=UPS.DFJ.UPS
Active=true
ListenerPort=1422
Destination=localhost
DestinationPort=1420
SSLServer=true
SSLServerCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA
SSLServerKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLServerCAKeyRing=C:\\IBM\\MQ\\gskit\\ibm\\gsk7\\bin\\UPS_NEW_key.p12
SSLServerKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
SSLServerCAKeyRingPW=C:\\IBM\\MQIPT\\bin\\UPS\\ups_NEW.pwd
fjb_saper
PostPosted: Wed Mar 11, 2009 8:13 pm
I see your config file but it is really very difficult to read because all is localhost....

Can you make the setup over 2 machines (even if virtual?)

So you have an mqipt on machine1 that acts as a client towards machine2 and as a server towards machine1, and an mqipt on machine2 that acts as a client for machine1 and a server for machine2.

You will need at least 2 self signed certs. Machine1 has one in its server key ring and machine2 has one in its server key ring. Machine1 sends its 509 cert to machine 2 for the client ssl to use. Machine2 sends its 509 cert to machine 1 for the client ssl to use....

This should all work. Now if you are very careful with the ports the certs and the setup you can bring this all under 1 roof (machine).
But I would advise for a lot more comments in the setup as it is complex...

You can also try this: we have no cipher suite defined at the server. The client side defined its cipher suite. As long as the cert supports the cipher suite it should be good to go.

Have fun
_________________
MQ & Broker admin
bobbee
PostPosted: Thu Mar 12, 2009 3:57 am
This is a test so I can transfer the mqipt.conf to my customer and all they have to do is change the dns/ip of the destinations. While the 'localhost' does make it confusing, the ips are important. The SSL certificates have to be OK; I have had this running in both directions but not both at the same time. When I did not have SSLServer in the receiving configuration the DFJ.UPS Sender channel worked. Upon a suggestion I put SSLServer in both receivers. At that point only the UPS.DFJ sender channel came up. I could understand both or neither working. But one or the other? I will play more but I have done what you have suggested. When I used the same procedures going QMGR to QMGR this works. When IPT is in the middle it gets funky.