sebastia |
Posted: Sat Apr 04, 2009 6:05 am Post subject: MQ Client using SSL sample |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
I have never seen a sample
on how to configure a Client channel to use SSL.
Can someone provide a pointer to a sample
where MQ Client channel using SSL is configured ?
I have both manuals :
a) MQ Client
b) MQ Security
but there is no such code there.
Any DeveloperWorks article ?
( there are few with JMS, but I use "normal" Client )
Thanks. |
bruce2359 |
Posted: Sat Apr 04, 2009 7:08 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
It's in the Clients manual. Look for Using WebSphere MQ environment variables . . .
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
sebastia |
Posted: Sat Apr 04, 2009 8:03 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Thanks, Bruce, but that's not quite enough.
The only one related to SSL is ...
"MQSSLKEYR This variable specifies the location of the key repository
that holds the user’s digital certificate, in stem format."
Maybe I expressed myself improperly ...
What I need is an "SSL Client Channel Setup How-To" !
I was thinking of something like this (simple) checklist :
=======================================
To set up an SSL-protected Client Channel, you need :
*) MQ Server machine with MQ Server installed and a queue manager
*) MQ Client machine with MQ Client installed
*) SVRCONN channel definition
*) CLNTCONN channel definition
*) create a key repository on MQ Server machine
*) create and distribute the CA certificate
*) create the queue manager certificate
*) set SSLKEYR on queue manager
*) get client certificates and store them into the keystore
*) environment variables setup on MQ Client machine :
**) MQCHLTAB
**) MQCHLLIB
**) MQSSLKEYR
Yes, I do like checklists ... |
Sam Uppu |
Posted: Sat Apr 04, 2009 10:14 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
Please check this Redbook Chapter 2.
This link may also be helpful : SSL
Thanks. |
sebastia |
Posted: Sat Apr 04, 2009 10:24 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Thanks, Sam. Shall read both tonight. |
fjb_saper |
Posted: Sat Apr 04, 2009 5:15 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sebastia wrote: |
Thanks, Sam. Shall read both tonight. |
You will need to dig back into the clients manual and the programmer's reference. You will then understand the reference Bruce made as the SSL setup of the channel is defined in the CLNTCONN part of the client channel.
Have fun
_________________
MQ & Broker admin |
sebastia |
Posted: Sun Apr 05, 2009 12:44 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Thanks.
My (major) problem is not with the MQ parameters and configuration,
but with the keys and their management :
*) where to get them from,
*) where to store them (with passwords)
*) which ones to share
And I think there must be a short list of 10 steps to follow
to have a sample running,
without the need to read 2 big manuals plus a redbook.
I prefer to have the client channel running with SSL,
and then open the books,
and read the meaning of the parameters used,
and the possibilities around them.
I don't want to be the SSL master of the universe !!!
I have a rough enough time trying to be good with MQ ... jejeje |
bruce2359 |
Posted: Sun Apr 05, 2009 5:55 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
sebastia |
Posted: Sun Apr 05, 2009 6:11 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
I agree with you, Bruce.
And that's the reason I want to try a "nice" entry into the theme.
Have MQ Client connecting to MQ Server using a SVRCONN channel
with SSL in 10 easy steps ....
... don't you think it is a smooth start ?
|
Sam Uppu |
Posted: Sun Apr 05, 2009 7:26 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
I. On the client machine, in a selected directory, do this:
1. Create keydb.
2. Create the certificate request and send it to CA to sign
3. Receive the signed certificate
4. Add the CA certificate (assumed you have CA cert)
II. On the QMgr machine (Server) do this (on Unix, directory "/var/mqm/qmgrs/QMgrName/ssl"):
1. Create keydb.
2. Create the certificate request and send it to CA to sign
3. Receive the signed certificate
4. Add the CA certificate (assumed you have CA cert)
III. Alter qmgr on QMgr server for key repository
alter qmgr SSLKEYR('/var/mqm/qmgrs/QMgrName/ssl/keydb')
IV. Create the SVRCONN/CLNTCONN channels and export the CHLTAB onto the Client Machine. To implement SSL, the client should use CHLTAB to connect to QMgr and not the SVRCONN channel. You also need to install the gskit.
V. On both SVRCONN/CLNTCONN, you need to select the same Cipherspec.
Thanks |
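The client-side items from the checklists above (MQCHLLIB, MQCHLTAB, MQSSLKEYR in stem format, and the key database from step I) can be sanity-checked before the first connection attempt. This is an added example, not part of any post in this thread; the function name check_mq_ssl_client_env is hypothetical, and it assumes the password stash file (.sth) sits beside the .kdb file under the same stem.

```shell
#!/bin/sh
# Pre-flight check for the MQ client SSL environment variables named in
# this thread. Added example; check_mq_ssl_client_env is a hypothetical name.
# Prints one line per finding and returns the number of problems found.
check_mq_ssl_client_env() {
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # MQSSLKEYR is a stem: the path to the key database without ".kdb".
    if [ -z "${MQSSLKEYR:-}" ]; then
        fail "MQSSLKEYR is not set"
    else
        case "$MQSSLKEYR" in
            *.kdb) fail "MQSSLKEYR must be the stem, without the .kdb suffix" ;;
        esac
        stem=${MQSSLKEYR%.kdb}
        # Assumption: the stash file (.sth) lives next to the key database.
        for ext in kdb sth; do
            f="$stem.$ext"
            if [ ! -f "$f" ]; then
                fail "missing $f"
            elif [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
                # Key material and the stashed password should not be
                # readable by every local user.
                fail "$f is world-readable"
            fi
        done
    fi

    # MQCHLLIB (directory) plus MQCHLTAB (file name) locate the channel table
    # that carries the CLNTCONN definition and its CipherSpec.
    if [ -z "${MQCHLLIB:-}" ] || [ -z "${MQCHLTAB:-}" ]; then
        fail "MQCHLLIB and MQCHLTAB must both be set"
    elif [ ! -r "$MQCHLLIB/$MQCHLTAB" ]; then
        fail "channel table $MQCHLLIB/$MQCHLTAB is not readable"
    fi

    [ "$problems" -eq 0 ] && echo "OK: client SSL environment looks consistent"
    return "$problems"
}
```

Run it in the same shell session that will start the client application, so it sees the same exported variables.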
sebastia |
Posted: Sun Apr 05, 2009 7:30 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Thanks, Sam !
Hope you have done/used this sequence before !
With this and the manuals (to fill some [own] blanks)
I can try to set up an SSL channel.
Again, thanks. |
bruce2359 |
Posted: Sun Apr 05, 2009 7:38 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
2. Create the certificate request and send it to CA to sign |
The GSK utility allows you to create self-signed certs - a great place to start testing, OR to manage SSL on your intra-net. |
sebastia |
Posted: Sun Apr 05, 2009 7:46 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Hey, Bruce !
You have filled one of my "blanks" : how/where to get a certificate !!!
Sebastian. |
sebastia |
Posted: Sun Apr 05, 2009 7:53 am Post subject: |
|
|
 Grand Master
Joined: 07 Oct 2004 Posts: 1003
|
Bruce : I know it is a simple/dumb question, but here it is ...
When you say "GSK utility" ...
... you mean "iKeyman" ??? |
bruce2359 |
Posted: Sun Apr 05, 2009 7:54 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Yep. It comes with WMQ installation. |