garyprmr
Posted: Tue Nov 03, 2009 11:20 am Post subject: SSL in cluster
Acolyte
Joined: 03 Sep 2005 Posts: 74
I have a setup where cluster channels are non-SSL. The requirement is to convert them to SSL.
I have three queue managers: A (FR), B (FR), C (PR), D (PR).
I will set up the key repositories on all 4 queue managers and create a self-signed certificate on all the queue managers.
I will exchange the certificates between A and B, my full repositories; that's fine.
Now my C will connect to A,
and D will connect to B.
The question is: will exchanging certificates between C and A,
and correspondingly exchanging certificates between D and B, do the job?
Or do C's and D's certificates need to be added to both of the key repositories:
C's certificate added to A and B,
D's certificate added to A and B?

jeevan
Posted: Tue Nov 03, 2009 11:25 am Post subject: Re: SSL in cluster
Grand Master
Joined: 12 Nov 2005 Posts: 1432
garyprmr wrote:
    I have a setup where cluster channels are non-SSL. The requirement is to convert them to SSL.
    I have three queue managers: A (FR), B (FR), C (PR), D (PR).
    I will set up the key repositories on all 4 queue managers and create a self-signed certificate on all the queue managers.
    I will exchange the certificates between A and B, my full repositories; that's fine.
    Now my C will connect to A,
    and D will connect to B.
    The question is: will exchanging certificates between C and A,
    and correspondingly exchanging certificates between D and B, do the job?
    Or do C's and D's certificates need to be added to both of the key repositories:
    C's certificate added to A and B,
    D's certificate added to A and B?
I set up SSL in an existing cluster following an article published in developerWorks. I think it may answer your questions.
http://www.ibm.com/developerworks/websphere/library/techarticles/0608_vanstone/0608_vanstone.html

garyprmr
Posted: Tue Nov 03, 2009 11:45 am
Acolyte
Joined: 03 Sep 2005 Posts: 74
That article doesn't answer my question, as they have another qmgr 5 which is taking care of this stuff.

Vitor
Posted: Tue Nov 03, 2009 11:57 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
garyprmr wrote:
    That article doesn't answer my question, as they have another qmgr 5 which is taking care of this stuff.
If you've not got a queue manager in the cluster acting as a CA (qmgr 5 in the article) then you need to exchange certificates between all the cluster queue managers manually. This is obviously a pain and the reason the IBM-supplied example uses a CA.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeevan
Posted: Tue Nov 03, 2009 12:54 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
garyprmr wrote:
    That article doesn't answer my question, as they have another qmgr 5 which is taking care of this stuff.
Vitor already answered your question. But what is the problem with having a CA? Which, I think, you are going to use eventually if you implement this in production. Or are you doing this just for test?

garyprmr
Posted: Tue Nov 03, 2009 1:01 pm
Acolyte
Joined: 03 Sep 2005 Posts: 74
Test as of now and production later on. There was already a setup before I joined, which was corrupted and was moved to non-SSL, and I am not aware how it was implemented earlier on. I am looking around in the queue managers' repositories to see if I can find something

exerk
Posted: Tue Nov 03, 2009 1:21 pm
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
As this is test-level, download OpenSSL and use it to create a CA certificate, then generate requests in each of your queue managers and use the CA certificate to sign them.
Not only will it give you hands-on experience of adding CA certificates, generating requests, and receiving certificates, but it will also allow you to deliberately break things and then fix them.
More importantly, it will give you the necessary information to produce key management procedures etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
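The two trust arrangements discussed in this thread, modelled in Go as an added example (not code from the thread, from IBM or from the developerWorks article): the pairwise exchange of self-signed certificates garyprmr describes, against the single CA that Vitor and exerk recommend. The queue manager names A to D come from the thread, the CA name ClusterCA is assumed, and the certificates are built with Go's crypto/x509 rather than gsk7cmd or OpenSSL; the only thing checked is which peer certificates a given key repository accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, otherwise signed by the CA parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial; a CA must never reuse one
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go refuses to chain to a CA without this bit
	}
	signer, signerKey := tmpl, key // self-signed unless a CA was given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, key.Public(), signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a key repository holding repo accepts peer, the check made during a channel's SSL handshake.
func trusts(repo []*x509.Certificate, peer *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range repo {
		pool.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Plans compares the two options from the thread. Self-signed: A exchanged certificates only with B and C,
// so A's repository holds B and C but not D. CA: every request is signed by one CA and A's repository holds only the CA.
func Plans() (selfSignedATrustsC, selfSignedATrustsD, caATrustsD bool) {
	b, _ := issue("B", false, nil, nil)
	c, _ := issue("C", false, nil, nil)
	d, _ := issue("D", false, nil, nil)
	repoA := []*x509.Certificate{b, c} // constructed repository of full repository A
	ca, caKey := issue("ClusterCA", true, nil, nil) // constructed CA name
	dSigned, _ := issue("D", false, ca, caKey)
	return trusts(repoA, c), trusts(repoA, d), trusts([]*x509.Certificate{ca}, dSigned)
}
```

Plans() returns true, false, true: under the pairwise plan, A rejects D's certificate because it was never added to A's repository, while with one CA every member only needs the CA certificate.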

garyprmr
Posted: Tue Nov 03, 2009 1:50 pm
Acolyte
Joined: 03 Sep 2005 Posts: 74
Right, I am doing that on a local machine.
The question here is, as mentioned in that article, about the Security Administrator's machine.
But in real time,
should I use any machine in the network which is connected to the machine where the queue managers are hosted as myhost5, and can I create a folder structure such as mq/ssl/ there, or whatever I like to keep?

jeevan
Posted: Tue Nov 03, 2009 11:01 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
garyprmr wrote:
    Right, I am doing that on a local machine.
    The question here is, as mentioned in that article, about the Security Administrator's machine.
    But in real time,
    should I use any machine in the network which is connected to the machine where the queue managers are hosted as myhost5, and can I create a folder structure such as mq/ssl/ there, or whatever I like to keep?
You cannot do it from any server. MQ has to be installed, or at least GSKit 7 has to be installed, to use the different commands required for the CA to create the db, create the self-signed certificate, and sign the certificates for the queue managers.

Vitor
Posted: Wed Nov 04, 2009 6:57 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
garyprmr wrote:
    Should I use any machine in the network which is connected to the machine where the queue managers are hosted as myhost5, and can I create a folder structure such as mq/ssl/ there, or whatever I like to keep?
It's a machine in the network which is eligible to host a member of the cluster.
Why would you want to use a different directory structure? What would this gain you?
_________________
Honesty is the best policy.
Insanity is the best defence.

garyprmr
Posted: Wed Nov 04, 2009 8:41 am
Acolyte
Joined: 03 Sep 2005 Posts: 74
I was just checking, in line with what the article on IBM developerWorks suggested, hence the directory structure.
So you mean it can be a machine having MQSeries or GSKit installed but no real queue manager created on it?
Or we can use one of these 4 machines on which A, B, C, D are hosted for the purpose, as cited in the article for myhost5?

Vitor
Posted: Wed Nov 04, 2009 9:52 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
garyprmr wrote:
    So you mean it can be a machine having MQSeries or GSKit installed but no real queue manager created on it?
So you think installing the WMQ software and plugging a network cable in will do? You believe the rest of the cluster will locate this without any actively running components? WMQ is clever but it's not that clever. It needs to be set up like myhost5 in the article - a queue manager which is a member of the cluster.
garyprmr wrote:
    Or we can use one of these 4 machines on which A, B, C, D are hosted for the purpose, as cited in the article for myhost5?
It's the easiest solution unless you're going to have a large amount of SSL in a number of locations/clusters, when you might want a separate machine being the CA. Or not.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeevan
Posted: Wed Nov 04, 2009 11:56 am
Grand Master
Joined: 12 Nov 2005 Posts: 1432
Vitor wrote:
    garyprmr wrote:
        So you mean it can be a machine having MQSeries or GSKit installed but no real queue manager created on it?
    So you think installing the WMQ software and plugging a network cable in will do? You believe the rest of the cluster will locate this without any actively running components? WMQ is clever but it's not that clever. It needs to be set up like myhost5 in the article - a queue manager which is a member of the cluster.
    garyprmr wrote:
        Or we can use one of these 4 machines on which A, B, C, D are hosted for the purpose, as cited in the article for myhost5?
    It's the easiest solution unless you're going to have a large amount of SSL in a number of locations/clusters, when you might want a separate machine being the CA. Or not.
Vitor,
Why is a queue manager needed for the CA? Yes, he can use one of the cluster member servers, create a directory for the CA, and create a db for the CA and a self-signed certificate for the CA, and sign the certificates.
I don't think a qmgr is needed to act as CA. What it needs is a key database and a self-signed certificate for signing certificates.
But GSKit 7 has to be installed.

Vitor
Posted: Wed Nov 04, 2009 12:09 pm
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
jeevan wrote:
    I don't think a qmgr is needed to act as CA. What it needs is a key database and a self-signed certificate for signing certificates.
I thought the keystore needed to be owned by a queue manager. I could be wrong, it does happen.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeevan
Posted: Wed Nov 04, 2009 12:33 pm
Grand Master
Joined: 12 Nov 2005 Posts: 1432
Vitor wrote:
    jeevan wrote:
        I don't think a qmgr is needed to act as CA. What it needs is a key database and a self-signed certificate for signing certificates.
    I thought the keystore needed to be owned by a queue manager. I could be wrong, it does happen.
Definitely. I remember, because I have just done it.