Adding a PKCS12 SSL cert and key using gsk7capicmd
sgb
Posted: Tue Mar 30, 2010 4:24 pm    Post subject: Adding a PKCS12 SSL cert and key using gsk7capicmd

Newbie

Joined: 10 Mar 2010
Posts: 7

It appears that the only way to give MQ a cert and key to use for SSL connections is to add them in the combined PKCS12 format (please correct me if I'm wrong about this!), so I've created a PKCS12 file containing the appropriate data using openssl:

openssl pkcs12 -inkey queue.key -in queue.crt -export -out queue.p12

This seems to work, and if I ask openssl to read the file then it does (when given appropriate passwords - although for importing to MQ I'm leaving the passwords blank/empty).

However, when I try to import that .p12 file using:

gsk7capicmd_64 -cert -add -db key.kdb -label ibmwebspheremqQUEUE -file /path/to/queue.p12

...I just get the not-particularly-helpful response:

Error: 2

Please refer to the GSKCapiCmd User's Guide
for the meaning of the error.

Error id: GSKKM_ERR_ASN
Details: ibmwebspheremqQUEUE

Is there something special I need to do to import a PKCS12 cert/key into the key database? Is there something obvious that I'm missing?

Any help would be appreciated,

Steve.
fjb_saper
Posted: Tue Mar 30, 2010 8:32 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Moved to the security forum.

@sgb I see you used openssl. It does not matter what you use as CA authority, all you really need is to be able to pass the CA Cert and the signed cert. These can (and typically will) be text files in base64 encoding.

For MQ you NEED to use the CMS type for the keystore and certstore.
The formats will be supported by gsk7 (gsk7capicmd).
Potentially you can use a pkcs12 store and convert it to a CMS store.

There is a very good reference on one of the earlier posts about how to run your own CA authority with the gsk7 kit (pdf). You might want to explore it...
I used it and it worked fine for me.

Using openssl should work fine too. I used it mostly with the x509 command.
Like I said, all that's needed for you is to be able to create your CA key (rsa), request the CAcert (req -new ...) (x509 -selfsign -req) and then sign the certs as you get the requests.

Note that you can edit the certificates to remove trusted from trusted certificate in the header and footer line, and remove anything that does not look like base64 encoded stuff (x500 principal above the certificate line...)

Hope this helps some, have fun
_________________
MQ & Broker admin
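
Added example, not part of any post in this thread: a Python check that reports which container a file holds (a PEM block, a DER structure shaped like a certificate, or a PKCS#12 store) from its leading ASN.1 fields, so a file such as queue.p12 can be told apart from a base64 certificate before it is handed to a key tool. The function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds input")
    return tag, pos, pos + length

def classify(data):
    """Report the container held in data, judged from its leading fields only."""
    m = PEM_RE.search(data)
    if m:                                 # text before the BEGIN line is ignored
        return "pem:" + m.group(1).decode()
    try:
        tag, start, end = read_tlv(data)
        if tag != 0x30:                   # both binary formats start with a SEQUENCE
            return "unknown"
        inner_tag, istart, iend = read_tlv(data[:end], start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x02 and data[istart:iend] == b"\x03":
        return "pkcs12"                   # PFX ::= SEQUENCE { version INTEGER (3), ...
    if inner_tag == 0x30:
        return "der-cert-like"            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ...
    return "unknown"

# Constructed stubs: only the leading ASN.1 fields, not real key material.
SAMPLE_P12 = bytes.fromhex("300702010330020500")
SAMPLE_DER_CERT = bytes.fromhex("3009300302010230020500")
SAMPLE_PEM = (b"subject=/CN=constructed\n-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER_CERT) + b"-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    for name in ("SAMPLE_P12", "SAMPLE_DER_CERT", "SAMPLE_PEM"):
        print(name, "->", classify(globals()[name]))
```

The "der-cert-like" result is a heuristic: other DER structures also begin with a nested SEQUENCE, so it narrows the format rather than proving the file is a certificate.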
exerk
Posted: Wed Mar 31, 2010 1:43 am    Post subject: Re: Adding a PKCS12 SSL cert and key using gsk7capicmd

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

sgb wrote:
...Details: ibmwebspheremqQUEUE...


I'm not sure whether that is the label name you have assigned, or whether that's how the error message displayed, but watch this as on distributed the construction for label names is ibmwebspheremqqueuemanagername - it's all folded to lower case.

To add to fjb's advice, you may also want to look at SupportPacs MC6C: WebSphere MQ - How to Configure SSL for V5.3, MH03: WebSphere MQ SSL Configuration Checker for V6.0, and MO04: WebSphere MQ SSL Wizard for V7.0. The last one is particularly useful irrespective of version as it essentially provides a basic tutorial.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.