apk007 |
Posted: Sun Apr 18, 2010 9:35 am Post subject: SSL through .net to MQ |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
I got key files from our client, which I need to use to connect to MQ over SSL. The files we have got from the client are:
xxx.crl
xxx.kdb
xxx.rdb
xxx.sth
xxx.tab
They said the client channel table is in there. I am trying to connect using the code below. They are saying I don't need to specify the Queue Manager; it will be defined in the Client Channel Table. One thing, though: they created the key using "user1".
Code:
using System.Collections;
using IBM.WMQ;

// connectionType is set elsewhere (not shown in the post)
Hashtable connectionProperties = new Hashtable();
// Add the connection type
connectionProperties.Add(MQC.TRANSPORT_PROPERTY, connectionType);
MQQueueManager qMgr;
MQEnvironment.SSLCipherSpec = "TRIPLE_DES_SHA_US";
// Key repository location, given without a file extension
MQEnvironment.SSLKeyRepository = @"D:\Cert\BB\key";
MQEnvironment.UserId = "user1";
MQEnvironment.properties.Add(MQC.TRANSPORT_PROPERTY, connectionType);
// No queue manager name is passed to the constructor
qMgr = new MQQueueManager();
Error I am getting:
Message = "MQRC_Q_MGR_NAME_ERROR"
I also tried telnetting to the server, which I am able to do.
Can someone help me with what I am doing wrong here and why I am getting this error?
exerk |
Posted: Sun Apr 18, 2010 11:16 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
You do not need to create a hashtable, you do not need to set any connection properties. As I found the manual to be a little unclear, below is what you do need to do:
1. Set the NMQ_MQ_LIB variable to mqic.dll
2. Edit the mqclient.ini file to include the CHANNELS and SSL blocks, the stanzas of which are specified in the manual, and point them to the locations of your CCDT and SSL key store files.
Depending on how your CCDT is configured, you will only need to pass the queue manager name, or blank, or asterisk, (as I suspect your 'client' has the CCDT with a blank queue manager name in the channel) in the call, e.g. qMgr = New MQQueueManager(qmgrName), and don't hard code the name is my advice, even if it is blank or *.
Things of note:
1. As you have obtained your CCDT from your 'client', you must use the queue manager name they have used in the table - find out from them whether a blank or * can be used.
2. As you have obtained your key store files from your 'client', you must run the application under the userid they have used in the label name of the personal certificate.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
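An added example, not part of the original posts: a Python pre-flight check for the mqclient.ini setup described in the reply above, which confirms that the CHANNELS and SSL stanzas point at files that exist and reports the certificate label expected for a given userid. The stanza attribute names (ChannelDefinitionDirectory, ChannelDefinitionFile, SSLKeyRepository), the ibmwebspheremq<userid> label convention and the sample file names are assumptions that do not appear in the thread; check them against the manual for your MQ version.

```python
import os
import tempfile

def parse_mqclient_ini(text):
    """Parse 'Stanza:' headers and their 'Key=Value' lines into a nested dict."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].upper(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def expected_label(userid):
    """Assumed client label convention: fixed prefix + lower-case logon user ID."""
    return "ibmwebspheremq" + userid.lower()

def preflight(ini_text, userid):
    """Return (problems, label) for the CCDT and key repository the ini names."""
    cfg, problems = parse_mqclient_ini(ini_text), []
    chan, ssl = cfg.get("CHANNELS", {}), cfg.get("SSL", {})
    ccdt = (chan.get("ChannelDefinitionDirectory"), chan.get("ChannelDefinitionFile"))
    if not all(ccdt):
        problems.append("CHANNELS stanza does not name the CCDT")
    elif not os.path.isfile(os.path.join(*ccdt)):
        problems.append("CCDT not found: " + ccdt[1])
    stem = ssl.get("SSLKeyRepository", "")
    if stem.lower().endswith(".kdb"):
        problems.append("SSLKeyRepository must be the stem, without .kdb")
        stem = stem[:-4]
    if not stem:
        problems.append("SSL stanza does not name the key repository")
    for ext in (".kdb", ".sth") if stem else ():  # key database, stashed password
        if not os.path.isfile(stem + ext):
            problems.append("missing " + os.path.basename(stem) + ext)
    return problems, expected_label(userid)

def demo():
    """Constructed sample: empty stand-in files in a temp dir, no stash file."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("xxx.kdb", "xxx.tab"):
            open(os.path.join(d, name), "w").close()
        ini = ("CHANNELS:\n ChannelDefinitionDirectory=%s\n ChannelDefinitionFile=xxx.tab\n"
               "SSL:\n SSLKeyRepository=%s\n" % (d, os.path.join(d, "xxx")))
        return preflight(ini, "User1")
```

Calling demo() returns the list of problems found and the label to look for in the key store; an empty list means both stanzas resolve to files on disk.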
fjb_saper |
Posted: Mon Apr 19, 2010 9:46 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
exerk wrote: |
2. As you have obtained your key store files from your 'client', you must run the application under the userid they have used in the label name of the personal certificate. |
And here I thought you would just need to modify the Alias of the certificate to use the right name....according to convention...
Have fun
_________________
MQ & Broker admin
exerk |
Posted: Mon Apr 19, 2010 10:24 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
exerk wrote: |
2. As you have obtained your key store files from your 'client', you must run the application under the userid they have used in the label name of the personal certificate. |
And here I thought you would just need to modify the Alias of the certificate to use the right name....according to convention...
Have fun  |
Which is why you're a Grand Poobah, and I am not
I'm at the limit of my knowledge here so I ask, most humbly, please how you do that with a certificate in a CMS key store?
fjb_saper |
Posted: Mon Apr 19, 2010 1:49 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
exerk wrote: |
fjb_saper wrote: |
exerk wrote: |
2. As you have obtained your key store files from your 'client', you must run the application under the userid they have used in the label name of the personal certificate. |
And here I thought you would just need to modify the Alias of the certificate to use the right name....according to convention...
Have fun  |
Which is why you're a Grand Poobah, and I am not
I'm at the limit of my knowledge here so I ask, most humbly, please how you do that with a certificate in a CMS key store? |
Use graphical or command tool. You might have to (worst case scenario) request a new cert.... I know that I can set the alias in the x509 cert with openssl. So there should be a way to set this correctly...check moving from one alias to the other... You may also have to import the cert with a different alias ( duplication).
Make sure you keep the original cert safe.
Have fun
exerk |
Posted: Mon Apr 19, 2010 9:19 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
We use the GSKit here, except for Tandem and z/OS of course, so I'll give it a go; thank you fj, yet another string added to my bow
exerk |
Posted: Wed Apr 21, 2010 3:18 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Well, I've had a look and the only attribute that can be altered (within CMS-format key stores), that I could find in relation to a certificate, is the Certificate Trust field. The note within documentation (WMQ V7.0 Info Centre) states that "...Note: Currently, the only field that can be modified is the Certificate Trust field...", so from this it looks like I can't do it with the GSKit.
mqjeff |
Posted: Wed Apr 21, 2010 3:39 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You can export the cert from one keystore into another. This will allow you to change the label.
exerk |
Posted: Wed Apr 21, 2010 4:42 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
mqjeff wrote: |
you can export the cert from one keystore into another. This will allow you to change the label. |
Jeff,
Thank you, it's always the obvious things that elude me! For the benefit of others that may find the need, I had to do the export/import in pkcs12 format to get the option to change the label.