how to implement SSL on MQ
krish_blore (Novice; Joined: 29 Nov 2010; Posts: 19)
Posted: Sun Dec 19, 2010 7:17 am    Post subject: how to implement SSL on MQ
Hi,
I need help writing a client/server program using SSL on MQ.
Below is my requirement:
1. Create the certificate.
2. Authenticate the client before communicating using SSL.
1. I have created the SSL certificate using gsk7cmd.
client.c
---------
#include <cmqc.h>    /* MQI structures and calls */
#include <cmqxc.h>   /* MQCD and MQSCO for client connections */
/* ... */
MQMD mqmd = {MQMD_DEFAULT};
MQPMO pmo = {MQPMO_DEFAULT};
MQOD mqod = {MQOD_DEFAULT};          /* declaration the posted fragment left out */
MQCNO connect_options = {MQCNO_DEFAULT};
MQCD mycd = {MQCD_CLIENT_CONN_DEFAULT};
MQSCO mysco = {MQSCO_DEFAULT};
MQCHAR qmname[MQ_Q_MGR_NAME_LENGTH];
MQHCONN Hcon;
MQLONG compcode, reason;             /* declarations the posted fragment left out */
int count;
count = atoi(argv[4]);
strncpy(qmname, argv[2], MQ_Q_MGR_NAME_LENGTH);
strncpy(mycd.ConnectionName, argv[3], MQ_CONN_NAME_LENGTH);
strncpy(mycd.ChannelName, "CHANNEL1", MQ_CHANNEL_NAME_LENGTH);
printf("Channel Name :%s\n", mycd.ChannelName);
/* For SSL */
/* Specify the key repository file name without the ".kdb" suffix */
strncpy(mysco.KeyRepository, "/var/mqm/qmgrs/ssl/key", MQ_SSL_KEY_REPOSITORY_LENGTH);
printf("Key Repository:%s\n", mysco.KeyRepository);
/* Specify CipherSpec */
strcpy(mycd.SSLCipherSpec, "TRIPLE_DES_SHA_US");
connect_options.SSLConfigPtr = &mysco;
connect_options.ClientConnPtr = &mycd;
connect_options.Version = MQCNO_VERSION_4;
printf("CipherSpec :%s\n", mycd.SSLCipherSpec);
/* Connect to the queue manager */
MQCONNX(qmname, &connect_options, &Hcon, &compcode, &reason);
if (compcode == MQCC_FAILED) {
    printf("MQCONNX ended with reason code %ld\n", reason);
    exit((int)reason);
}
strcpy(mqod.ObjectName, argv[1]);
-----------------------------------------------------
export MQSERVER='CHANNEL1/TCP/server name(9001)'
export MQCHLLIB=/var/mqm/qmgrs/QM_APPLE/@ipcc
export MQCHLTAB=AMQCLCHL.TAB
Please help me to write the server-side authentication programming...
Thanks for your time,
Krish
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Sun Dec 19, 2010 8:10 am    Post subject:
Don't set MQSERVER and MQCHLLIB/MQCHLTAB.
They don't work together, and you only need one.
Go back to the Client manual and review.
You don't do *anything* to write code to authenticate the certificate on the server side. MQ does that for you.
Go back to the Security manual and review.
shashikanth_in (Centurion; Joined: 26 Feb 2009; Posts: 123)
Posted: Sun Dec 19, 2010 8:24 am    Post subject:
Also search the IBM DeveloperWorks website. There is a lot of information there. Also T-Rob's website: https://t-rob.net/wmq/
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Sun Dec 19, 2010 12:24 pm    Post subject:
Moved to Security forum.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Dec 20, 2010 5:31 am    Post subject: Re: how to implement SSL on MQ
krish_blore wrote:
    I need help for writing client/server program using SSL on MQ.
Help with what? Reading the manuals? You clearly can't read the forum guidelines on double posting!
There's no indication in this post of what you're having trouble with. Just some code you've written. Your question indicates that you've not read or understood the Security manual describing WMQ's implementation of SSL; your client code & configuration indicate the same failure with the Client manual.
If you want answers from us, ask a question. Don't just double post "I've been given this requirement by my boss, I've no time to read how to do it, please tell me"; post that you've written this code, given it a try, got some error message or code, you've made some changes, tried it again, still got nowhere, confirmed that you've got everything set up like the manual says and are still not getting any joy.
In short, follow the guidelines.
_________________
Honesty is the best policy.
Insanity is the best defence.
krish_blore (Novice; Joined: 29 Nov 2010; Posts: 19)
Posted: Mon Dec 20, 2010 11:25 am    Post subject:
Hi,
Thanks shashi and mqjeff for your information.
I'm using MQ 7.0.0.1. Correct me if I am missing something.
I am doing one-way authentication using SSL:
1. Create the certificate on the server side.
2. Authenticate the client before communicating using SSL.
------------------------------
1. I have created the SSL certificate using gsk7cmd on the AIX machine.
keypath = /var/mqm/qmgrs/QM_APPLE/ssl/
----------------------------
I am using the AIX machine as server and the Linux machine as client.
QUEUE MANAGER: QM_APPLE
------------------------
QUEUE NAME = QUEUE1
server (AIX) setup:
-----------------------
define qlocal (queue1)
define channel (channel1) chltype (svrconn) trptype (tcp) mcauser ('mqm')
DEFINE CHANNEL(CHANNEL1) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME(10.135.128.180) QMNAME(QM_APPLE)
define listener (listener1) trptype (tcp) control (qmgr) port (9001)
start listener(listener1)
client (Linux) setup:
-----------------------
export MQSERVER=CHANNEL1/TCP/'10.135.128.180(9001)'
I have taken amqsput0.c, added the lines below and modified MQCONN to MQCONNX:
/* ssl options */
MQCNO connect_options = {MQCNO_DEFAULT};
MQCD mycd = {MQCD_CLIENT_CONN_DEFAULT};
MQSCO mysco = {MQSCO_DEFAULT};
strncpy(mycd.ConnectionName, "atlxpf01.atldev.com", MQ_CONN_NAME_LENGTH);
strncpy(mycd.ChannelName, "CHANNEL1", MQ_CHANNEL_NAME_LENGTH);
printf("Channel Name :%s\n", mycd.ChannelName);
/* For SSL */
/* Specify the key repository file name without the ".kdb" suffix */
strncpy(mysco.KeyRepository, "/var/mqm/qmgrs/QM_APPLE/ssl/key", MQ_SSL_KEY_REPOSITORY_LENGTH);
printf("Key Repository:%s\n", mysco.KeyRepository);
/* Specify CipherSpec */
strcpy(mycd.SSLCipherSpec, "TRIPLE_DES_SHA_US");
connect_options.SSLConfigPtr = &mysco;
connect_options.ClientConnPtr = &mycd;
connect_options.Version = MQCNO_VERSION_2;
printf("CipherSpec :%s\n", mycd.SSLCipherSpec);
/* Connect to the queue manager */
MQCONNX(qmname, &connect_options, &Hcon, &compcode, &reason);
$ gcc -m64 -fPIC -o amqsputc amqsput0.c /opt/mqm/lib64/libmqic.so
$ ./amqsputc QUEUE1
Channel Name :CHANNEL1
Key Repository:/var/mqm/qmgrs/QM_APPLE/ssl/key
CipherSpec :TRIPLE_DES_SHA_US
Sample AMQSPUT0 start
MQCONNX ended with reason code 2538
This code has thrown the above error. Please correct me if I am missing something on the client side in writing the MQ client program.
Thanks for your time,
krish
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Mon Dec 20, 2010 11:29 am    Post subject:
So you configured MQCONNX to use a ConnectOpts structure, and then also redundantly and uselessly set MQSERVER.
You then set MQSERVER to a completely different set of values than you populated in MQCONNX.
I'm not surprised you got MQRC_HOST_NOT_AVAILABLE.
krish_blore (Novice; Joined: 29 Nov 2010; Posts: 19)
Posted: Mon Dec 20, 2010 11:36 am    Post subject:
I apologize for double posting, Vitor. FYI, my boss's requirement is entirely different: I have to write an API and link it with the libraries for a framework. I would be more satisfied if you had given a solution rather than trying to correct my query.
I am going through the MQ client and MQ security documents and in parallel trying the coding part.
For your kind information, I believe this is the place where people share about MQ rather than trying to mock each other's posts...
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Dec 20, 2010 12:02 pm    Post subject:
Quote:
    I would be more satisfied if you would have given a solution rather than trying to correct my query..
Yes, I'm sure it would be more convenient if someone here would just offer up a solution.
But in order to do so, we need to figure out exactly what you are trying to do, what you have already tried, and what results you've received.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Dec 20, 2010 12:03 pm    Post subject:
krish_blore wrote:
    I would be more satisfied if you would have given a solution rather than trying to correct my query..
I had nothing to add which would not have redundantly repeated the advice of others.
krish_blore wrote:
    I am going through the MQclient and MQsecurity documents and parallely trying coding part..
With software of the complexity of WMQ this is the hard way of doing it, though I applaud your attempts. You'd be better advised to try simpler applications as a learning experience than going straight off into coding & SSL.
krish_blore wrote:
    For your kind information.. i believe this is the place where people share about MQ rather than trying to mock each one's post...
Follow the guidelines, which are for the benefit of all including you, and you'll do far better. If only because those guidelines often lead to you finding a solution yourself.
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Dec 20, 2010 1:56 pm    Post subject:
krish_blore: We are volunteers here. We offer our services because we see great value in the hardware, software and people this site serves.
This is not a training site. Much can be learned here by searching this site and reading the relevant documentation: IBM manuals and the InfoCenter.
We expect those who post will be active participants in the process. We expect that you have done basic problem determination, researched, tested alternate solutions, and documented your results. We expect that you will answer questions asked by those whose help you seek.
I am certain that none of us intended to offend you. I try not to read an attitude into posts, but I sensed that you were demanding that one of us solve your problem without delay.
krish_blore (Novice; Joined: 29 Nov 2010; Posts: 19)
Posted: Tue Dec 21, 2010 12:48 pm    Post subject:
I am following "Running the SSL/TLS sample program" from the IBM Info Center:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.csqzal.doc/fg17940_.htm
I have created the default queue manager on the AIX machine (server) and then set up the key repository for the queue manager (steps 1 and 2).
Step 3 says: "Create a key repository for the client. Call it clientkey.kdb."
The MQ client is running on a Linux machine.
Do I need to create clientkey on the Linux machine?
On the server machine I have done the following steps:
CA certificate:
----------------
gsk7cmd -keydb -create -db ca_key.kdb -pw krishna -type cms
gsk7cmd -cert -create -db ca_key.kdb -pw krishna -label "CA_Cert" -dn "CN=WMQ Blog Certificate Authority,O=IBM,OU=Hursleyblog,L=Hursley,C=UK"
CERTIFICATE FOR QM_APPLE
-----------------------------------
1. gsk7cmd -certreq -create -db ca_key.kdb -pw krishna -label ibmwebspheremqQM_APPLE -dn "CN=QM_APPLE,O=IBM,OU=Hursley blog,L=Hursley,C=UK" -file QM_APPLEreq.arm
2. gsk7cmd -cert -sign -db ca_key.kdb -pw krishna -label "CA_Cert" -file QM_APPLEreq.arm -target QM_APPLEsigned.arm -expire 364
3. gsk7cmd -cert -receive -db ca_key.kdb -pw krishna -file QM_APPLEsigned.arm
4. gsk7cmd -cert -export -db ca_key.kdb -pw krishna -label ibmwebspheremqQM_APPLE -target QM_APPLEcert.p12 -target_pw krishna -target_type pkcs12
5. gsk7cmd -keydb -create -db QM_APPLE.kdb -pw krishna -type cms -stash
6. gsk7cmd -cert -import -file QM_APPLEcert.p12 -pw krishna -type pkcs12 -target QM_APPLE.kdb -target_pw krishna
Thanks in advance,
krish
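Added example, not code from the thread, from IBM or from any poster: a POSIX shell script that collects the server-side MQSC and the gsk7cmd steps the one-way setup above still needs, alongside the MQCONNX client posted earlier in the thread. It takes the queue manager name, address, listener port, CipherSpec, CA label and CA key database from the thread; the client key directory and password, the MCAUSER id "mqclient" and the file names CA_Cert.arm and clientkey.kdb are assumptions. cert_label applies the lowercase label convention Hubert points out, key_repository_ok rejects a repository path that still carries its .kdb suffix (MQSCO.KeyRepository and SSLKEYR take the stem only), the generated CONNAME keeps the listener port, and the client environment drops MQSERVER, which has no field for a CipherSpec.

```shell
#!/bin/sh
# Added example (not code from the thread or from IBM): the server-side MQSC
# and the remaining gsk7cmd steps for one-way SSL between QM_APPLE (AIX) and a
# Linux client, plus two checks for the mistakes the thread turns on.
# Thread values: QM_APPLE, 10.135.128.180, port 9001, TRIPLE_DES_SHA_US, the
# CA label "CA_Cert" and the CA key database ca_key.kdb (password "krishna").
# Assumed: CLIENT_KEYDIR, CLIENT_KEYPW, MCAUSER id "mqclient", CA_Cert.arm.

QMGR="QM_APPLE"
CONNAME="10.135.128.180(9001)"   # the listener port belongs in CONNAME; without it MQ tries 1414
CIPHER="TRIPLE_DES_SHA_US"       # must equal the SSLCipherSpec set by the client program
QM_KEYDIR="/var/mqm/qmgrs/${QMGR}/ssl"
CLIENT_KEYDIR="/var/mqm/ssl"     # assumed directory on the Linux client
CLIENT_KEYPW="changeit"          # placeholder, not a real password

# Certificate label convention on distributed platforms: "ibmwebspheremq"
# followed by the queue manager name (or the client's user id), all lowercase.
# The thread's mixed-case "ibmwebspheremqQM_APPLE" is what Hubert objects to.
cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# MQSCO.KeyRepository and SSLKEYR take the path stem only: GSKit appends
# .kdb/.sth itself. Returns 0 for a usable stem, 1 if a suffix is still there.
key_repository_ok() {
    case "$1" in
        *.kdb|*.sth|*.rdb|*.crl) return 1 ;;
        *)                       return 0 ;;
    esac
}

# Queue manager side. SSLCAUTH(OPTIONAL) is what makes the setup one-way: the
# client verifies the queue manager's certificate but need not present its own.
# MCAUSER is a dedicated low-privilege id rather than the thread's 'mqm', which
# would give every connection on the channel full administrative rights.
mqsc_server_side() {
    printf '%s\n' \
        "ALTER QMGR SSLKEYR('${QM_KEYDIR}/${QMGR}')" \
        "DEFINE CHANNEL(CHANNEL1) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqclient') SSLCIPH(${CIPHER}) SSLCAUTH(OPTIONAL) REPLACE" \
        "REFRESH SECURITY TYPE(SSL)"
}

# Steps the thread's gsk7cmd sequence still lacks, run on the AIX server: the
# queue manager's own key database must also trust the CA that signed its
# certificate, and the CA certificate must be exported for the client.
gsk_server_side() {
    printf '%s\n' \
        "gsk7cmd -cert -extract -db ca_key.kdb -pw krishna -label CA_Cert -target CA_Cert.arm -format ascii" \
        "gsk7cmd -cert -add -db ${QM_KEYDIR}/${QMGR}.kdb -pw krishna -label CA_Cert -file CA_Cert.arm -format ascii" \
        "gsk7cmd -cert -list -db ${QM_KEYDIR}/${QMGR}.kdb -pw krishna"
}

# Client side, on the Linux machine: the client key repository lives where the
# client runs. For one-way SSL it only needs the CA certificate, no personal
# certificate, so no certificate request is generated here.
gsk_client_side() {
    printf '%s\n' \
        "gsk7cmd -keydb -create -db ${CLIENT_KEYDIR}/clientkey.kdb -pw ${CLIENT_KEYPW} -type cms -stash" \
        "gsk7cmd -cert -add -db ${CLIENT_KEYDIR}/clientkey.kdb -pw ${CLIENT_KEYPW} -label CA_Cert -file CA_Cert.arm -format ascii" \
        "gsk7cmd -cert -list -db ${CLIENT_KEYDIR}/clientkey.kdb -pw ${CLIENT_KEYPW}"
}

# Client environment. MQSERVER has no field for a CipherSpec, and it is ignored
# anyway once the program supplies an MQCD through MQCNO.ClientConnPtr, so it
# is unset; MQSSLKEYR is the environment equivalent of MQSCO.KeyRepository.
client_env() {
    printf '%s\n' \
        "unset MQSERVER" \
        "export MQSSLKEYR=${CLIENT_KEYDIR}/clientkey" \
        "# ConnectionName to use in the program: ${CONNAME}"
}

# Run with "show" to print every section; the functions can also be sourced.
if [ "${1:-}" = "show" ]; then
    mqsc_server_side; gsk_server_side; gsk_client_side; client_env
    key_repository_ok "${CLIENT_KEYDIR}/clientkey" && echo "client key repository stem OK"
fi
```

The script prints commands rather than running them, so each section can be pasted into runmqsc or a shell on the machine it belongs to. Whichever way the client is configured, the posted program only hands its MQSCO to the queue manager when connect_options.Version is MQCNO_VERSION_4 or later; at MQCNO_VERSION_2 the SSLConfigPtr field is not read and the channel is started without SSL.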
HubertKleinmanns (Shaman; Joined: 24 Feb 2004; Posts: 732; Location: Germany)
Posted: Tue Dec 21, 2010 10:55 pm    Post subject:
I hope you are not working at the IBM Hursley lab; otherwise you should be able to answer your question yourself. But if you are not working at the Hursley lab, you should use your own company and your own location for the DN of the certificate.
I strongly suggest reading the security parts of the information center. There are several tasks which describe setting up SSL security. And at least you will find there that the label of a certificate always (on distributed platforms) has to be written with lowercase characters only.
_________________
Regards
Hubert
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed Dec 22, 2010 8:08 am    Post subject:
A useful resource: WebSphere MQ V6, WebSphere Message Broker V6, and SSL
http://www.redbooks.ibm.com/abstracts/redp4140.html
HubertKleinmanns (Shaman; Joined: 24 Feb 2004; Posts: 732; Location: Germany)
Posted: Wed Dec 22, 2010 10:16 pm    Post subject:
Nice idea, but I fear that krish_blore does not read documents.
Page 1 of 2