  MQSeries.net
SSL - certificate from a Certification Authority
enthumq
Posted: Thu Mar 17, 2011 6:05 am    Post subject: SSL - certificate from a Certification Authority

Newbie

Joined: 16 Mar 2011
Posts: 2

Hi All,

New to MQ and getting myself acquainted with SSL. I'm trying to implement SSL between two queue managers (QM1 and QM2).

I have got one certificate for each queue manager from a Certification Authority (www.globalsign.com). Created separate key repositories for each queue manager and when I try to import the personal certificate for queue manager 1, I'm getting the below error.

Error:

An attempt to import the certificate failed.
Validation failed for certificate labelled-4835703278459746211194282cn=globalsign primary class 1 ca, ou=primary class 1 ca, o=globalsign nv-sa, c=be.

Please do let me know where exactly I'm going wrong.
exerk
Posted: Thu Mar 17, 2011 6:18 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

The presumption is that you created key stores (one for each queue manager) using the IBM GSKit, cleared out any non-relevant CA certificates and added the GlobalSign CA certificate within each key store, then created certificate requests within each key store and sent the requests for signing.

I suspect your issue "...when I try to import the personal certificate for queue manager 1, I'm getting the below error..." is due to the fact that you are confusing the CA certificate with the personal one "...Validation failed for certificate labelled-4835703278459746211194282cn=globalsign primary class 1 ca, ou=primary class 1 ca, o=globalsign nv-sa, c=be...". I very much doubt that your queue manager certificate is labelled the same as the CA one, or that the DN values are the same either.

A moment spent actually reading the error...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
enthumq
Posted: Thu Mar 17, 2011 7:35 am

Newbie

Joined: 16 Mar 2011
Posts: 2

Hi exerk,

As presumed, I have created the key stores using GSKit (strmqikm utility) and have exported the certificates from the browser (Tools - Internet Options - Content - Certificates - Personal).

The CA certificate is labelled as QM_CERT (.pfx file) and the queue manager certificate is labelled as ibmwebspheremqqmtest1 (QMTEST1 - queue manager).

Also the distinguished names of the CA and the queue manager certificate are different.

Took some time as well in analysing/reading the error, but couldn't understand it properly.
exerk
Posted: Thu Mar 17, 2011 10:36 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

So, have you solved your issue or not?
fjb_saper
Posted: Thu Mar 17, 2011 8:18 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Looks to me that you cannot import the signed cert as long as you do not have the cert of the cert authority in your key database. You may have to add to the trusted certs any intermediary CA certs in the chain.

Have fun
_________________
MQ & Broker admin
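
The dependency described in the reply above, as an added example that is not part of the thread and is not IBM GSKit code: it models a key repository as a set of trusted signer DNs and works out the order in which certificates can be added, or which issuer is missing when validation fails. The DNs, CA labels and the `Cert`/`plan_import` names are constructed for illustration, and DN comparison is simplified.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    label: str     # label inside the key repository
    subject: str   # subject DN
    issuer: str    # issuer DN
    is_ca: bool    # True for signer (CA) certificates

def norm(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, spaces around RDNs ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def plan_import(certs, trusted_dns=()):
    """Return (order, blocked): labels in an order in which each certificate
    validates, and, per blocked label, the issuer DN missing from its chain."""
    trusted = {norm(d) for d in trusted_dns}
    by_subject = {norm(c.subject): c for c in certs}
    pending, order, progressed = list(certs), [], True
    while pending and progressed:
        progressed = False
        for c in list(pending):
            self_signed_ca = c.is_ca and norm(c.subject) == norm(c.issuer)
            if self_signed_ca or norm(c.issuer) in trusted:
                order.append(c.label)
                pending.remove(c)
                if c.is_ca:
                    trusted.add(norm(c.subject))
                progressed = True
    blocked = {}
    for c in pending:
        missing, seen = c.issuer, set()
        # Walk past issuers that were supplied but are themselves blocked.
        while norm(missing) in by_subject and norm(missing) not in seen:
            seen.add(norm(missing))
            missing = by_subject[norm(missing)].issuer
        blocked[c.label] = missing
    return order, blocked

# Constructed sample chain (not the poster's real certificates).
ROOT_CA = Cert("example-root-ca", "CN=Example Root CA, O=Example, C=BE",
               "CN=Example Root CA, O=Example, C=BE", True)
ISSUING_CA = Cert("example-issuing-ca", "CN=Example Issuing CA, O=Example, C=BE",
                  ROOT_CA.subject, True)
QM1_CERT = Cert("ibmwebspheremqqm1", "CN=QM1, O=Example, C=BE",
                ISSUING_CA.subject, False)

if __name__ == "__main__":
    print(plan_import([QM1_CERT, ISSUING_CA]))           # root missing: nothing imports
    print(plan_import([QM1_CERT, ISSUING_CA, ROOT_CA]))  # root, issuing CA, then QM1
```
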
zpat
Posted: Thu Mar 17, 2011 10:01 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Using ikeyman on Windows and then FTPing the keystore to the QM server afterwards makes working with keystores much easier.

In any event, create the keystore using the latest version of MQ as this may give you more CA signer certificates as standard.