| Author |
Message
|
| paustin_ours |
 Posted: Thu Jun 30, 2011 2:02 pm Post subject: pkcs12 |
 |
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
| trying to import signed cert to broker keystore. the commands in the infocenter looks like it only supports pkcs12 format. Can anyone confirm this please? |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Jun 30, 2011 2:41 pm Post subject: Re: pkcs12 |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| paustin_ours wrote: |
| trying to import signed cert to broker keystore. the commands in the infocenter looks like it only supports pkcs12 format. Can anyone confirm this please? |
What commands are you looking at?
gskit, both for command line and gui will support pcks12, cms, jks for the keystore and X509 as cert to import...
True you may also use the native format of the store...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Jul 01, 2011 4:29 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
WMB7 has no such limitation.
| Code: |
# Associate keystore and truststore to broker instance.
mqsichangeproperties MB7_AEF -o BrokerRegistry -n brokerKeystoreFile -v "C:\Program Files\IBM\MQSI\7.0\jre16\lib\security\cacerts"
mqsichangeproperties MB7_AEF -o BrokerRegistry -n brokerTruststoreFile -v "C:\Program Files\IBM\MQSI\7.0\jre16\lib\security\trustcerts"
# import SSL certificate into truststore.
keytool -import -alias someserver -file somecertificate.cer -keystore "C:\Program Files\IBM\MQSI\7.0\jre16\lib\security\trustcerts" -keypass changeit
|
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jul 01, 2011 4:59 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| WMB7 has no such limitation. |
Thank you for sharing. Regretably the OP hasn't indicated which version he's using.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| paustin_ours |
| Posted: Fri Jul 01, 2011 6:04 am Post subject: |
|
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
I am running 7.0.0.2 broker on aix.
if you look at the below link
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap34020_.htm
***********************
Importing a certificate for production use
Import a personal certificate from a certificate authority for production use.
Issue the following command:
gsk7cmd -cert -import
-db pkcs12_file_name
[-pw pkcs12_password]
-label label
-type pkcs12
-target keystore_name
[-target_pw keystore_password]
For example:
gsk7cmd -cert -import
-db SOAPListenerCertificate.p12
-label soaplistener
-type pkcs12
-target myBrokerKeystore.jks
-target_pw myBrokerKpass
A password is required to access this key database.
Please enter a password:
*******
the above command clearly states that for an import the type needs to be
pkcs12 or is that not true? |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Jul 01, 2011 6:11 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
keytool is the key management tool that comes with the JVM. You can use any key management tool you want. If your chosen tool does not support the features or functions you want, don't use it. keytool works well, and supports many features and functions without the limitations you describe.
There are two stores in use by broker. A keystore which identifies who you are (thanks mqjeff). And a truststore that contains certificates from servers you trust.
It is not true that the only format supported by WMB is pkcs12. keytool supports many formats.
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| paustin_ours |
| Posted: Fri Jul 01, 2011 6:17 am Post subject: |
|
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
| Is it safe to say that gskkit tool only supports pkcs12? |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Jul 01, 2011 6:27 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jul 01, 2011 8:23 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| paustin_ours wrote: |
| Is it safe to say that gskkit tool only supports pkcs12? |
No. It is safe to say that pks12 is one among the multiple formats supported by the tool.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
