ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Tue Jan 22, 2013 7:51 am    Post subject: SSL: Copy MQ CA Certificate from one server to another server
I need to copy a CA certificate from one UNIX server running MQ V6.0.2.3 to a new UNIX server running MQ V7.1.0.2.
I didn't find any documentation that covers what I wanted to do.
I tried the following and it didn't work. Any comments, suggestions or examples from any documentation?
created qmgrs qm1 & qm2
created receiver in qm1 & sender in qm2
started channels to ensure they go into run status without any SSL enabled, which they did
created the SSL key database in both qmgrs
set each channel in both qmgrs with RC4_MD5_US, as is set in the current environment
copied the complete directory /var/mqm/qmgrs/qm1/ssl from the current MQ V6 environment to the new test server (MQ V7) as /var/mqm/qmgrs/qm1/sslold
then, changing path to /var/mqm/qmgrs/qm1/sslold on the new server, we are able to enter display commands against the old key.kdb:
gsk7cmd -cert -list all -db key.kdb -pw pwdmq
This displays all certs including primary_intermediate, secondary_intermediate & ibmwebspheremqqm1.
To export from the old to the new key.kdb:
gsk7cmd -cert -export -db key.kdb -pw pwdmq -label ibmwebspheremqqm1 -target /var/mqm/qmgrs/qm1/ssl/key.kdb -target_pw pwdmq
then, changing path to /var/mqm/qmgrs/qm1/ssl on the new server, we are able to enter display commands against the new key.kdb:
gsk7cmd -cert -list all -db key.kdb -pw pwdmq
This now also displays all certs including primary_intermediate, secondary_intermediate & ibmwebspheremqqm1.
we restarted both qmgrs
on starting the channels, the channel does not go into run status; the error logs in qm2 simply show 'channel is starting', and no errors are noted in the qm1 qmgr.
Many Thanks

Toronto_MQ (Master, joined 10 Jul 2002, 263 posts, location: read my name)
Posted: Tue Jan 22, 2013 8:02 am
Are the queue manager names the same? Remember the rules around the label name.
If you're not seeing any errors in the error logs, it likely hasn't gotten to the point of negotiation.
Also, I assume you have tried starting the channels initially without SSL to ensure you have basic connectivity from the new server.

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Tue Jan 22, 2013 8:10 am
Hi,
Yes, the qmgr names are the same: qm1 in the old environment and qm1 in the new. The label name was ibmwebspheremqqm1, and yes, I 'started channels to ensure they go into run status without any SSL enabled, which they did'.
Thanks.

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Tue Jan 22, 2013 12:28 pm
Have you tried exporting the 'old' key.kdb in PKCS12 format, then importing it into the 'new' key.kdb?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Tue Jan 22, 2013 3:17 pm
Hi,
The old key.kdb and the new key.kdb were both created as type CMS, and I believe the export command I listed defaults to the type parameter CMS for both the origin and the destination database. So I think we need to stick with type CMS, or are you suggesting something different?
Thanks.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Tue Jan 22, 2013 9:19 pm
ALCSALCS wrote:
    Hi,
    The old key.kdb and the new key.kdb were both created as type CMS, and I believe the export command I listed defaults to the type parameter CMS for both the origin and the destination database. So I think we need to stick with type CMS, or are you suggesting something different?
    Thanks.
He is suggesting that you use a transit format of PKCS12:
origin -> export to PKCS12 -> move to target -> export PKCS12 to CMS.
This would allow you to bypass any problems due to a subtle change in gskit level and CMS.
Have fun
_________________
MQ & Broker admin

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Wed Jan 23, 2013 2:33 am
Hi,
Just tried what was suggested, i.e.
origin -> export to PKCS12 -> move to target -> export PKCS12 to CMS
When we did the first step, exported to PKCS12 and displayed all certs, all displayed correctly: primary_intermediate, secondary_intermediate & ibmwebspheremqqm1.
But when we did the second step, export to CMS, we received the following error:
'An attempt to store the certificate has failed.
All the signer certificates must exist in the key database.'
Any further suggestions will be much appreciated.
Many thanks.

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Wed Jan 23, 2013 3:20 am
Are you sure you have the full chain? Check the 'Issued by' value in each of the certificates.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Wed Jan 23, 2013 4:10 am
ALCSALCS wrote:
    Hi,
    Just tried what was suggested, i.e.
    origin -> export to PKCS12 -> move to target -> export PKCS12 to CMS
    When we did the first step, exported to PKCS12 and displayed all certs, all displayed correctly: primary_intermediate, secondary_intermediate & ibmwebspheremqqm1.
    But when we did the second step, export to CMS, we received the following error:
    'An attempt to store the certificate has failed.
    All the signer certificates must exist in the key database.'
    Any further suggestions will be much appreciated.
    Many thanks.
Apparently missing the root CA? Try and add it to the PKCS12 and reattempt the last step...
_________________
MQ & Broker admin

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Wed Jan 23, 2013 4:54 am
Hi,
The 'Issued by' value is the same before and after the exports.
How can we check that the full chain has been exported?
On Windows we found the command amqccert to check the chain, but is there something similar for the UNIX platform, which is what we are using?
How can we check that the root has been exported?

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Wed Jan 23, 2013 5:48 am
ALCSALCS wrote:
    Hi,
    The 'Issued by' value is the same before and after the exports.
    How can we check that the full chain has been exported?
    On Windows we found the command amqccert to check the chain, but is there something similar for the UNIX platform, which is what we are using?
    How can we check that the root has been exported?
You posted earlier "...When we did the first step, exported to PKCS12 and displayed all certs, all displayed correctly, primary_intermediate, secondary_intermediate & ibmwebspheremqqm1...", hence fjb_saper's comment that you appear to be missing a certificate. Your 'root' CA certificate's 'Issued by' and 'Issued to' values should be the same, your intermediate CA certificate's 'Issued by' value will be that of the 'root' CA, and the queue manager personal certificate's 'Issued by' value will be that of the intermediate CA.
Not sure if there's a chain checker in UNIX, but one (tedious) way of doing it would be to extract all the certificates, copy them to a Windows box and display each certificate side by side using the Windows crypto shell extensions.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Wed Jan 23, 2013 7:09 am
Hi,
We have just double-checked, on both the from and to servers, the CMS and pk12 databases, and the 'Issued by' & 'Issued to' values all match up to the root. So the certs are present, including the root CA, in the pk12 database and are correctly chained.
Any further suggestions will be much appreciated.
Many thanks.

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Wed Jan 23, 2013 7:14 am
Last gasp suggestion - export each certificate from the original key file, then ADD the CA certificates starting with the Root CA first, then IMPORT the queue manager personal certificate. If that doesn't work, try using the original, i.e. old, files with the new queue manager.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
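A small added check covering the two points exerk makes in this thread (the 'Issued by' chain walk in the earlier reply and the root-first ADD order here); it is not code from the thread or from IBM. It takes the 'Issued to' / 'Issued by' values read from each certificate in a key database (the labels and DNs below are constructed placeholders) and reports the first signer that is not in the database, which is the condition GSKit describes as 'All the signer certificates must exist in the key database', or, when the chain is complete, the order in which the CA certificates must be added before the personal certificate is imported.

```python
# Added example, not from the thread: chain completeness check and ADD order
# computed from per-certificate 'Issued to' / 'Issued by' values.
from collections import namedtuple

Cert = namedtuple("Cert", "label issued_to issued_by")

# Constructed sample records; labels and DNs are placeholders, not real values.
SAMPLE_CERTS = [
    Cert("ibmwebspheremqqm1", "CN=qm1,O=Example", "CN=Secondary Intermediate,O=Example"),
    Cert("secondary_intermediate", "CN=Secondary Intermediate,O=Example", "CN=Primary Intermediate,O=Example"),
    Cert("primary_intermediate", "CN=Primary Intermediate,O=Example", "CN=Example Root CA,O=Example"),
    Cert("example_root", "CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example"),
]


def build_chain(certs, personal_label):
    """Walk from the personal certificate up to the self-issued root.

    Returns (chain, missing_issuer): chain lists the certificates found, from the
    personal certificate upwards; missing_issuer is the 'Issued by' value for which
    no certificate exists in the database (or that loops back on itself), or None
    when the walk reached a root whose 'Issued to' equals its 'Issued by'.
    """
    by_subject = {c.issued_to: c for c in certs}
    by_label = {c.label: c for c in certs}
    chain = [by_label[personal_label]]
    seen = {chain[0].issued_to}
    while chain[-1].issued_to != chain[-1].issued_by:   # stop at self-issued root
        issuer = chain[-1].issued_by
        if issuer not in by_subject or issuer in seen:
            return chain, issuer
        seen.add(issuer)
        chain.append(by_subject[issuer])
    return chain, None


def add_order(certs, personal_label):
    """Labels of the CA certificates in the order to ADD them: root first, then
    each intermediate down to the one that issued the personal certificate."""
    chain, missing = build_chain(certs, personal_label)
    if missing is not None:
        raise ValueError(f"signer not in key database: {missing}")
    return [c.label for c in reversed(chain[1:])]


if __name__ == "__main__":
    print("ADD order:", add_order(SAMPLE_CERTS, "ibmwebspheremqqm1"))
    without_root = [c for c in SAMPLE_CERTS if c.label != "example_root"]
    print("missing signer:", build_chain(without_root, "ibmwebspheremqqm1")[1])
```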

ALCSALCS (Acolyte, joined 14 Apr 2002, 61 posts)
Posted: Thu Jan 24, 2013 4:21 am
We tried both suggestions with no success.
Many Thanks

zpat (Jedi Council, joined 19 May 2001, 5866 posts, location: UK)
Posted: Thu Jan 24, 2013 4:27 am
Why not join me in the 21st century and use the MQ key management GUI?