Can JMS client use SSL CMS keystores via means of CCDT?
longnguk |
Posted: Sat Aug 03, 2013 8:14 am Post subject: Can JMS client use SSL CMS keystores via means of CCDT?
Can a JMS client use SSL CMS keystores by means of a CCDT, or does the client still need to use JSSE JKS?
I am hoping somebody may be able to tell me if that is possible.
Here's my scenario:
Configure the queue manager to use SSL. No issues there.
Setup a client/server connection channels with the appropriate SSL options.
Send the AMQCLCHL.TAB to the WMQ Client.
On the client side:
- Configure the JNDI using JMSAdmin on the client.
- Export the MQSSLKEYR to point to the CMS keystore location on the client
- etc.
- When attempting to use a JMS sample to connect over SSL, I get SSL errors.
- Turning on the SSL debug, the output indicates that the WMQ client is using JSSE, e.g.
Code:
keyStore is: /opt/mqc/java/jre64/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is:
init keystore
init keymanager of type IbmX509
trustStore is: /opt/mqc/java/jre64/jre/lib/security/cacerts
trustStore type is: jks
...
Is there something that I should do (missing environment variables?) to use CMS keystores for the JMS client?
Anyone?
fjb_saper |
Posted: Sat Aug 03, 2013 4:09 pm Post subject:
Sadly you cannot use a CMS keystore with Java... (you could, but it deviates enough from the standard JKS that nobody bothers...)
So you just copy your CMS client store to JKS (using ikeyman) and you're good to access the qmgr with Java.
The channel table only serves to set up the correct connection parameters.
Have fun.
_________________
MQ & Broker admin
longnguk |
Posted: Sun Aug 04, 2013 9:26 am Post subject:
fjb_saper wrote:
> Sadly you cannot use a CMS keystore with Java... (you could, but it deviates enough from the standard JKS that nobody bothers...)
> So you just copy your CMS client store to JKS (using ikeyman) and you're good to access the qmgr with Java.
> The channel table only serves to set up the correct connection parameters.
> Have fun.
Thank you fjb_saper!
I did convert CMS to JKS using runmqckm and everything seemed to work: the exchange of certificates was fine and I could connect, etc. However, I used the highest CipherSpec (TLS_RSA_WITH_AES_256_CBC_SHA) and that meant I had to turn on FIPS!
Although the solution seems to work with FIPS enabled, I am a bit concerned, since the command runmqckm does not support the -fips option and I do not know if that would cause problems down the road. BTW, when working with FIPS, I have always used runmqakm.
Any thoughts, anyone?
gbaddeley |
Posted: Sun Aug 04, 2013 4:00 pm Post subject:
longnguk wrote:
> Any thoughts, anyone?
The -fips option means "only allow FIPS compliant processing of certificates and cipherspecs". You are quite welcome to use the gskit tools or MQ without the option as long as the cipherspecs are acceptable to your own business or business partners using SSL.
There are no fundamental objections to using runmqckm, runmqakm or any other gskit tool. They have different features and limitations; use whatever tool is needed to achieve the desired result.
_________________
Glenn
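The thread settles on three points: the MQ classes for JMS read their keys through JSSE (the JKS/cacerts lines in longnguk's debug trace), so the CMS .kdb is converted to a JKS with runmqckm/ikeyman; the CCDT only supplies connection parameters (fjb_saper); and FIPS enforcement is a property of how the client and channel negotiate, not of which GSKit tool built the store (Glenn). The client below, added here as a worked example and not code posted in the thread, ties those together. All file paths, the password handling, the queue manager name QM1 and the queue SSL.TEST.QUEUE are assumptions for illustration; the runmqckm conversion syntax in the header comment is the -keydb -convert form of that tool and should be checked against the documentation for your MQ version.

```java
// Added example (not from the thread): MQ JMS client connecting through a CCDT
// over TLS, with key material in a JKS produced from the CMS .kdb.
// Paths, password handling, QM1 and SSL.TEST.QUEUE are assumptions.
//
// One-off conversion of the CMS store (runmqckm, as the poster used):
//   runmqckm -keydb -convert -db client.kdb -pw <kdb-password> \
//            -old_format cms -new_format jks
// Then confirm the personal certificate and its signer(s) survived:
//   keytool -list -v -keystore client.jks -storepass <kdb-password>

import java.net.URL;

import javax.jms.Connection;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;

import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class CcdtSslClient {

    /** Factory that takes channel, connection name and SSLCIPH from the CCDT
     *  and its certificates from JSSE. */
    static MQConnectionFactory buildFactory(String ccdtPath, String jksPath,
                                            String jksPassword) throws Exception {
        // The Java client uses JSSE, so the stores come from these properties
        // (or the equivalent -Djavax.net.ssl.* flags). MQSSLKEYR is read only by
        // the C/MQI client and has no effect here, which is why exporting it
        // still left the trace showing .../jre/lib/security/cacerts.
        System.setProperty("javax.net.ssl.keyStore", jksPath);
        System.setProperty("javax.net.ssl.keyStorePassword", jksPassword);
        // The converted JKS holds the signer certificates too, so it can double
        // as the trust store; JSSE does not use the ibmwebspheremq<user> label
        // convention of the CMS store to pick the personal certificate.
        System.setProperty("javax.net.ssl.trustStore", jksPath);
        System.setProperty("javax.net.ssl.trustStorePassword", jksPassword);

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setCCDTURL(new URL("file://" + ccdtPath));
        cf.setQueueManager("QM1");   // assumption: the QMNAME of the CCDT entry

        // The channel's SSLCIPH (TLS_RSA_WITH_AES_256_CBC_SHA in the thread) is
        // taken from the CCDT. If you also call cf.setSSLCipherSuite(...) it
        // must be the JSSE name of the same CipherSpec, which on the IBM JRE is
        // SSL_RSA_WITH_AES_256_CBC_SHA. Requiring FIPS makes the client refuse a
        // non-FIPS suite at runtime, independent of which GSKit tool built the JKS.
        cf.setSSLFipsRequired(true);
        return cf;
    }

    public static void main(String[] args) throws Exception {
        // Password from the environment rather than a literal in the source.
        String jksPassword = args.length > 0 ? args[0] : System.getenv("JKS_PASSWORD");
        MQConnectionFactory cf = buildFactory("/opt/mqc/ssl/AMQCLCHL.TAB",
                                              "/opt/mqc/ssl/client.jks", jksPassword);

        Connection conn = cf.createConnection();   // TLS handshake happens here
        try {
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue q = session.createQueue("queue:///SSL.TEST.QUEUE");   // assumption
            MessageProducer producer = session.createProducer(q);
            TextMessage msg = session.createTextMessage("hello over TLS via CCDT");
            conn.start();
            producer.send(msg);
            System.out.println("sent " + msg.getJMSMessageID());
        } finally {
            conn.close();
        }
    }
}
```

Run it with -Djavax.net.debug=ssl to get the same "keyStore is:" / "keyStore type is:" trace the poster quoted; after the conversion those lines should name the JKS above rather than the JRE's cacerts. The JKS is just a container for the same certificates and private key the .kdb held, so whether it was built by runmqckm or runmqakm does not change what the channel negotiates; the FIPS constraint is enforced by setSSLFipsRequired on the client and the CipherSpec on the SVRCONN.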
longnguk |
Posted: Mon Aug 05, 2013 6:00 pm Post subject:
Thanks everyone, I really appreciate your input, especially fjb_saper's: I was really in need of confirmation in regard to my original question, and you provided it.
Maybe I am a bit over-cautious here in being wary of using runmqckm when it indicates that -fips is not supported? Perhaps the documentation/manual could be a bit clearer and say something along the lines mentioned by Glenn....
Talking about Glenn, how are you my friend? You have my email, please keep in touch.