MQSeries.net Forum Index » IBM MQ Security » using self signed certs for mutual authentication

pintrader
PostPosted: Sat Aug 30, 2014 8:18 pm    Post subject: using self signed certs for mutual authentication

Disciple

Joined: 22 Jan 2014
Posts: 164

Hi,
I am trying to figure out client (C1) and SVRCONN (QM1) mutual SSL authentication according to the docs.

At C1:
1) created a key db
- runmqakm -keydb -create -db c1.kdb -pw pswd -type cms -stash
2) created a self-signed cert
- runmqakm -cert -create -db c1.kdb -stashed -label myclient -dn "CN=solaris" -size 2048
3) extract public part
- runmqakm -cert -extract -db c1.kdb -pw pswd -label myclient -target client.pub
4) add the public part of QM1's self-signed cert to the kdb
- runmqakm -cert -add -db c1.kdb -pw pswd -label myqm1 -file qm1.pub

At QM1:
1) created a key db
- runmqakm -keydb -create -db qm1.kdb -pw pswd -type cms -stash
2) create a self-signed cert
- runmqakm -cert -create -db qm1.kdb -pw pswd -label ibmwebspheremqqm1 -dn "CN=qm1" -size 2048

3) extract public part
- runmqakm -cert -extract -db qm1.kdb -pw pswd -label ibmwebspheremqqm1 -target qm1.pub

4) add the client public cert to kdb
- runmqakm -cert -add -db qm1.kdb -pw pswd -label clientselfsign -file client.pub

5) configured SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA) and SSLPEER('CN=solaris') on SVRCONN channel.

6) refresh security type(SSL)


When I connect to the SVRCONN channel at C1, using this:

amqssslc -x '10.10.10.10(1414)' -c SVRCONN -k '/var/mqm/ssl/c1' -s 'TLS_RSA_WITH_AES_256_CBC_SHA' -o http://dummy.OCSP.responder

it gives me:
Code:
AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel name is 'SVRCONN' (if '????' it is unknown at this stage in the SSL processing).
.....
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key repositories for both ends of the channel.



What have I configured wrongly? (Could it be that I did not add a root cert?)

thanks.
exerk
PostPosted: Sun Aug 31, 2014 12:55 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

See the link I put in your other post in regard to client userid certificate labels.

Export your client userid's self-signed certificate, delete the copy in the key store, then import the previously exported certificate and on the import give it a label name of ibmwebspheremq<your client name>, e.g. ibmwebspheremquser1.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
PostPosted: Sun Aug 31, 2014 9:04 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

It's nice to work with self-signed certs; the exchange of certs, however, gets old quickly if you have more than a few keystores to set up.

I'd rather set up my own (internal) CA (find the corresponding MQ security Redbook), and IBM's implementation of SSL allows you to do that....

Have fun
_________________
MQ & Broker admin
pintrader
PostPosted: Mon Sep 01, 2014 12:52 am

Disciple

Joined: 22 Jan 2014
Posts: 164

Thanks exerk and fjb for your replies. I managed to get it to work.

With respect to this, if my QM1 is now signed by an external CA, I would get back about 3 certs from them:
1) Root cert
2) Chained cert, if any
3) Signed cert

For this case, on C1, I need to add QM1's root cert and chained cert. But what about the signed cert? Do I need to extract the public part of this signed cert to add to C1's keystore, or just add the whole signed cert? I think the concept is the same as what's done when both C1 and QM1 are self-signed?

thanks
fjb_saper
PostPosted: Mon Sep 01, 2014 3:48 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

pintrader wrote:
[...] For this case, on C1, I need to add QM1's root cert and chained cert. But what about the signed cert? Do I need to extract the public part of this signed cert to add to C1's keystore, or just add the whole signed cert? I think the concept is the same as what's done when both C1 and QM1 are self-signed?

Not quite. With self-signed certs you only have the equivalent of root certs.
This means you have to exchange all certs.

With CA-signed certs (regardless of whether it is an internal or external CA) all you need is the chain to the root cert. You don't actually need the public cert of the partner, but you need all the other certs in its cert chain.

So say qmgr1 has root, int1, int2 and the qmgr1 cert. As a client you will need root, int1 and int2 in your truststore.


This makes maintenance of the stores much easier. If you use an internal CA to sign all qmgr certs, all you need is the signer cert and its chain (typically only one cert) in the truststore, and all qmgrs having a cert signed by this CA can communicate via SSL...

Have fun
_________________
MQ & Broker admin
pintrader
PostPosted: Mon Sep 01, 2014 5:01 am

Disciple

Joined: 22 Jan 2014
Posts: 164

fjb_saper wrote:
[...] With CA-signed certs (regardless of whether it is an internal or external CA) all you need is the chain to the root cert. You don't actually need the public cert of the partner, but you need all the other certs in its cert chain. [...]


Thanks for the explanation, it's clearer now. I appreciate it.
fjb_saper
PostPosted: Mon Sep 01, 2014 5:42 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

Be careful, though, and do use SSLPEER on the channels.
Otherwise anybody having a cert signed by the CA can access the channel.
When looking at a group, multiple OUs in the DN are your friends.

They need to be specified to the channel in the same order they appear in the cert...

Have fun
_________________
MQ & Broker admin
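An added example (not code from the thread, from IBM or from MQ itself) that puts fjb_saper's two points side by side: which certificates a trust store actually needs for a CA-signed peer versus a self-signed one, and why chain validation alone is not enough without an SSLPEER filter. It uses openssl in place of runmqakm and amqssslc so that it runs without an MQ install; every name in it (Test Root CA, Test Intermediate CA, qm1, solaris, Payments, Batch, rogue) is constructed for the demo. The dn_matches function is a simplified stand-in for SSLPEER matching and is an assumption, not MQ's own rules: each filter attribute must appear in the peer DN in the order given, and a trailing * is a prefix wildcard. That is enough to show the point about OU order.

```shell
#!/bin/sh
# Added example, not code from the thread: openssl stands in for runmqakm/MQ so the
# trust-store and SSLPEER rules discussed above can be checked without an MQ install.
# All names (Test Root CA, Test Intermediate CA, qm1, solaris, Payments, Batch, rogue)
# are constructed for the demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Key pair and CSR for $1 with subject $2, signed by CA $3 with extensions $4.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    printf '%s\n' "$4" >"$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Hierarchy root -> int1 -> {qm1, client, rogue}, plus a self-signed qm1 cert as in the first post.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Test Root CA" -days 30 2>/dev/null
issue int1   "/CN=Test Intermediate CA"                   root "basicConstraints=critical,CA:TRUE"
issue qm1    "/CN=qm1"                                    int1 "basicConstraints=CA:FALSE"
issue client "/O=Example/OU=Payments/OU=Batch/CN=solaris" int1 "basicConstraints=CA:FALSE"
issue rogue  "/O=Example/OU=Payments/CN=rogue"            int1 "basicConstraints=CA:FALSE"
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfqm.key -out selfqm.crt \
    -subj "/CN=qm1" -days 30 2>/dev/null

cat root.crt int1.crt >trust_chain.pem   # signers only: what a client needs for a CA-signed qm1
cp root.crt trust_root_only.pem          # incomplete chain, intermediate missing

# Does certificate $2 validate against trust store $1? (exit 0 = yes)
trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject DN, most specific attribute first and comma separated (the shape used for SSLPEER).
peer_dn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }

# Simplified model of an SSLPEER filter (an assumption for this demo, not MQ's code):
# every "type=value" in filter $2 must occur in DN $1, in the order given; a value
# ending in "*" matches as a prefix. Repeated OUs therefore have to be listed in
# the same order as in the certificate, and an empty filter matches everyone.
dn_matches() {
    printf '%s\n%s\n' "$1" "$2" | awk -F, '
        function attr_ok(have, want,    k) {
            if (substr(want, length(want), 1) == "*") {
                k = substr(want, 1, length(want) - 1)
                return substr(have, 1, length(k)) == k
            }
            return have == want
        }
        NR == 1 { n = NF; for (i = 1; i <= n; i++) dn[i] = $i; next }
        NR == 2 {
            pos = 1
            for (j = 1; j <= NF; j++) {
                found = 0
                for (i = pos; i <= n; i++)
                    if (attr_ok(dn[i], $j)) { pos = i + 1; found = 1; break }
                if (!found) exit 1
            }
            exit 0
        }'
}

report() { if "$@"; then echo yes; else echo no; fi; }
show() { label=$1; shift; printf '%-58s %s\n' "$label" "$(report "$@")"; }

show "CA-signed qm1 vs trust store root+int1 (no qm1 leaf):" trusted trust_chain.pem qm1.crt
show "CA-signed qm1 vs trust store root only:"               trusted trust_root_only.pem qm1.crt
show "self-signed qm1 vs trust store holding its own cert:"  trusted selfqm.crt selfqm.crt
show "self-signed qm1 vs trust store root+int1:"             trusted trust_chain.pem selfqm.crt
show "rogue cert from the same CA passes the chain check:"   trusted trust_chain.pem rogue.crt

CLIENT_DN=$(peer_dn client.crt); ROGUE_DN=$(peer_dn rogue.crt)
echo "client DN: $CLIENT_DN"
show "SSLPEER CN=solaris,OU=Batch,OU=Payments vs client:"    dn_matches "$CLIENT_DN" "CN=solaris,OU=Batch,OU=Payments"
show "same OUs in the other order vs client:"                dn_matches "$CLIENT_DN" "CN=solaris,OU=Payments,OU=Batch"
show "SSLPEER CN=solaris vs rogue (chain-valid, wrong DN):"  dn_matches "$ROGUE_DN" "CN=solaris"
```

Run it with sh on any box that has openssl; it leaves its working files in a temporary directory. The rogue line is the one to look at: a certificate issued by the same CA validates cleanly against root+int1, and only the DN check turns it away, which is exactly why a channel with no SSLPEER admits every holder of a CA-issued cert.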