MQSeries.net: IBM MQ Installation/Configuration Support

SSL between queue managers
kdorre
PostPosted: Mon Jul 28, 2003 9:20 pm    Post subject: SSL between queue managers

Hi all

Has anyone set up SSL between 2 queue managers, i.e. queue manager communications over sender/receiver channels?

I have been trying to set up the following environment.

1. Windows queue manager (W2k & MQ 5.3)
2. Linux queue manager (RH 8.0 and MQ 5.3)

I have generated 2 certificates on the Linux machine; the only key that I can seem to generate is a .p12 with the following encryption MD5withRSA. I exported these and loaded one on the Windows machine. However, when it comes to configuring the channel for SSL, I am not sure which CipherSpec to use.

Can anyone shed some light on this?

Thanks in advance.

Keith
_________________
life, liberty and the pursuit of happiness
harwinderr
PostPosted: Thu Jul 31, 2003 2:41 am

Yes, I had a chance to work on SSL communication between two queue managers, though not on a Windows box. I tried this Linux-to-Linux and Linux-to-Solaris, and I believe it won't be any different for Windows either.
I would recommend you go through the Security guide for the Windows-specific implementation.

Quote:
    I have generated 2 certificates on the Linux machine; the only key that I can seem to generate is a .p12 with the following encryption MD5withRSA.

I wonder how you are generating .p12 files on Linux. WMQ53 on Linux comes along with GSKit, which has iKeyman - a tool for managing certificates for the queue managers. I think you are using OpenSSL to generate the certificates. Can you give more details about this?

Regarding choosing the CipherSpec, you can use any cipher suite (depending on your application/business needs), but it has to be the same on both the SDR and RCVR channels, otherwise the handshake will fail.

Hope it helps

Later,
HR
kdorre
PostPosted: Fri Aug 01, 2003 4:59 pm

HR

Thanks for the reply

So this is what I have thus far.

I am setting up the Linux machine to be the main server that all other servers connect to for authentication, and thus I want to distribute the keys from there.

I use gsk6ikm to generate 2 keys, for example
qmgrxtoqmgry & qmgrytoqmgrx

The keys generated are X.509 v3, key size 1024, signature algorithm MD5withRSA.

The Linux queue manager has the following parameters set:

AMQ8408: Display Queue Manager details.
DESCR( ) DEADQ( )
DEFXMITQ( ) CHADEXIT( )
CLWLEXIT( ) CLWLDATA( )
REPOS( ) REPOSNL( )
SSLKEYR(/var/mqm/qmgrs/XXXX/ssl/key) SSLCRLNL( )
SSLCRYP( ) COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)
QMNAME(SPURS) CRDATE(2002-12-17)
CRTIME(15.23.49) ALTDATE(2003-02-26)
ALTTIME(15.28.59) QMID(XXXX_2002-12-17_15.23.49)
TRIGINT(999999999) MAXHANDS(256)
MAXUMSGS(10000) AUTHOREV(DISABLED)
INHIBTEV(DISABLED) LOCALEV(DISABLED)
REMOTEEV(DISABLED) PERFMEV(DISABLED)
STRSTPEV(ENABLED) CHAD(DISABLED)

The sender channel on the Linux machine to the other queue manager is set as follows:

3 : dis channel(to.YYYY)
AMQ8414: Display Channel details.
CHANNEL(TO.YYYYY) CHLTYPE(SDR)
TRPTYPE(TCP) DESCR( )
XMITQ(YYYY) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SEQWRAP(999999999)
MAXMSGL(4194304) CONVERT(NO)
SCYDATA( ) USERID( )
PASSWORD( ) MCATYPE(PROCESS)
CONNAME(YYYY) HBINT(300)
BATCHINT(0) NPMSPEED(FAST)
SSLCIPH(TRIPLE_DES_SHA_US) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
MCAUSER( ) ALTDATE(2003-07-30)
ALTTIME(14.30.17) SSLPEER()
MSGEXIT( )
SENDEXIT( )
RCVEXIT( )
MSGDATA( )
SENDDATA( )
RCVDATA( )
CHADEV(DISABLED) CLWLLEN(100)
MAXMSGL(20000000) CCSID(819)
MAXPRTY(9) CMDLEVEL(530)
PLATFORM(UNIX) SYNCPT
DISTL(YES)

The receiver channel on the Linux machine is set up as follows:

4 : dis channel(to.XXXX)
AMQ8414: Display Channel details.
CHANNEL(TO.SPURS) CHLTYPE(RCVR)
TRPTYPE(TCP) DESCR( )
BATCHSZ(50) SCYEXIT( )
SEQWRAP(999999999) MAXMSGL(4194304)
PUTAUT(DEF) SCYDATA( )
MREXIT( ) MRDATA( )
MRRTY(10) MRTMR(1000)
HBINT(300) NPMSPEED(FAST)
SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(REQUIRED)
KAINT(AUTO) MCAUSER( )
ALTDATE(2003-07-30) ALTTIME(12.14.49)
SSLPEER()
MSGEXIT( )
SENDEXIT( )
RCVEXIT( )
MSGDATA( )
SENDDATA( )
RCVDATA( )

On the Windows machine the following is set up:

AMQ8408: Display Queue Manager details.
DESCR( ) DEADQ( )
DEFXMITQ( ) CHADEXIT( )
CLWLEXIT( ) CLWLDATA( )
REPOS( ) REPOSNL( )
SSLKEYR(C:\Program Files\IBM\WebSphere MQ\qmgrs\YYYY\ssl\key)
SSLCRLNL( ) COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)
QMNAME(YYYY) CRDATE(2003-06-05)
CRTIME(14.54.24) ALTDATE(2003-06-05)
ALTTIME(14.54.24) QMID(YYYY_2003-06-05_14.54.24)
TRIGINT(999999999) MAXHANDS(256)
MAXUMSGS(10000) AUTHOREV(DISABLED)
INHIBTEV(DISABLED) LOCALEV(DISABLED)
REMOTEEV(DISABLED) PERFMEV(DISABLED)
STRSTPEV(ENABLED) CHAD(DISABLED)
CHADEV(DISABLED) CLWLLEN(100)
MAXMSGL(4194304) CCSID(437)
MAXPRTY(9) CMDLEVEL(530)
PLATFORM(WINDOWSNT) SYNCPT
DISTL(YES)

The sender channel to the Linux machine is set up as follows:

AMQ8414: Display Channel details.
CHANNEL(TO.XXXX) CHLTYPE(SDR)
TRPTYPE(TCP) DESCR( )
XMITQ(XXXX) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SEQWRAP(999999999)
MAXMSGL(4194304) CONVERT(NO)
SCYDATA( ) USERID( )
PASSWORD( ) MCATYPE(PROCESS)
CONNAME(XXXX) HBINT(300)
BATCHINT(0) NPMSPEED(FAST)
SSLCIPH(TRIPLE_DES_SHA_US) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
MCAUSER( ) ALTDATE(2003-08-01)
ALTTIME(16.08.26) SSLPEER()
MSGEXIT( )
SENDEXIT( )
RCVEXIT( )
MSGDATA( )
SENDDATA( )
RCVDATA( )

The receiver channel from the Linux machine is set up like this:

AMQ8414: Display Channel details.
CHANNEL(TO.YYYY) CHLTYPE(RCVR)
TRPTYPE(TCP) DESCR( )
BATCHSZ(50) SCYEXIT( )
SEQWRAP(999999999) MAXMSGL(4194304)
PUTAUT(DEF) SCYDATA( )
MREXIT( ) MRDATA( )
MRRTY(10) MRTMR(1000)
HBINT(300) NPMSPEED(FAST)
SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL)
KAINT(AUTO) MCAUSER( )
ALTDATE(2003-07-30) ALTTIME(14.23.15)
SSLPEER()
MSGEXIT( )
SENDEXIT( )
RCVEXIT( )
MSGDATA( )
SENDDATA( )
RCVDATA( )

The above configuration works without the SSL option set, so I know there is no problem there.

This is what I did next, and I'm not sure if it's right.

1. I export the two keys that I have generated using the gsk6ikm tool. I create two files, qmgrxtoqmgry.p12 & qmgrytoqmgrx.p12.

2. I copy these two files to the windows machine (in binary of course)

3. Using the Internet Options function I add the two keys.

4. As I am not really sure what is required here I assign both keys to the Windows queue manager.

Then I start the channels and they go into retrying; the MQ log shows that there has been an SSL error.

Any tips?

I think I am going to start from scratch.
_________________
life, liberty and the pursuit of happiness
interactivechannel
PostPosted: Tue Aug 05, 2003 1:47 am

UNIX
Creating a key repository
1. Start iKeyman on UNIX.
export DISPLAY=my_pc:0
export JAVA_HOME=/usr/mqm/ssl/jre or /opt/mqm/ssl
gsk6ikm &
2. Create a key repository. The key repository is known as a key database on UNIX.
Click Key database File -> New
3. Select the key database type CMS and input your file name and location (E.g. /var/mqm/qmgrs/QMNAME/ssl/key.kdb); the file name must have an extension of .kdb.
4. Set the password. Select Stash the password to a file. The key database and password stash files are created in your directory.
/var/mqm/qmgrs/QMNAME/ssl/key.kdb
/var/mqm/qmgrs/QMNAME/ssl/key.sth
Storing certificates
1. Remove unwanted default signer certificates.
2. Add the self-signed certificates for communicating queue managers.
Click Signer Certificates-> Add
Enter the certificate file name and the label. For example a file name QMNAME.der and the label ibmwebspheremq<qmname>
3. Ensure Set the certificate as a trusted root is checked in View/Edit.
4. Add the self-signed certificate containing the private key.
Click Personal Certificates-> Import
Enter the certificate file name and the label. For example a file name QMNAME.p12 and the label ibmwebspheremq<qmname>
MQ configuration
1. Set your key repository name to the queue manager's attribute SSLKEYR.
2. Alter the channel attributes for SSL.
Specify SSLCIPH, such as 'NULL_MD5'
Ensure SSLCAUTH is set to 'REQUIRED' where applicable
Consider using SSLPEER for additional security filtering
3. Cluster considerations.
When migrating from a non-SSL cluster to an SSL cluster, each CLUSRCVR change must be fully reflected around the cluster before changing the next one. Alter the definition of the cluster sender channel to the full repository that you define explicitly so it has the correct SSL parameters.

Windows
Creating a key repository
WebSphere MQ provides MQ Explorer/Services and the amqmcert command to manage the key repository. The amqmcert command is useful for the Client environment, because it does not have the WebSphere MQ GUI-based interface. The key repository is known as the key store on Windows and has the suffix .sto.
The default location for the key store is
'C:\Program Files\IBM\WebSphere MQ\Qmgrs\<QMNAME>\ssl\MyKey.sto'
Storing certificates
On Windows 2000 and above, use the following procedure to add a personal certificate to a queue manager certificate store using WebSphere MQ Explorer.
1. Open WebSphere MQ Explorer and expand the Queue Managers folder.
2. Right-click the queue manager and select Properties.
3. Select the SSL page and click the Manage SSL Certificates button.
4. Remove unwanted default signer certificates.
5. Click Add in the Manage SSL Certificates window.
6. In the Import from a file field, type the fully qualified name, or find using browse, of the file containing the personal certificate.
7. Click Add in the Add Certificate window.
This process needs to be repeated for the self-signed certificates of communicating queue managers.
Assign certificate to queue manager
Assigning a certificate is a special procedure for WebSphere MQ on Windows. The certificates must be in the queue manager store before they can be used by MQ.
1. Open WebSphere MQ Explorer and expand the Queue Managers folder.
2. Right-click the queue manager and select Properties.
3. Select the SSL page and click Manage SSL Certificates.
4. Click Assign.
5. Select the certificate you intend to use and click Assign again.
MQ configuration
1. Set your key repository name in the queue manager's attribute SSLKEYR, either in the Location field of the SSL tab of the queue manager Properties, or with MQSC:
ALTER QMGR SSLKEYR('C:\Program Files\IBM\WebSphere MQ\Qmgrs\<QMNAME>\ssl\MyKey.sto')
2. Alter the channel attributes for SSL as in UNIX.
3. Cluster considerations as in UNIX.
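Two rules stated in this thread can be checked mechanically against the DISPLAY CHANNEL listings posted above: SSLCIPH must be identical on the SDR and RCVR ends (harwinderr), and the receiver should have SSLCAUTH REQUIRED with SSLPEER set where applicable (interactivechannel). The Python below is an added example, not code from any poster or from IBM; the sample listings are constructed, trimmed to the same shape as kdorre's output, and the attribute regex assumes the NAME(value) layout MQSC prints.

```python
import re

# Constructed sample input: DISPLAY CHANNEL output trimmed to the attributes
# that matter here, in the same shape as the listings posted in this thread.
LINUX_SDR = """AMQ8414: Display Channel details.
CHANNEL(TO.YYYY) CHLTYPE(SDR)
TRPTYPE(TCP) DESCR( )
SSLCIPH(TRIPLE_DES_SHA_US) BATCHHB(0)
ALTTIME(14.30.17) SSLPEER()
"""
WINDOWS_RCVR = """AMQ8414: Display Channel details.
CHANNEL(TO.YYYY) CHLTYPE(RCVR)
SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL)
SSLPEER()
"""

# NAME(value) pairs; MQSC prints an empty value as "( )" or "()".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channel(text):
    """Map DISPLAY CHANNEL output to {ATTRIBUTE: value}, values stripped."""
    return {name: value.strip() for name, value in ATTR_RE.findall(text)}


def check_pair(sdr, rcvr):
    """Apply the thread's rules to a sender/receiver pair; [] means clean."""
    findings = []
    if (sdr.get("CHLTYPE"), rcvr.get("CHLTYPE")) != ("SDR", "RCVR"):
        findings.append("expected a SDR definition paired with a RCVR")
    if sdr.get("CHANNEL") != rcvr.get("CHANNEL"):
        findings.append("channel names differ: the receiver will not match")
    if not sdr.get("SSLCIPH"):
        findings.append("SSLCIPH empty on sender: channel runs without SSL")
    elif sdr.get("SSLCIPH") != rcvr.get("SSLCIPH"):
        findings.append("SSLCIPH mismatch: the SSL handshake will fail")
    if rcvr.get("SSLCAUTH") != "REQUIRED":
        findings.append("receiver SSLCAUTH not REQUIRED: sender certificate is not demanded")
    for side, chl in (("sender", sdr), ("receiver", rcvr)):
        if not chl.get("SSLPEER"):
            findings.append(f"{side} SSLPEER empty: any certificate the key repository trusts is accepted")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_channel(LINUX_SDR), parse_channel(WINDOWS_RCVR)):
        print("-", finding)
```

Run against the listings in this thread, the checker reports the OPTIONAL receiver and the two empty SSLPEER values while confirming the CipherSpecs already match.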
kdorre
PostPosted: Tue Aug 05, 2003 8:08 pm

Thanks everyone thus far for the help.

I think that I have got my head around it; however:

1. iKeyman only gives me 3 options when it comes to defining a new key database file: jks, jceks and pkcs12.

2. The 'stash password' option is not available; it's grayed out and not selectable.

From reading the MQ administration guide:

"Select the Stash the password to a file check box.
Note:
If you do not stash the password, attempts to start SSL channels fail because they cannot obtain the password required to access the key repository."

Thus I'm stuck.

I am running MQ 5.3 CSD04 on RedHat Linux 8.0.

Any suggestions? Am I missing something really obvious?

Thanks in advance.

Keith
_________________
life, liberty and the pursuit of happiness
interactivechannel
PostPosted: Wed Aug 06, 2003 12:54 am

If you can't select a CMS key database type, you're stuffed. Try downloading HTTP server from IBM.
harwinderr
PostPosted: Wed Aug 06, 2003 8:44 pm

gsk6ikm does not give the option to create the CMS key database type. Not of much help!! Is there some kind of configuration I am missing?

BTW, gsk5ikm does give the option to create the CMS key database, and I successfully tested the SSL communication between W2K/Linux queue managers using that.

Later,
HR
jcastaldo
PostPosted: Mon May 16, 2005 6:56 am    Post subject: Windows 2003 Clustering with Certificates and SSL

Has anyone clustered IBM MQ 5.3 with Windows 2003 (MSCS, not IBM clustering) using certificates and SSL? I created a certificate on one of the nodes, then exported both the private and public key to the other nodes. Assigned the cert to the QM, and it works. But when you fail the node over, SSL fails. It generates an SSL key error for the QM.

The errors generated are:
#1
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

#2
An SSL security call failed during SSL handshaking.

An SSPI call to the Secure Channel (Schannel) SSL provider failed during SSL handshaking. The failure has caused WebSphere MQ channel name '0001.01.01' to be closed. If the name is '????' then the name is unknown.
Consult the Windows Schannel reference manual to determine the meaning of status 0x8009030D (The credentials supplied to the package were not recognized ) for SSPI call AcquireCredentialsHandle. Correct the failure and if necessary re-start the channel.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The weird thing is that if I disable SSL for the QM on the node I failed over to, I can re-enable SSL for that QM using the same certificate.

I have the QM set to use the key repository on shared disk, so the QM uses the same key files on every node.