srikanthc60 |
Posted: Mon Apr 06, 2015 10:14 pm Post subject: need help in creating MQ server certificate based on root |
|
|
Voyager
Joined: 21 Jul 2013 Posts: 79
|
Hi,
I am using the commands below to create the queue manager certificate.
gsk7cmd -cert -create -db key.kdb -dn "CN=DNS_NAME, OU=QMGR, O=ORG, L=Loc, ST=st, C=c" -label ibmwebspheremqqmgr -size 2048 -expire 3650
gsk7cmd -cert -extract -db key.kdb -label ibmwebspheremqqmgr -target qmgr_mq.crt -format ascii
But my client wants it to be generated in some other way (created based on the root certificate from the MQ broker side). He gave me four certificates named AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSAOrganizationValidationSecureServerCA.crt and service-bus-np.crt.
I have added these certificates to our queue manager key store by using the command below.
gsk7cmd -cert -add -db key.kdb -label label_name -file file.crt -format ascii
Could anyone help me with how to create an MQ server certificate based on the root certificate provided by the client? Is he asking for the MQ server certificate to be generated based on the certificates he has provided?
Thanks in advance!!!  |
|
smdavies99 |
Posted: Mon Apr 06, 2015 11:21 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
It would help us if you told us what version of MQ (including the Fix Pack) you are using for this.
There are some differences in this area between V7.x and V8.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
srikanthc60 |
Posted: Mon Apr 06, 2015 11:52 pm Post subject: |
|
|
Voyager
Joined: 21 Jul 2013 Posts: 79
|
Platform is AIX
/home/mqm>dspmqver
Name: WebSphere MQ
Version: 7.0.1.12
CMVC level: p701-112-140319
BuildType: IKAP - (Production) |
|
exerk |
Posted: Tue Apr 07, 2015 12:33 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
You need to:
1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.
Or:
2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.
Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
fjb_saper |
Posted: Tue Apr 07, 2015 8:46 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
exerk wrote: |
You need to:
1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.
Or:
2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.
Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc. |
The information was provided. The CA is Comodo...
_________________
MQ & Broker admin |
|
exerk |
Posted: Tue Apr 07, 2015 8:59 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
exerk wrote: |
You need to:
1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.
Or:
2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.
Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc. |
The information was provided. The CA is Comodo...  |
I didn't want to make the assumption, and also do not most commercial CAs provide many different CA certs according to the particular usage required, or would the commercial CA? Doh! Stupid question from me! |
|
srikanthc60 |
Posted: Wed Apr 15, 2015 6:57 am Post subject: |
|
|
Voyager
Joined: 21 Jul 2013 Posts: 79
|
Thanks for the suggestions..
One more query, which might be similar.
In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server? |
|
fjb_saper |
Posted: Wed Apr 15, 2015 8:27 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
srikanthc60 wrote: |
Thanks for the suggestions..
One more query, which might be similar.
In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server? |
Bad, bad, bad juju. Each queue manager should have its own certificate. So if you have 8 qmgrs on a single server you still need 8 certs... |
|
exerk |
Posted: Wed Apr 15, 2015 9:28 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
srikanthc60 wrote: |
Thanks for the suggestions..
One more query, which might be similar.
In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server? |
Bad, bad, bad juju. Each queue manager should have its own certificate. So if you have 8 qmgrs on a single server you still need 8 certs... |
Unless I'm reading it wrong, that's what srikanthc60 wants to do - is not "...create common root certificate..." which "...can be used to issue MQ server certificates..." synonymous with a CA signer?
srikanthc60, if that's what you mean then something like OpenSSL will give you that facility if you want to control certificates for testing purposes etc. |
|
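The OpenSSL route mentioned in the post above, as an added example that is not code from any poster in this thread: a throwaway root CA signs a separate certificate for each queue manager, so the certificates share an issuer but never a key. The names QM1, QM2 and Example Org and the file layout are assumptions, and the private keys are written unencrypted, which suits a test setup only.

```shell
# Constructed test CA: one root, a separate key and certificate per queue manager.
# QM1/QM2, "Example Org" and all file names are illustrative assumptions.
set -eu

make_test_ca() {            # $1 = working directory for the CA
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = MQ Test Root CA
O = Example Org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_qmgr_cert() {         # $1 = CA directory, $2 = queue manager name
    # Each queue manager gets its own key pair and CSR; only the CSR reaches the CA.
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -subj "/CN=$2/OU=QMGR/O=Example Org" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions v3_leaf -out "$1/$2.crt" 2>/dev/null
}

verify_qmgr_cert() {        # succeeds only if $2's certificate chains to the root in $1
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

show_cert() {               # subject, issuer and fingerprint of certificate file $1
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

demo=$(mktemp -d)
make_test_ca "$demo"
for qm in QM1 QM2; do
    issue_qmgr_cert "$demo" "$qm"
    verify_qmgr_cert "$demo" "$qm" && show_cert "$demo/$qm.crt"
done
rm -rf "$demo"
```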
fjb_saper |
Posted: Wed Apr 15, 2015 11:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
exerk wrote: |
Unless I'm reading it wrong, that's what srikanthc60 wants to do - is not "...create common root certificate..." which "...can be used to issue MQ server certificates..." synonymous with a CA signer?
srikanthc60, if that's what you mean then something like OpenSSL will give you that facility if you want to control certificates for testing purposes etc. |
It's still bad. The common root cert i.e. CA should be enterprise wide and not just server wide. Or if not enterprise wide at least MQ wide in the enterprise... and no need to get an OpenSSL package. MQ cert maintenance can do it all. Look at the different options of runmqckm and runmqakm (-cert -sign ...) |
|