Need help in creating MQ server certificate based on root
srikanthc60
Posted: Mon Apr 06, 2015 10:14 pm    Post subject: Need help in creating MQ server certificate based on root

Voyager

Joined: 21 Jul 2013
Posts: 79

Hi,

I am using the commands below to create the queue manager certificate.

gsk7cmd -cert -create -db key.kdb -dn "CN=DNS_NAME, OU=QMGR, O=ORG, L=Loc, ST=st, C=c" -label ibmwebspheremqqmgr -size 2048 -expire 3650

gsk7cmd -cert -extract -db key.kdb -label ibmwebspheremqqmgr -target qmgr_mq.crt -format ascii


But my client wants it to be generated in some other way (created based on the root certificate from the MQ broker side). He gave me four certificates named AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSAOrganizationValidationSecureServerCA.crt and service-bus-np.crt.

I have added these certificates to our queue manager key store by using below command.

gsk7cmd -cert -add -db key.kdb -label label_name -file file.crt -format ascii


Could anyone help me with how to create the MQ server certificate based on the root certificate provided by the client? Is he asking for the MQ server certificate to be generated based on the certificates he has provided?

Thanks in advance!!!
smdavies99
Posted: Mon Apr 06, 2015 11:21 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

It would help us if you told us what version of MQ (including the Fix Pack) you are using for this.
There are some differences in this area between V7.x and V8.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
srikanthc60
Posted: Mon Apr 06, 2015 11:52 pm

Voyager

Joined: 21 Jul 2013
Posts: 79

Platform is AIX

/home/mqm>dspmqver
Name: WebSphere MQ
Version: 7.0.1.12
CMVC level: p701-112-140319
BuildType: IKAP - (Production)
exerk
Posted: Tue Apr 07, 2015 12:33 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

You need to:

1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.

Or:

2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.

Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Tue Apr 07, 2015 8:46 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

exerk wrote:
You need to:

1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.

Or:

2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.

Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc.


The information was provided. The CA is Comodo...
_________________
MQ & Broker admin
exerk
Posted: Tue Apr 07, 2015 8:59 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

fjb_saper wrote:
exerk wrote:
You need to:

1. Create a certificate request and submit that to the CA that provided the certificates to your client, then receive the signed certificate into your queue manager key store.

Or:

2. Pass on to the CA the details of your queue manager's DN, then import the certificate they provide.

Either way there may be a cost involved if it's a commercial CA, and if you interrogate the detail of the certificates given you they'll provide the information regarding the CA, i.e. the issuer etc.


The information was provided. The CA is Comodo...

I didn't want to make the assumption, and also do not most commercial CAs provide many different CA certs according to the particular usage required, or would the commercial CA? Doh! Stupid question from me!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
srikanthc60
Posted: Wed Apr 15, 2015 6:57 am

Voyager

Joined: 21 Jul 2013
Posts: 79

Thanks for the suggestions..

One more query, which might be similar.

In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server?
fjb_saper
Posted: Wed Apr 15, 2015 8:27 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

srikanthc60 wrote:
Thanks for the suggestions..

One more query, which might be similar.

In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server?


Bad, bad, bad juju. Each queue manager should have its own certificate. So if you have 8 qmgrs on a single server you still need 8 certs...
_________________
MQ & Broker admin
exerk
Posted: Wed Apr 15, 2015 9:28 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

fjb_saper wrote:
srikanthc60 wrote:
Thanks for the suggestions..

One more query, which might be similar.

In a server, how to create common root certificate for MQ which can be used to issue MQ server certificates based on that root certificate for all queue managers running in that server?


Bad, bad, bad juju. Each queue manager should have its own certificate. So if you have 8 qmgrs on a single server you still need 8 certs...

Unless I'm reading it wrong, that's what srikanthc60 wants to do - is not "...create common root certificate..." which "...can be used to issue MQ server certificates..." synonymous with a CA signer?

srikanthc60, if that's what you mean then something like OpenSSL will give you that facility if you want to control certificates for testing purposes etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Wed Apr 15, 2015 11:04 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

exerk wrote:

Unless I'm reading it wrong, that's what srikanthc60 wants to do - is not "...create common root certificate..." which "...can be used to issue MQ server certificates..." synonymous with a CA signer?

srikanthc60, if that's what you mean then something like OpenSSL will give you that facility if you want to control certificates for testing purposes etc.

It's still bad. The common root cert, i.e. the CA, should be enterprise wide and not just server wide. Or if not enterprise wide, at least MQ wide in the enterprise... and no need to get an OpenSSL package. MQ cert maintenance can do it all. Look at the different options of runmqckm and runmqakm (-cert -sign ...)


_________________
MQ & Broker admin
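
An added example, not written by any poster in this thread and not IBM's own code: the CA-signed flow exerk describes together with the one-certificate-per-queue-manager rule fjb_saper states, done with the OpenSSL command line exerk mentions for testing. A throwaway test CA signs a separate request for each queue manager, and a self-signed certificate like the one the original `-cert -create` command produces is shown not to chain to it. QM1, QM2, QMSELF, ExampleOrg and all file names are assumptions; importing the results into an MQ key store is not shown.

```shell
#!/bin/sh
# Added example: a throwaway TEST CA that issues one certificate per queue manager.
# QM1, QM2, QMSELF, ExampleOrg and all file names are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_cert() {   # $1 = file name, $2 = CN; self-signed, like "gsk7cmd -cert -create"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=ExampleOrg/OU=QMGR/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_qmgr_cert() {   # $1 = queue manager name: own key pair, CSR, then CA signature
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=ExampleOrg/OU=QMGR/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

field() {   # $1 = file name, $2 = subject | issuer | fingerprint
  openssl x509 -in "$WORK/$1.crt" -noout "-$2" | sed 's/^[^=]*= *//'
}

# Self-signed means the certificate names itself as its issuer.
is_self_signed() { [ "$(field "$1" subject)" = "$(field "$1" issuer)" ]; }

chains_to_ca() {   # true only if the certificate verifies against the test root
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}

new_cert ca "MQ Test Root CA"   # the signer; its private key is never copied to a qmgr
issue_qmgr_cert QM1             # each queue manager gets its own key and certificate
issue_qmgr_cert QM2
new_cert QMSELF QMSELF          # self-signed, as the commands in the first post produce

for qm in QM1 QM2 QMSELF; do
  if is_self_signed "$qm"; then kind="self-signed"; else kind="CA-signed"; fi
  if chains_to_ca "$qm"; then trust="chains to test CA"; else trust="does NOT chain to test CA"; fi
  echo "$qm: $kind, $trust, issuer: $(field "$qm" issuer)"
done
```

A partner who trusts only the CA certificate accepts QM1 and QM2 and rejects QMSELF, which is why adding the CA's certificates to a key store that holds a self-signed queue manager certificate does not make that certificate CA-issued.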