Clarification regarding SSL setup in BROKER
dextermbmq
PostPosted: Sat Nov 21, 2015 12:12 pm    Post subject: Clarification regarding SSL setup in BROKER

Voyager

Joined: 26 Jul 2014
Posts: 77

Dear All,

I am trying to do some R&D on SSL concepts in Broker. I am trying to understand if we can add multiple certificates under a SINGLE ALIAS in the Broker Keystore. If not, why?


I have performed the below steps:

1. Created a keystore using the keytool command:

keytool -keystore keystore -alias myalias -genkey -keyalg RSA -keysize 2048

This command asked me for the keystore password and the standard certificate creation details like Distinguished Name, Organisational Unit, Organization etc. I provided the details and a certificate chain along with a Primary key setup identified by alias "myalias" was created.

Now, I tried adding one more certificate into this keystore under the same alias "myalias". I didn't have any certificate so I exported one certificate from the cacerts file (which comes as a part of MB INSTALLATION).

When I tried importing the certificate under the same alias in the same keystore I encountered the following error:

keytool -import -trustcacerts -alias myalias -file exporttest.cert -keystore keystore
Enter keystore password:
Enter key password for <myalias>:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match



Kindly assist
fjb_saper
PostPosted: Sat Nov 21, 2015 8:55 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

SSL 101: NEVER use the same alias for different keys in the same truststore/keystore.
At best it will just overwrite the current cert with the same label / alias.
At worst it will destroy a matching pair forcing you to recreate the matching pair...
_________________
MQ & Broker admin
dextermbmq
PostPosted: Sun Nov 22, 2015 10:48 am

Voyager

Joined: 26 Jul 2014
Posts: 77

Thanks for the clarification. One question though:

I understand the below command creates a key pair with a certificate:

keytool -keystore keystore -alias myalias -genkey -keyalg RSA -keysize 2048

If I give the command multiple times (keeping different alias names every time), will the key pair created, every time the command is executed, be the same or different?
fjb_saper
PostPosted: Sun Nov 22, 2015 12:16 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Each key pair should be different. It should also have a different makeup for the DN (Distinguished Name = name, org, loc, st, etc...).
Have fun
_________________
MQ & Broker admin
dextermbmq
PostPosted: Tue Nov 24, 2015 10:48 pm

Voyager

Joined: 26 Jul 2014
Posts: 77

Thanks for providing the useful info.

I have been reading about this SSL setup and it became clear to me that we can add either a Self Signed Certificate or a CA signed certificate (along with ROOT AND INTERMEDIATE) in the BROKER KEYSTORE using the "keytool -import" command.

Now when we create a keystore using command

keytool -genkey -alias <broker name> -keystore <broker name>.jks -keysize 2048,

it creates a keystore along with a PUBLIC PRIVATE KEY PAIR, HOWEVER WE ARE FORCED TO CREATE A CERTIFICATE AS WELL. It would ask for DN, OU, O and location details. If we are using a CA signed certificate there is actually no need of having this forced certificate.

Why is Broker forcing us to create this Certificate? Does it have any utility when we are using CA signed CERTIFICATES? Can't we just create a KEYSTORE (and PUBLIC PRIVATE KEY PAIR) and then add a CA Signed certificate?
fjb_saper
PostPosted: Tue Nov 24, 2015 11:06 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

dextermbmq wrote:
Thanks for providing the useful info.

I have been reading about this SSL setup and it became clear to me that we can add either a Self Signed Certificate or a CA signed certificate (along with ROOT AND INTERMEDIATE) in the BROKER KEYSTORE using the "keytool -import" command.

Now when we create a keystore using command

keytool -genkey -alias <broker name> -keystore <broker name>.jks -keysize 2048,

it creates a keystore along with a PUBLIC PRIVATE KEY PAIR, HOWEVER WE ARE FORCED TO CREATE A CERTIFICATE AS WELL. It would ask for DN, OU, O and location details. If we are using a CA signed certificate there is actually no need of having this forced certificate.

Why is Broker forcing us to create this Certificate? Does it have any utility when we are using CA signed CERTIFICATES? Can't we just create a KEYSTORE (and PUBLIC PRIVATE KEY PAIR) and then add a CA Signed certificate?

If it does not create a certificate, it creates a certificate request. The request needs a distinguished name. Once the request is signed by the CA you will have a certificate. BTW the CA may not accept the request because the DN does not match what is allowed for your site by the CA. So talk to your security folks!
If it does create a self-signed cert, know that some form of DN information is mandatory; see the X509 spec...
_________________
MQ & Broker admin
zpat
PostPosted: Tue Nov 24, 2015 11:10 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

It's easier to use ikeyman (comes with MQ) GUI.

You can have multiple personal (server) certs with different labels.

With IIB 9 you refer to the one to use in SOAP nodes with the client authentication alias name (IBM speak for certificate label) in node properties.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
dextermbmq
PostPosted: Wed Nov 25, 2015 1:16 am

Voyager

Joined: 26 Jul 2014
Posts: 77

Got some info from ORACLE KEYTOOL DOCUMENTATION. The command

keytool -genkey -alias <broker name> -keystore <broker name>.jks -keysize 2048,

will create a PUBLIC PRIVATE KEY PAIR along with a CERTIFICATE:

-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}
Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.


Below is the URL:

https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html


So IT SEEMS THERE IS NO WAY OF CREATING A KEYSTORE WITHOUT A CERTIFICATE USING KEYTOOL. It's strange, but I still wonder about this mandatory certificate with the keystore.
zpat
PostPosted: Wed Nov 25, 2015 1:28 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Use IBM's ikeyman on Windows to create keystores ....
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
PostPosted: Wed Nov 25, 2015 3:16 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

dextermbmq wrote:
So IT SEEMS THERE IS NO WAY OF CREATING A KEYSTORE WITHOUT A CERTIFICATE USING KEYTOOL. It's strange, but I still wonder about this mandatory certificate with the keystore.


You don't have to. Have you tried using -certreq instead of -genkey?
Anyways, the whole purpose of keytool and the other cert/key store tools is to allow you to work with SSL and X509 certs. So not creating one seems to defeat the purpose...
_________________
MQ & Broker admin
dextermbmq
PostPosted: Wed Nov 25, 2015 4:17 am

Voyager

Joined: 26 Jul 2014
Posts: 77

CERTREQ will just create a CSR file which we can send to the CA for obtaining a signed Certificate (rather than an empty Keystore).

Although I think I got the significance of the default self signed certificate created while giving the "keytool -genkey" command. As per ORACLE KEYTOOL DOCUMENTATION, the "keytool -certreq" command would create a CSR request using the Distinguished Name present in the default self signed certificate along with the PRIVATE KEY of the KEYSTORE. When the CA signed certificate is received, the "keytool -import" command would replace the existing certificate chain with the CA signed one:


A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.


Hope my interpretation is right.
fjb_saper
PostPosted: Wed Nov 25, 2015 9:26 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

dextermbmq wrote:
CERTREQ will just create a CSR file which we can send to the CA for obtaining a signed Certificate (rather than an empty Keystore).

Although I think I got the significance of the default self signed certificate created while giving the "keytool -genkey" command. As per ORACLE KEYTOOL DOCUMENTATION, the "keytool -certreq" command would create a CSR request using the Distinguished Name present in the default self signed certificate along with the PRIVATE KEY of the KEYSTORE. When the CA signed certificate is received, the "keytool -import" command would replace the existing certificate chain with the CA signed one:


A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.


Hope my interpretation is right.

Strictly speaking yes and no. When using certreq you don't have a self-signed cert. What you do is generate a key pair and a certificate request that includes the public key, for signature by a CA (internal or external).
With the genkey option you do create a self-signed cert.
_________________
MQ & Broker admin
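The following script is an added example, not code from any poster in this thread. It walks through the behaviour discussed above with keytool: the original poster's "Public keys in reply and keystore don't match" error when an unrelated certificate is imported under an existing private-key alias, the same certificate importing cleanly under its own alias, and the -certreq / CA reply cycle that replaces the self-signed chain under the original alias. Keystore paths, the password, aliases and DNs are constructed for the demo; it assumes a JDK 7 or later keytool on PATH (-gencert stands in for the CA).

```shell
#!/bin/sh
# Added example (not from the thread): one alias = one keystore entry, shown with keytool.
# All names, passwords and DNs below are constructed for the demo.
set -u
D=${TMPDIR:-/tmp}/ks-alias-demo; KS=$D/broker.jks; CA=$D/ca.jks; PW=changeit
kt() { keytool "$@" >/dev/null 2>&1; }   # quiet wrapper; returns keytool's exit status

# Returns 0 when every step behaves as the thread describes; a non-zero
# return value identifies the step that did not.
demo_alias_semantics() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping"; return 0; }
  rm -rf "$D" && mkdir -p "$D" || return 1
  # 1. -genkeypair (alias -genkey) always stores key pair + self-signed cert under ONE alias
  kt -genkeypair -keystore "$KS" -storepass "$PW" -keypass "$PW" -alias broker \
     -keyalg RSA -keysize 2048 -validity 30 -dname "CN=broker.example.test,O=Demo" || return 2
  # 2. an unrelated key + self-signed cert (stands in for the cert exported from cacerts)
  kt -genkeypair -keystore "$CA" -storepass "$PW" -keypass "$PW" -alias demo-ca \
     -keyalg RSA -keysize 2048 -validity 30 -dname "CN=Demo CA,O=Demo" -ext bc:c || return 3
  kt -exportcert -keystore "$CA" -storepass "$PW" -alias demo-ca -rfc -file "$D/ca.pem" || return 4
  # 3. importing it under the existing private-key alias is treated as a CA *reply*;
  #    its public key is not the one stored under "broker", so keytool rejects it
  if kt -importcert -noprompt -keystore "$KS" -storepass "$PW" -keypass "$PW" \
        -alias broker -file "$D/ca.pem"; then return 5; fi
  # 4. the same file imports fine under its own alias, as a trusted-cert entry
  kt -importcert -noprompt -keystore "$KS" -storepass "$PW" -alias demo-ca -file "$D/ca.pem" || return 6
  keytool -list -keystore "$KS" -storepass "$PW" 2>/dev/null \
      | grep -q '^demo-ca,.*trustedCertEntry' || return 7
  # 5. -certreq builds a CSR from the DN and private key already stored under "broker" ...
  kt -certreq -keystore "$KS" -storepass "$PW" -keypass "$PW" -alias broker -file "$D/broker.csr" || return 8
  # 6. ... the CA signs it (here -gencert with the demo CA key plays the CA) ...
  kt -gencert -keystore "$CA" -storepass "$PW" -keypass "$PW" -alias demo-ca -validity 30 \
     -infile "$D/broker.csr" -outfile "$D/broker.cer" || return 9
  # 7. ... and importing the reply under "broker" succeeds because the public key matches,
  #    replacing the one-element self-signed chain with the CA-signed chain (length 2)
  kt -importcert -noprompt -keystore "$KS" -storepass "$PW" -keypass "$PW" \
     -alias broker -file "$D/broker.cer" || return 10
  keytool -list -v -keystore "$KS" -storepass "$PW" -alias broker 2>/dev/null \
      | grep -q 'Certificate chain length: 2' || return 11
  return 0
}

demo_alias_semantics && echo "all steps behaved as described in the thread"
```

Step 7 only succeeds because the signer's certificate was imported as a trusted entry in step 4; against a real CA the same role is played by the root and intermediate certificates (or -trustcacerts).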