SSL configuration in MQ client
srikanthc60
Posted: Thu Mar 03, 2016 6:59 pm Post subject: SSL configuration in MQ client
Voyager
Joined: 21 Jul 2013 Posts: 79
Our client wants to connect to the MQ server using the MQ client over SSL using CA certs.
On the MQ client side, they generated a CSR and received signed certificates from the CA.
They have added the CA certs under the Signer Certificate section. After that, when trying to 'Receive' the official signed certificate under the Personal Certificate section, they are getting an error like Certificate request not found.
I noticed that they have generated the CSR file using a label name that has CAPS in it, 'ibmwebspheremqABCSDSS' (ABCSDSS is the service account of the server), whereas I asked them to use a label in all lowercase before generating the CSR.
Is the label name being in UPPERCASE the reason why he was not able to 'Receive' the official signed certificate?
Any help is appreciated!!
Thanks to all in advance!!
mqjeff
Posted: Fri Mar 04, 2016 6:03 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
The label name should have nothing to do with the action of iKeyman to handle certificates.
It's only used by MQ to identify which certificate in a keystore should be used.
MQ will never be able to find a certificate with a label in all caps, so you were right to get them to change it.
They will need to receive the certificate in the same keystore that they generated the CSR in.
_________________
chmod -R ugo-wx /
srikanthc60
Posted: Fri Mar 04, 2016 6:31 am Post subject:
Voyager
Joined: 21 Jul 2013 Posts: 79
Thanks for the reply, mqjeff!!!
They are receiving the certificate into the same key store where he generated the CSR. Yet they are getting the error that no certificate request was found.
I will ask them to regenerate the CSR with the label name all in lower case.
fjb_saper
Posted: Fri Mar 04, 2016 9:22 am Post subject: Re: SSL configuration in MQ client
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
srikanthc60 wrote:
"Our client wants to connect to the MQ server using the MQ client over SSL using CA certs.
On the MQ client side, they generated a CSR and received signed certificates from the CA.
They have added the CA certs under the Signer Certificate section. After that, when trying to 'Receive' the official signed certificate under the Personal Certificate section, they are getting an error like Certificate request not found.
I noticed that they have generated the CSR file using a label name that has CAPS in it, 'ibmwebspheremqABCSDSS' (ABCSDSS is the service account of the server), whereas I asked them to use a label in all lowercase before generating the CSR."
There are a few things that strike me as strange here.
Let's keep using naming conventions from before MQ8.
For the client cert I would expect the cert label to be (all lower case) ibmwebspheremqclientid. So using the service account on the server begs the question: which server and which service account?
If it is the client application's service account on whichever server the client application is running, this would be the expected thing. Also make sure the CSR is generated with an appropriate size key. Anything to do with FIPS should have a 2048 key as a minimum these days.
However, queue managers running on an obsolete and unsupported version may not be able to handle a keysize > 1024... or the more exotic Elliptic Curve cryptography algorithms ...
_________________
MQ & Broker admin
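Added example, not part of any post in this thread: a shell sketch of the points raised in the replies (lower-case label, 2048-bit key, receiving into the keystore that created the CSR), using IBM's runmqakm command-line tool in place of the iKeyman GUI. KDB, KDB_PW, the function names and the file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; KDB and KDB_PW are placeholders for the client keystore
# path and its password, not values taken from the thread.

# Pre-MQ8 convention from the thread: "ibmwebspheremq" + client user ID,
# all lower case.
mq_client_label() {
    printf 'ibmwebspheremq%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Create the CSR. The pending request and its private key stay in $KDB,
# so the signed certificate must later be received into this same file.
create_csr() {   # usage: create_csr <userid> <dn> <csr-file>
    label=$(mq_client_label "$1")
    runmqakm -certreq -create -db "$KDB" -pw "$KDB_PW" \
        -label "$label" -dn "$2" -size 2048 -file "$3"
}

# Receive the signed certificate only if $KDB still lists the pending
# request under the expected label; otherwise stop with a clear message
# instead of running into "certificate request not found".
receive_cert() { # usage: receive_cert <userid> <signed-cert-file>
    label=$(mq_client_label "$1")
    if ! runmqakm -certreq -list -db "$KDB" -pw "$KDB_PW" \
            | grep -qwF -- "$label"; then
        echo "no pending request '$label' in $KDB: check keystore and label" >&2
        return 1
    fi
    runmqakm -cert -receive -db "$KDB" -pw "$KDB_PW" \
        -file "$2" -format ascii
}
```

The match on the request list is case-sensitive, so a request created as ibmwebspheremqABCSDSS is reported as missing rather than silently accepted.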