ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » ssl CA Signed certificates.

Post new topic  Reply to topic
 ssl CA Signed certificates. « View previous topic :: View next topic » 
Author Message
DeonM
PostPosted: Fri Aug 25, 2017 6:59 am    Post subject: ssl CA Signed certificates. Reply with quote

Newbie

Joined: 23 May 2008
Posts: 6

Hi,

Tested with selfsiged certificates between 2 queue managers on the same AIX Host successfully.

Now trying to use CA signed Certificates on 2 different AIX hosts.

The sender channels just stay in a binding state from both hosts. If tested without ssl it goes running.

QM1 - personal cert ibmwebspheremqqm1
- signer sertificates - the complete ca chain.
qm2 - personal cert ibmwebspheremqqm2
- signer sertificates - the complete ca chain

Can it be something with the size of the key (4096) or MTU on the network ?

Thanks in advance
Deon.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri Aug 25, 2017 8:14 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

What errors have you found in the error logs?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Fri Aug 25, 2017 8:56 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

Something is missing in the Qmgr .kdb files or you didn't refresh security correctly.

A Qmgr KDB file needs:

  1. Personal Cert
  2. CA Signer cert chain of it's personal cert
  3. CA Signer cert chain of any Qmgr you want to trust


You only need to do a CHANNEL PING to find out if you have it right.
Back to top
View user's profile Send private message AIM Address
hughson
PostPosted: Fri Aug 25, 2017 2:57 pm    Post subject: Re: ssl CA Signed certificates. Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

DeonM wrote:
The sender channels just stay in a binding state from both hosts. If tested without ssl it goes running.

So you've looked at DISPLAY CHSTATUS and seen the field STATUS(BINDING). Can you tell us what the field SUBSTATE says? I expect SUBSTATE(SSLHANDSK).

Do you have OCSP configured? That can sometimes take a very long time to return the answer.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
DeonM
PostPosted: Sun Aug 27, 2017 11:35 pm    Post subject: Reply with quote

Newbie

Joined: 23 May 2008
Posts: 6

Hi,

I've added the following lines in the qm.ini file. All working now. Thx so much Morag.

SSL:
OCSPAuthentication=OPTIONAL
OCSPCheckExtensions=NO
CDPCheckExtensions=NO
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » ssl CA Signed certificates.
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.