DeonM
Posted: Fri Aug 25, 2017 6:59 am
Post subject: ssl CA Signed certificates.
Newbie, Joined: 23 May 2008, Posts: 6
Hi,
Tested with self-signed certificates between 2 queue managers on the same AIX host successfully.
Now trying to use CA signed certificates on 2 different AIX hosts.
The sender channels just stay in a binding state from both hosts. If tested without SSL it goes running.
QM1 - personal cert ibmwebspheremqqm1
    - signer certificates - the complete CA chain.
qm2 - personal cert ibmwebspheremqqm2
    - signer certificates - the complete CA chain
Can it be something with the size of the key (4096) or MTU on the network?
Thanks in advance
Deon.
bruce2359
Posted: Fri Aug 25, 2017 8:14 am
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
What errors have you found in the error logs?

I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
JosephGramig
Posted: Fri Aug 25, 2017 8:56 am
Grand Master, Joined: 09 Feb 2006, Posts: 1244, Location: Gold Coast of Florida, USA
Something is missing in the Qmgr .kdb files or you didn't refresh security correctly.
A Qmgr KDB file needs:
- Personal Cert
- CA Signer cert chain of its personal cert
- CA Signer cert chain of any Qmgr you want to trust
You only need to do a CHANNEL PING to find out if you have it right.
hughson
Posted: Fri Aug 25, 2017 2:57 pm
Post subject: Re: ssl CA Signed certificates.
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand
DeonM wrote:
    The sender channels just stay in a binding state from both hosts. If tested without ssl it goes running.

So you've looked at DISPLAY CHSTATUS and seen the field STATUS(BINDING). Can you tell us what the field SUBSTATE says? I expect SUBSTATE(SSLHANDSK).
Do you have OCSP configured? That can sometimes take a very long time to return the answer.
Cheers
Morag

Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
DeonM
Posted: Sun Aug 27, 2017 11:35 pm
Newbie, Joined: 23 May 2008, Posts: 6
Hi,
I've added the following lines in the qm.ini file. All working now. Thx so much Morag.
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
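An added example, not code from the thread or from IBM MQ: it parses the SSL stanza of a qm.ini in the format shown above and reports which revocation checks the queue manager will perform, so an admin can see both why the handshake stalled (OCSP lookups driven by the certificate's AIA extension) and what the fix trades away (with OCSPAuthentication=OPTIONAL a revoked certificate can still be accepted). The DEFAULTS values are the MQ documented defaults as I recall them and should be treated as an assumption; the sample stanza is constructed from the thread.

```python
import re

# Assumed MQ defaults (confirm against the qm.ini SSL stanza docs for your version).
DEFAULTS = {
    "OCSPAuthentication": "REQUIRED",
    "OCSPCheckExtensions": "YES",
    "CDPCheckExtensions": "YES",
}

# Constructed sample: the stanza the thread ends with.
THREAD_FIX = """\
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
"""

def parse_qm_ini(text):
    """Parse qm.ini text ('Stanza:' header lines, then Key=Value lines) into dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment in qm.ini
        if not line.strip():
            continue
        header = re.match(r"^(\w+):\s*$", line)  # e.g. 'SSL:' at column 0
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def revocation_report(text):
    """Return (effective SSL revocation settings, list of findings for the admin)."""
    ssl = parse_qm_ini(text).get("SSL", {})
    eff = {k: ssl.get(k, d).upper() for k, d in DEFAULTS.items()}
    findings = []
    if eff["OCSPCheckExtensions"] == "YES" and eff["OCSPAuthentication"] == "REQUIRED":
        findings.append("slow or unreachable OCSP responder blocks or fails the handshake")
    if eff["OCSPAuthentication"] == "OPTIONAL":
        findings.append("OCSP failures are tolerated: a revoked certificate may be accepted")
    if eff["OCSPCheckExtensions"] == "NO" and eff["CDPCheckExtensions"] == "NO":
        findings.append("AIA/CDP extensions are ignored: no revocation checking from the cert")
    return eff, findings

if __name__ == "__main__":
    effective, notes = revocation_report(THREAD_FIX)
    print(effective)
    for note in notes:
        print("-", note)
```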