ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityPublic & private key in Queue Manager keystores

Post new topicReply to topic
Public & private key in Queue Manager keystores View previous topic :: View next topic
Author Message
Mangesh1187
PostPosted: Sun Nov 19, 2017 5:18 am Post subject: Public & private key in Queue Manager keystores Reply with quote

Centurion

Joined: 23 Mar 2013
Posts: 101

Have a query about SSL certificates and keys.

We ususally follow the below steps to prepare the MQenvironment for SSL/TLS (using GSK utility) :

#1. Create keydb
It will crete qm.kdb , qm.rdb , qm.crl , qm.req files . (qm. is the QM in ths example)
#2. Create certificate request
#3. Send the cert request file to the CA
#4. Receive the Signed Certificate from the CA.
#5. Import that CA signed certificate using 'import' option & add CA root and intermadiate certificates using 'add' option.
#6. COnfigure the QM & SSL attibutes to use SSL.

I am really querious about :
In step #4 we received the signed certificate from CA. At the bottom its mentioned the section under the heads ,
BEGIN CERTIFICATE & END CERTIFICATE . Is this the Public key of QM or tis this the public key of CA who signed the certificate ?

Where we can see the private key of QM that will be used for the Decryption?
Back to top
View user's profile Send private message
tczielke
PostPosted: Sun Nov 19, 2017 6:08 am Post subject: Reply with quote

Yatiri

Joined: 08 Jul 2010
Posts: 663
Location: Illinois, USA

In #4, you are receiving a personal certificate that includes your public key and is signed by the CA's private key.

I am not aware of a runmqakm/runmqckm command that can print the private key, but I am pretty sure you could display it by using the "runmqakm -cert -export" command to export your personal cert/private key to a .p12 file and then using a tool like openssl to display the private key from the .p12 file. However, you should for the most part never do this (display your private key) unless this is some kind of sandbox, as you never want your private key exposed in this way. If anyone gets your private key, you no longer have a secure system.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
Mangesh1187
PostPosted: Mon Nov 20, 2017 10:14 pm Post subject: Reply with quote

Centurion

Joined: 23 Mar 2013
Posts: 101

Thanks tczielke for yoru reply.

I have a query related to the same.
When does the private & public keys are created :

Is it when we created the cert store (as in step #1) ?
OR
Is it when we create a certificate request (as in step #2) ?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Nov 21, 2017 5:50 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19424
Location: LI,NY

Mangesh1187 wrote:
Thanks tczielke for yoru reply.

I have a query related to the same.
When does the private & public keys are created :

Is it when we created the cert store (as in step #1) ?
OR
Is it when we create a certificate request (as in step #2) ?

In step 2 when you create the request the key pair is being created.
The public key is then sent to the CA for signing. You upload the signed key when accepting the X509 cert signed by the CA.

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
tczielke
PostPosted: Tue Nov 21, 2017 5:55 am Post subject: Reply with quote

Yatiri

Joined: 08 Jul 2010
Posts: 663
Location: Illinois, USA

I am pretty sure the private/public key pair is created when you run the "runmqakm -certreq -create" command. The creation of the private/public key is based on the "-size" argument that you pass into that command.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
tczielke
PostPosted: Tue Nov 21, 2017 6:22 am Post subject: Reply with quote

Yatiri

Joined: 08 Jul 2010
Posts: 663
Location: Illinois, USA

The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Nov 21, 2017 6:35 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19424
Location: LI,NY

tczielke wrote:
The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.

You meant to say:
So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs, one pair for each of these personal certificates.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
tczielke
PostPosted: Tue Nov 21, 2017 6:38 am Post subject: Reply with quote

Yatiri

Joined: 08 Jul 2010
Posts: 663
Location: Illinois, USA

fjb_saper wrote:
tczielke wrote:
The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.

You meant to say:
So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs, one pair for each of these personal certificates.


Yes.

I was trying to reword that last sentence and then typed something misleading/incorrect. I was trying to say "So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs. One pair for each of these personal certificates."
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
Mangesh1187
PostPosted: Mon Nov 27, 2017 3:26 am Post subject: Reply with quote

Centurion

Joined: 23 Mar 2013
Posts: 101

Thanks all.

Again back to the same question.
In cert request we can see the public key. Where can & how can we see the private key ?

As of now I am aware that we should not play with the private keys. But out of curiosity , if there any chance if we can view the Priavate key as well given that we have all access to the kdb. ?
Back to top
View user's profile Send private message
tczielke
PostPosted: Mon Nov 27, 2017 7:47 am Post subject: Reply with quote

Yatiri

Joined: 08 Jul 2010
Posts: 663
Location: Illinois, USA

The following worked for me to see the private key:

Code:
runmqakm -cert -export -db key.kdb -label ibmwebspheremqQM1 -type cms -target QM1.p12 -target_type pkcs12
openssl pkcs12 -in QM1.p12 -out QM1.pem
openssl rsa -text -in QM1.pem


NOTE: This is an RSA key example.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityPublic & private key in Queue Manager keystores
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.