gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Sun Jun 10, 2018 10:47 pm  Post subject: Question: config SSL connection between two different platforms
Currently I have two platforms, and I am trying to configure SSL between them. One is a Linux platform, the other is an MF platform.
Linux is the sender side. MF is the receiver side.
On the Linux side:
1. Create key.kdb on the Linux side
runmqakm -keydb -create -db key.kdb -pw 12345 -type cms -expire 365 -stash
2. Create a self-signed certificate
runmqakm -cert -create -db key.kdb -pw 12345 -label ibmwebspheremqtest1 -dn "CN=MANOJ,O=ABC,C=US" -size 1024 -x509version 3 -expire 365
3. Extract the self-signed certificate from key.kdb, which is the public cert of TEST1
runmqakm -cert -extract -db key.kdb -pw 12345 -label ibmwebspheremqtest1 -target test1.arm -format ascii
The last thing is to import the .arm file from the Linux platform into MF's key.kdb?
Is the process right?
Thanks a lot

Vitor (Grand High Poobah, joined 11 Nov 2005, 26093 posts, location: Texas, USA)
Posted: Mon Jun 11, 2018 4:55 am  Post subject: Re: Question: config SSL connection between two different platforms
gaorenwei wrote:
> The last thing is to import the .arm file from the Linux platform into MF's key.kdb?
> Is the process right?
Conceptually, yes, but if you're talking to an MF that's running z/OS, not zLinux, then the key store is more likely to be held by RACF / ACF2 / whatever's running security on z/OS.
Speak to your MF sys progs for details.
_________________
Honesty is the best policy.
Insanity is the best defence.

gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Tue Jun 12, 2018 5:50 pm
Hi Vitor, thank you for replying to me.
Currently I think my process is not right. I generate a key. I have sent my cert to IBMCA. I get three files: a root cert, an intermediate cert and cert.crt.
I have used runmqakm to add the root cert and intermediate cert into the keydb. I checked the docs, but I can't receive cert.crt into the keydb.
I use the command runmqakm -cert -receive -db key.kdb -stashed -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
Which part is wrong?

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Tue Jun 12, 2018 8:50 pm
gaorenwei wrote:
> Hi Vitor, thank you for replying to me.
> Currently I think my process is not right. I generate a key. I have sent my cert to IBMCA. I get three files: a root cert, an intermediate cert and cert.crt.
> I have used runmqakm to add the root cert and intermediate cert into the keydb. I checked the docs, but I can't receive cert.crt into the keydb.
> I use the command runmqakm -cert -receive -db key.kdb -stashed -file cert.crt
> But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
> Which part is wrong?
Do not generate a key. Use runmqckm/runmqakm to generate a certificate request. Have the request signed. Generating the cert request will generate a key that will be hidden in the keystore.
_________________
MQ & Broker admin

gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Tue Jun 12, 2018 10:53 pm
Thanks fjb_saper.
I have used runmqakm -certreq to generate a cert request.
Currently I get caintermediatecert.der, carootcert.der and cert.crt from IBMCA.
I have used the command runmqakm -cert -add to add caintermediatecert.der and carootcert.der into key.kdb.
What should I do with cert.crt?

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Wed Jun 13, 2018 2:52 am
gaorenwei wrote:
> Thanks fjb_saper.
> I have used runmqakm -certreq to generate a cert request.
> Currently I get caintermediatecert.der, carootcert.der and cert.crt from IBMCA.
> I have used the command runmqakm -cert -add to add caintermediatecert.der and carootcert.der into key.kdb.
> What should I do with cert.crt?
runmqakm -cert -receive -file cert.crt ....

gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Wed Jun 13, 2018 5:18 am
Thanks fjb_saper.
I have run the command runmqakm -cert -receive -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Wed Jun 13, 2018 1:12 pm
gaorenwei wrote:
> Thanks fjb_saper.
> I have run the command runmqakm -cert -receive -file cert.crt
> But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
So you need to verify that the DN on the cert matches the DN on your request...

gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Wed Jun 13, 2018 10:37 pm
Thanks fjb_saper.
But if I run the command runmqakm -cert -add -db key.kdb -stashed -file cert.crt, the feedback is: A duplicate certificate already exists in the database.
The key already exists in the database. Why can't I use receive for it? I'm very confused.

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Wed Jun 13, 2018 11:30 pm
gaorenwei wrote:
> Thanks fjb_saper.
> But if I run the command runmqakm -cert -add -db key.kdb -stashed -file cert.crt, the feedback is: A duplicate certificate already exists in the database.
> The key already exists in the database. Why can't I use receive for it? I'm very confused.
List all the certs and post the result here.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

gaorenwei (Apprentice, joined 16 May 2018, 29 posts)
Posted: Wed Jun 13, 2018 11:51 pm
Thanks exerk.
When I use ls -al:
-rw-r--r--. 1 mqm mqm 1294 May 16 01:11 caintermediatecert.der
-rw-r--r--. 1 mqm mqm 1001 May 16 01:10 carootcert.der
-rw-------. 1 mqm mqm 1532 Jun 12 02:03 cert.crt
-rw-------. 1 mqm mqm 997 Jun 11 22:58 dst1.csr
-rw-------. 1 mqm mqm 88 Jun 11 22:37 key.crl
-rw-------. 1 mqm mqm 15088 Jun 14 01:17 key.kdb
-rw-------. 1 mqm mqm 88 Jun 12 01:30 key.rdb
-rw-------. 1 mqm mqm 129 Jun 11 22:37 key.sth
-bash-4.1$ runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! rootcert
! intermediatecert
- ibmwebspheremqdst1

exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Thu Jun 14, 2018 12:07 am
Looks like you did a receive; however, I suggest you list the details of the personal cert to be sure.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI, NY)
Posted: Thu Jun 14, 2018 2:05 am
You have to be careful with the signed personal cert. You should never add it to the truststore; instead, always receive it into the keystore.
Use IBM's graphical key management utility and check if you have a cert request in the keystore. Potentially the same result as
runmqakm -certreq -list
If you see an entry there for your qmgr, i.e. ibmwebspheremqdst1, then you need to delete the certificate from your truststore (you did an add instead of a receive) and run runmqakm -cert -receive.
Have fun
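The check fjb_saper and exerk describe above (does the qmgr label show up as a personal entry, or as a trusted entry with its request still pending?) can be automated over the two listings. The code below is an added example, not from the thread or from IBM MQ; it assumes each listing begins with a header line ending in "found", that the cert listing carries the legend shown in the thread, and that runmqakm -certreq -list prints one label per line. The sample listing is constructed.

```python
# Added example, not from the thread or IBM MQ: classify a key database's
# state from the text "runmqakm -cert -list" and "runmqakm -certreq -list"
# print, so a received personal cert can be told from one wrongly added as
# trusted. Assumptions: each listing begins with a header line ending in
# "found"; the request listing prints one label per line. Samples constructed.

MARKERS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret"}

def parse_cert_list(output):
    """Map label -> kind ('personal', 'trusted' or 'secret')."""
    certs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("found") or line.startswith("* default,"):
            continue  # header line or marker legend
        n = 0
        while n < len(line) and line[n] in MARKERS:
            n += 1  # an entry may carry several markers, e.g. "*-" for the default
        if n == 0:
            continue  # not an entry line
        kinds = {MARKERS[c] for c in line[:n]}
        certs[line[n:].strip()] = "personal" if kinds & {"personal", "default"} else kinds.pop()
    return certs

def parse_certreq_list(output):
    """Set of pending request labels."""
    lines = [l.strip() for l in output.splitlines()]
    return {l for l in lines if l and not l.endswith("found")}

def diagnose(label, cert_list_output, certreq_list_output):
    """Return (state, advice) for the queue manager's certificate label."""
    kind = parse_cert_list(cert_list_output).get(label)
    pending = label in parse_certreq_list(certreq_list_output)
    if kind == "personal":
        return "received", "personal entry present; check it with runmqakm -cert -details"
    if kind == "trusted" and pending:
        return "added-not-received", "delete the trusted copy, then runmqakm -cert -receive"
    if kind is None and pending:
        return "pending", "request exists, no cert yet; runmqakm -cert -receive the CA file"
    if kind is None:
        return "no-request", "no request for this label; CTGSK3034W on receive is expected"
    return "unexpected", "label is a %s entry with no pending request" % kind

# Constructed sample: the listing posted in the thread, with no pending request.
SAMPLE_CERTS = """Certificates found
* default, - personal, ! trusted, # secret key
! rootcert
! intermediatecert
- ibmwebspheremqdst1
"""
SAMPLE_REQS = "Certificate requests found\n"
```

Running diagnose("ibmwebspheremqdst1", SAMPLE_CERTS, SAMPLE_REQS) on the constructed sample reports the "received" state, matching exerk's reading of the listing.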