  MQSeries.net
Question config ssl connect between two different platform
gaorenwei
PostPosted: Sun Jun 10, 2018 10:47 pm    Post subject: Question config ssl connect between two different platform

Apprentice

Joined: 16 May 2018
Posts: 29

Currently, I have two platforms, and I am trying to configure SSL between the two platforms. One is a Linux platform, the other is an MF platform.
Linux is the sender side. MF is the receiver side.

On the Linux side:
1. Create key.kdb on the Linux side
runmqakm -keydb -create -db key.kdb -pw 12345 -type cms -expire 365 -stash
2. Create a self-signed certificate
runmqakm -cert -create -db key.kdb -pw 12345 -label ibmwebspheremqtest1 -dn "CN=MANOJ,O=ABC,C=US" -size 1024 -x509version 3 -expire 365
3. Extract the self-signed certificate from the key.kdb, which is the public cert of TEST1
runmqakm -cert -extract -db key.kdb -pw 12345 -label ibmwebspheremqtest1 -target test1.arm -format ascii

The last thing is to import the .arm file of the Linux platform into MF's key.kdb?

Is the process right?
Thanks a lot
Vitor
PostPosted: Mon Jun 11, 2018 4:55 am    Post subject: Re: Question config ssl connect between two different platfo

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

gaorenwei wrote:
The last thing is to import the .arm file of the Linux platform into MF's key.kdb?

Is the process right?


Conceptually, yes, but if you're talking to an MF that's running z/OS, not zLinux, then the key store is more likely to be held by RACF / ACF2 / whatever's running security on z/OS.

Speak to your MF sys progs for details.
_________________
Honesty is the best policy.
Insanity is the best defence.
gaorenwei
PostPosted: Tue Jun 12, 2018 5:50 pm    Post subject:

Apprentice

Joined: 16 May 2018
Posts: 29

Hi Vitor, thank you for replying to me.
Currently, I think my process is not right. I generated a key. I have sent my cert to IBMCA. I got three files: the root cert, the intermediate cert and cert.crt.
I have used runmqakm to add the root cert and the intermediate cert into the keydb. I checked the docs, but I can't receive cert.crt into the keydb.
I used the command runmqakm -cert -receive -db key.kdb -stashed -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
Which part is wrong?
fjb_saper
PostPosted: Tue Jun 12, 2018 8:50 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

gaorenwei wrote:
Hi Vitor, thank you for replying to me.
Currently, I think my process is not right. I generated a key. I have sent my cert to IBMCA. I got three files: the root cert, the intermediate cert and cert.crt.
I have used runmqakm to add the root cert and the intermediate cert into the keydb. I checked the docs, but I can't receive cert.crt into the keydb.
I used the command runmqakm -cert -receive -db key.kdb -stashed -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
Which part is wrong?

Do not generate a key. Use runmqckm/runmqakm to generate a certificate request. Have the request signed. Generating the cert request will generate a key that will be hidden in the keystore.
_________________
MQ & Broker admin
gaorenwei
PostPosted: Tue Jun 12, 2018 10:53 pm    Post subject:

Apprentice

Joined: 16 May 2018
Posts: 29

Thanks, fjb_saper.
I have used runmqakm -certreq to generate a cert.
Currently, I get caintermediatecert.der, carootcert.der and cert.crt from IBMCA.
I have used the command runmqakm -cert -add to add caintermediatecert.der and carootcert.der into key.kdb.
What should I do with cert.crt?
fjb_saper
PostPosted: Wed Jun 13, 2018 2:52 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

gaorenwei wrote:
Thanks, fjb_saper.
I have used runmqakm -certreq to generate a cert.
Currently, I get caintermediatecert.der, carootcert.der and cert.crt from IBMCA.
I have used the command runmqakm -cert -add to add caintermediatecert.der and carootcert.der into key.kdb.
What should I do with cert.crt?

runmqakm -cert -receive -file cert.crt ....
_________________
MQ & Broker admin
gaorenwei
PostPosted: Wed Jun 13, 2018 5:18 am    Post subject:

Apprentice

Joined: 16 May 2018
Posts: 29

Thanks, fjb_saper.
I have run the command runmqakm -cert -receive -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.
fjb_saper
PostPosted: Wed Jun 13, 2018 1:12 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

gaorenwei wrote:
Thanks, fjb_saper.
I have run the command runmqakm -cert -receive -file cert.crt
But the feedback is: CTGSK3034W The certificate request created for the certificate is not in the key database.

So you need to verify that the DN on the cert matches the DN on your request...
_________________
MQ & Broker admin
gaorenwei
PostPosted: Wed Jun 13, 2018 10:37 pm    Post subject:

Apprentice

Joined: 16 May 2018
Posts: 29

Thanks, fjb_saper.
But if I run the command runmqakm -cert -add -db key.kdb -stashed -file cert.crt, the feedback is: A duplicate certificate already exists in the database.

The key already exists in the database. Why can't I use receive for it? I'm very confused.
exerk
PostPosted: Wed Jun 13, 2018 11:30 pm    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

gaorenwei wrote:
Thanks, fjb_saper.
But if I run the command runmqakm -cert -add -db key.kdb -stashed -file cert.crt, the feedback is: A duplicate certificate already exists in the database.

The key already exists in the database. Why can't I use receive for it? I'm very confused.

List all the certs and post the result here.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
gaorenwei
PostPosted: Wed Jun 13, 2018 11:51 pm    Post subject:

Apprentice

Joined: 16 May 2018
Posts: 29

Thanks, exerk.
When I use ls -al:
-rw-r--r--. 1 mqm mqm 1294 May 16 01:11 caintermediatecert.der
-rw-r--r--. 1 mqm mqm 1001 May 16 01:10 carootcert.der
-rw-------. 1 mqm mqm 1532 Jun 12 02:03 cert.crt
-rw-------. 1 mqm mqm 997 Jun 11 22:58 dst1.csr
-rw-------. 1 mqm mqm 88 Jun 11 22:37 key.crl
-rw-------. 1 mqm mqm 15088 Jun 14 01:17 key.kdb
-rw-------. 1 mqm mqm 88 Jun 12 01:30 key.rdb
-rw-------. 1 mqm mqm 129 Jun 11 22:37 key.sth

-bash-4.1$ runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! rootcert
! intermediatecert
- ibmwebspheremqdst1
exerk
PostPosted: Thu Jun 14, 2018 12:07 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Looks like you did a receive, however, I suggest you list the details of the personal cert to be sure.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
PostPosted: Thu Jun 14, 2018 2:05 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You have to be careful with the signed personal cert. You should never add it to the truststore, instead always receive it to the keystore.

Use IBM's graphical key management utility and check if you have a cert request in the keystore. Potentially same result as
runmqakm -certreq -list

If you see an entry there for your qmgr i.e. ibmwebspheremqdst1 then you need to delete the certificate from your truststore (you did an add instead of receive) and run runmqakm -cert -receive.

Have fun
_________________
MQ & Broker admin
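The sequence the replies converge on (certificate request, add the CA chain, receive the signed personal cert) together with a check on the `-cert -list` output that tells a received personal cert from one wrongly added to the truststore, as an added example that is not from the thread or from IBM. The DN, key database name, file names and label are assumed; only the listing check runs offline, the runmqakm function is there to be read.

```shell
# Added example, not from the thread. Assumed: key.kdb in the current
# directory, queue manager label ibmwebspheremqdst1, placeholder DN.
set -eu
KDB=key.kdb
LABEL=ibmwebspheremqdst1   # must match the label the queue manager looks up

# CA-signed sequence from the replies: -certreq keeps the private key in
# key.kdb and the pending request in key.rdb; -cert -receive matches the
# signed cert to that request, so CTGSK3034W means the request is gone or
# the cert was -add'ed to the truststore instead of received.
request_and_receive() {
    runmqakm -keydb -create -db "$KDB" -pw "$1" -type cms -stash
    runmqakm -certreq -create -db "$KDB" -stashed -label "$LABEL" \
        -dn "CN=EXAMPLE-QMGR,O=EXAMPLE,C=US" -size 2048 -file dst1.csr
    # ... send dst1.csr to the CA; it returns carootcert.der,
    #     caintermediatecert.der and the signed cert.crt ...
    runmqakm -cert -add -db "$KDB" -stashed -label rootcert -file carootcert.der
    runmqakm -cert -add -db "$KDB" -stashed -label intermediatecert \
        -file caintermediatecert.der
    runmqakm -certreq -list -db "$KDB" -stashed   # the request must still be listed
    runmqakm -cert -receive -db "$KDB" -stashed -file cert.crt
}

# Classify how a label appears in `runmqakm -cert -list` output read from
# stdin: "personal" ("-", private key present, i.e. received), "trusted"
# ("!", added as a CA cert by mistake) or "missing".
cert_kind() {
    awk -v want="$1" '
        /^\*?[-!#]/ {
            line = $0
            sub(/^\*/, "", line)                 # drop the default marker
            kind = substr(line, 1, 1)
            sub(/^[-!#][ \t]*/, "", line)        # strip marker, keep label
            if (line == want) found = kind
        }
        END {
            if (found == "-") print "personal"
            else if (found == "!") print "trusted"
            else print "missing"
        }'
}

# Constructed listing in the format the thread shows (not real output).
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!   rootcert
!   intermediatecert
-   ibmwebspheremqdst1'
printf '%s\n' "$SAMPLE_LISTING" | cert_kind "$LABEL"   # prints: personal
```

If `cert_kind` reports `trusted` for the queue manager label, the personal cert was added rather than received, which is the situation fjb_saper describes: delete it and run `-cert -receive` against the still-listed request.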