Problems with SSL
ttechsavvy
Posted: Wed Sep 09, 2020 6:04 am Post subject: Problems with SSL
Novice
Joined: 09 Sep 2020 Posts: 10
Hello!
I started two months ago at a new job and one of my first "tasks" is to set up IBM MQ for other companies to send us messages. This is the first time that I've touched and configured IBM MQ.
I've set up MQ on one node with a basic configuration (local queue, channel, listener) in a test environment. Later on, when messages and the connection to our partner are up, I'm planning to configure RDMQ.
The problem that I have is with certificates. Our partner sent us Root and Intermediate certs, which I added to the queue manager keystore. Added SSLCIPH to channels and refreshed security like the documentation says. I will add the commands showing how I did it at the end of the post.
Now when the partner pings our channel he gets this error:
Code:
AMQ9665: SSL connection closed by remote end of channel
EXPLANATION:
The SSL or TLS connection was closed by the remote host '******
(******)(***)' during the secure socket handshake. The channel is
'*********'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
Does anybody have a clue what can be wrong or misconfigured?
Commands I used to add the certificates to the qmgr keystore:
Code:
/runmqckm -cert -add -db ---.kdb -stashed -file root.cer -label "****"
/runmqckm -cert -add -db ---.kdb -stashed -file intermediate.cer -label "****"
As there is so much to learn and read about IBM MQ, I might have missed something..
Thanks
Vitor
Posted: Wed Sep 09, 2020 10:01 am Post subject: Re: Problems with SSL
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ttechsavvy wrote:
    I might have missed something.
Where are the commands to set up a personal certificate for the queue manager that it can exchange with the remote queue manager?
How will the remote queue manager know to trust your one?
_________________
Honesty is the best policy.
Insanity is the best defence.
ttechsavvy
Posted: Thu Sep 10, 2020 10:19 pm Post subject:
Novice
Joined: 09 Sep 2020 Posts: 10
Thanks for the reply!
I managed to get it working in my localhost "playground" with self-signed certificates. Created two keystores, two personal certificates and added the public part to the valid keystore. Messages are coming through, so everything seems fine with that.
But with the partner - I also have to set up a personal certificate signed by a CA and send the root and intermediate certs to the partner?
Process for connecting with the partner, correct me if I am getting something wrong:
1. Create CSR request from keystore
Code:
runmqakm -certreq -create -db ---.kdb -stashed -label mylabel -san_dnsname dnsname -dn "CN=example, O=mycompany, L=Utah, C=US" -size 2048 -file cert.csr
2. Order and get certificates from CA with CSR
3. Receive CA certificate into keystore
Code:
runmqakm -cert -receive -db ---.kdb -stashed -file CA.crt
4. Add Root and Intermediate certs to keystore
Code:
runmqakm -cert -add -db ---.kdb -stashed -label "ROOT" -file ROOT.crt -format ascii
runmqakm -cert -add -db ---.kdb -stashed -label "INTERMEDIATE" -file INTERMEDIATE.crt -format ascii
5. Send these Intermediate and Root certificates to partner
6. Also set up a sender channel
7. Refresh security
Again, I am pretty new at this, so my apologies.
Thanks
Vitor
Posted: Fri Sep 11, 2020 5:16 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ttechsavvy wrote:
    But with the partner - I have to also set up personal certificate signed with CA and sent root and intermediate certs to partner?
Unless they happen to trust the same CA.
This is SSL rather than MQ. The only difference is that in HTTPS, a lot of the work is done out of sight of humans by the browser and the web server. You'll notice most modern web browsers put a little padlock on the URL address bar when they've worked this out, and throw a variety of warning pages ("This connection is not secure") if they can't verify the address of the web server or it's verified by a CA they don't trust.
ttechsavvy wrote:
    Process connecting with partner, correct me if I am getting something wrong:
    ...
Try it. If it works, you're not getting something wrong. Experience is the best teacher.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Fri Sep 11, 2020 8:48 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Does the label on your certificate match that of the channel?
From the Knowledge Centre:
Quote:
    The QMGR CERTLABL is still checked and validated, even if CHANNEL CERTLABL is being used. The channel program needs to access a certificate with the label name, ibmwebspheremq, appended with the name of the queue manager, all in lowercase. For example, with a queue manager named QM1, the default certificate label is ibmwebspheremqqm1.
    This rule applies even when you are using the CERTLABL attribute on the channel to tell the queue manager to use a different certificate from ibmwebspheremq appended with the queue manager name all in lowercase.
My emphasis on that last part...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
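Added example, not code from this thread or from IBM: a POSIX sh check that applies exerk's label rule to the procedure in ttechsavvy's second post, reporting which personal certificate labels the queue manager (and an optional channel CERTLABL) would need but cannot find, so a keystore holding only the partner's Root and Intermediate certs (the situation in the first post) is flagged before anyone stares at AMQ9665 again. The keystore listing format, the queue manager name QM1 and the label PARTNERCERT are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or IBM): find the personal certificate
# labels a queue manager will look for and report which ones are absent.
# Rule from the thread: the qmgr needs a personal cert labelled
# ibmwebspheremq<qmgr name in lowercase> (or its own CERTLABL), and that is
# still required even when a channel CERTLABL names a different certificate.

# Default label: "ibmwebspheremq" + queue manager name in lowercase.
default_certlabl() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Labels of personal certificates (entries with a private key) in a listing.
# Assumed format, modelled on `runmqakm -cert -list`: a marker ('-' personal,
# '*' default, '!' trusted), a tab, then the label. Check against real output.
personal_labels() {
    printf '%s\n' "$1" | awk -F '\t' 'NF == 2 && $1 ~ /[-*]/ { print $2 }'
}

# Print each required label that has no personal certificate in the listing.
# $1 listing, $2 qmgr name, $3 qmgr CERTLABL ('' = default), $4 channel CERTLABL ('' = none)
missing_labels() {
    listing=$1; qm_label=${3:-$(default_certlabl "$2")}; ch_label=$4
    for want in "$qm_label" "$ch_label"; do
        [ -n "$want" ] || continue
        personal_labels "$listing" | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed listings (sample data, not captured from any system).
# 1: only the partner's CA certs were added, as in the first post.
ONLY_CA=$(printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n!\tROOT\n!\tINTERMEDIATE\n')
# 2: the CA-signed personal cert was received under the default label for QM1.
WITH_PERSONAL=$(printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n-\tibmwebspheremqqm1\n!\tROOT\n!\tINTERMEDIATE\n')

# Demo: the first keystore is missing ibmwebspheremqqm1, the second is complete.
echo "only CA certs -> missing: $(missing_labels "$ONLY_CA" QM1 '' '')"
echo "with personal -> missing: $(missing_labels "$WITH_PERSONAL" QM1 '' '')"
```

On a real system, replace the constructed listings with the output of `runmqakm -cert -list -db <your>.kdb -stashed` and pass the queue manager's CERTLABL and the channel's CERTLABL as shown in DISPLAY QMGR / DISPLAY CHANNEL.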