ashokt
Posted: Thu Dec 01, 2022 12:38 am Post subject: CLIENT TO MQ SERVER ONE WAY SSL-Need Clarification.
Novice
Joined: 09 Oct 2022 Posts: 18
Hi Guys,
I need clarification between Client and MQ Server for one-way SSL.
What I did:
From client machine side.
-------------------------------
->Created kdb file
->Created personal certificate and created self signed certificate
->Extracted self signed and gave client.arm file to mq server side.
MQ Server side.
-----------------
->Created KDB file
->added client.arm file to kdb file (signer certificate)
->stopped the SVRCONN CHL
->alter the server connection channel with SSLCAUTH(optional) sslciph(required algorithm)
->altered client connection channel with SSLCIPH(same code as svrconn chl)
->ALTER QMGR SSLKEYR ('')
start the svrconn chl ->showing inactive mode.
->Refresh the security
->given tab file to client team
Client side:
=======
copy the tab file to the respective location and write the below commands for temporary use
SET MQSLLKEYR=C:\Users\testmq\temp\work\ssl\ckey
SET MQCHLLIB=C:\Users\testmq\temp\work
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSERVER=
When I used amqsputc MQSVR.QL
getting 2537 and SSL Repository error.
MQ SERVER SIDE ERROR LOG:
AMQ9639E: Remote channel 'TESTS.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'TESTS.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'XXX (172.XXX)'.
The channel did not start.
ACTION:
Change the remote channel 'TESTS.SVRCONN' on host 'XXXX'
(172.XXX.XX)' to specify a CipherSpec so that both ends of the channel have
Kindly advise.
NOTE:
===
When I install the MQ server certificate on the client machine (without installing the client certificate in the MQ server) it's working fine, as I chose SSLCAUTH(OPTIONAL) in the svrconn chl property. (This is also single way - MQ server cert installed on the client side, client cert not installed on the MQ server side.)
->When I tried two-way, with certs exchanged between client and MQ server, and chose SSLCAUTH(REQUIRED) at svrconn chl, it's working.
Regards,
exerk
Posted: Thu Dec 01, 2022 1:35 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Quote:
ALTER QMGR SSLKEYR ('')

How does the queue manager know the location of the key store to be used?
See this earlier post...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ashokt
Posted: Thu Dec 01, 2022 4:08 am Post subject:
Novice
Joined: 09 Oct 2022 Posts: 18
exerk wrote:
Quote:
ALTER QMGR SSLKEYR ('')
How does the queue manager know the location of the key store to be used?
See this earlier post...

This means - ALTER QMGR SSLKEYR ('given the path')
Want to know why the connection was not accepted by the MQ server after installing the CLIENT cert in the MQ server?
Please advise.
Regards,
Ashok
bruce2359
Posted: Thu Dec 01, 2022 5:49 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
ashokt wrote:
This means -ALTER QMGR SSLKEYR ('given the path')

Please don't make us guess as to what you have tried. Did you specify the SSLKEYR location? Then what happened?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
fjb_saper
Posted: Thu Dec 01, 2022 12:37 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
ashokt wrote:
NOTE:
===
When I install the MQ server certificate on the client machine (without installing the client certificate in the MQ server) it's working fine, as I chose SSLCAUTH(OPTIONAL) in the svrconn chl property. (This is also single way - MQ server cert installed on the client side, client cert not installed on the MQ server side.)
->When I tried two-way, with certs exchanged between client and MQ server, and chose SSLCAUTH(REQUIRED) at svrconn chl, it's working.
Regards,

Working as designed!
Don't know what you are complaining about. If you are using a client, the qmgr will always act as a server, and there is no one-way SSL possible where the only cert would be the client cert.
_________________
MQ & Broker admin
gbaddeley
Posted: Thu Dec 01, 2022 4:32 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
Self signed certificates are OK to demonstrate MQ SSL, but they are not a good idea in an enterprise situation or if there are many queue managers or channels. It creates a maintenance nightmare.
You should be using CA signed certificates, using a public CA or internal CA.
_________________
Glenn
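
A preflight check for the client-side settings listed in the first post, as an added example that is not part of the thread. It assumes a CMS key repository (`.kdb` plus `.sth` stash file) with MQSSLKEYR given as the file stem, and relies on two MQ client behaviours: a variable under any other name is never read, and a non-empty MQSERVER takes precedence over the CCDT and cannot carry a CipherSpec. `check_client_env` is a hypothetical helper name.

```python
import difflib
import os
from pathlib import Path

# IBM MQ client environment variables used in the thread.
KNOWN = ("MQSSLKEYR", "MQCHLLIB", "MQCHLTAB", "MQSERVER")


def check_client_env(env):
    """Return findings for a CCDT-based TLS client environment (hypothetical helper)."""
    findings = []
    # A near-miss name is just an unrelated variable as far as the MQ client is concerned.
    for name in sorted(env):
        if name.upper().startswith("MQ") and name.upper() not in KNOWN:
            close = difflib.get_close_matches(name.upper(), KNOWN, n=1, cutoff=0.8)
            if close:
                findings.append(f"{name} is not a name this check recognises; closest known name is {close[0]}")
    # MQSERVER takes precedence over the CCDT and has no CipherSpec field.
    if env.get("MQSERVER"):
        findings.append("MQSERVER is set: the CCDT is ignored and no CipherSpec is sent")
    # The CCDT is the file MQCHLTAB inside the directory MQCHLLIB.
    lib, tab = env.get("MQCHLLIB"), env.get("MQCHLTAB")
    if not lib or not tab:
        findings.append("MQCHLLIB and MQCHLTAB must both be set")
    elif not (Path(lib) / tab).is_file():
        findings.append(f"CCDT not found: {Path(lib) / tab}")
    # Assumption: MQSSLKEYR is the repository stem; <stem>.kdb and <stem>.sth must exist.
    keyr = env.get("MQSSLKEYR")
    if not keyr:
        findings.append("MQSSLKEYR not set")
    else:
        if keyr.lower().endswith(".kdb"):
            findings.append("MQSSLKEYR should be the file stem, without .kdb")
            keyr = keyr[:-4]
        for ext in (".kdb", ".sth"):
            if not Path(keyr + ext).is_file():
                findings.append(f"missing key repository file: {keyr}{ext}")
    return findings


if __name__ == "__main__":
    # Check the environment of the shell the sample program will be started from.
    for finding in check_client_env(dict(os.environ)):
        print(finding)
```

An empty result only means the client will read the CCDT and find a key repository; whether the handshake succeeds still depends on the queue manager's certificate being trusted in that repository and on matching CipherSpecs at both ends.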