MQSeries.net Forum Index » IBM MQ Security » CLIENT TO MQ SERVER ONE WAY SSL-Need Clarification.

ashokt
Posted: Thu Dec 01, 2022 12:38 am    Post subject: CLIENT TO MQ SERVER ONE WAY SSL-Need Clarification.

Novice

Joined: 09 Oct 2022
Posts: 18

Hi Guys,

I need clarification between Client and MQ Server for One-way SSL.

What I did:

From the client machine side.
-------------------------------
->Created kdb file
->Created personal certificate and created self-signed certificate
->Extracted the self-signed certificate and gave the client.arm file to the MQ server side.

MQ Server side.
-----------------
->Created KDB file
->added client.arm file to kdb file (signer certificate)
->stopped the SVRCONN CHL
->altered the server connection channel with SSLCAUTH(optional) sslciph(required algorithm)

->altered client connection channel with SSLCIPH(same code as svrconn chl)
->ALTER QMGR SSLKEYR ('')

start the svrconn chl ->showing inactive mode.

->Refresh the security

->given tab file to client team

Client side:
=======
Copy the tab file to the respective location and write the below commands temporarily

SET MQSLLKEYR=C:\Users\testmq\temp\work\ssl\ckey
SET MQCHLLIB=C:\Users\testmq\temp\work
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSERVER=

When I used amqsputc MQSVR.QL

getting 2537 and SSL Repository error.

MQ SERVER SIDE ERROR LOG:

AMQ9639E: Remote channel 'TESTS.SVRCONN' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'TESTS.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.

The remote host is 'XXX (172.XXX)'.

The channel did not start.
ACTION:
Change the remote channel 'TESTS.SVRCONN' on host 'XXXX'
(172.XXX.XX)' to specify a CipherSpec so that both ends of the channel have


Kindly advise.


NOTE:
===
When I install the MQ server certificate on the client machine (without installing the client certificate in the MQ server), it's working fine, as I chose SSLCAUTH(OPTIONAL) in the svrconn chl property. (This is also single way: MQ server cert installed on the client side, client cert not installed on the MQ server side.)

->When I tried two-way, with certs exchanged between client and MQ server and SSLCAUTH(REQUIRED) chosen at the svrconn chl, it's working.

Regards,
exerk
Posted: Thu Dec 01, 2022 1:35 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Quote:
ALTER QMGR SSLKEYR ('')

How does the queue manager know the location of the key store to be used?

See this earlier post...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ashokt
Posted: Thu Dec 01, 2022 4:08 am

Novice

Joined: 09 Oct 2022
Posts: 18

exerk wrote:
Quote:
ALTER QMGR SSLKEYR ('')

How does the queue manager know the location of the key store to be used?

See this earlier post...


This means -ALTER QMGR SSLKEYR ('given the path')

Want to know why the connection was not accepted by the MQ server after installing the client cert in the MQ server?

Please advise ..

Regards,
Ashok
bruce2359
Posted: Thu Dec 01, 2022 5:49 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

ashokt wrote:
This means -ALTER QMGR SSLKEYR ('given the path')

Please don't make us guess as to what you have tried. Did you specify the SSLKEYR location? Then what happened?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
fjb_saper
Posted: Thu Dec 01, 2022 12:37 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

ashokt wrote:
NOTE:
===
When I install the MQ server certificate on the client machine (without installing the client certificate in the MQ server), it's working fine, as I chose SSLCAUTH(OPTIONAL) in the svrconn chl property. (This is also single way: MQ server cert installed on the client side, client cert not installed on the MQ server side.)

->When I tried two-way, with certs exchanged between client and MQ server and SSLCAUTH(REQUIRED) chosen at the svrconn chl, it's working.

Regards,

Working as designed!
Don't know what you are complaining about. If you are using a client, the qmgr will always act as a server, and there is no one-way SSL possible where the only cert would be the client cert.
_________________
MQ & Broker admin
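
Added example, not part of the original thread and not IBM's own sample: an MQSC sketch of the queue manager side of the one-way setup discussed above, where the queue manager presents the only certificate and the client certificate stays optional. The queue manager name QM1, the key repository path, the host name and the CipherSpec are assumed placeholders; TESTS.SVRCONN is the channel named in the thread.

```mqsc
* Added example: queue manager side of one-way TLS for a client channel.
* QM1, the key repository path, the host name and the CipherSpec are
* assumed placeholders; TESTS.SVRCONN is the channel named in the thread.
*
* Certificate placement for one-way TLS:
*   queue manager key repository : the queue manager's own personal certificate
*   client key repository        : the signer (public part) of that certificate
*   client personal certificate  : not needed while SSLCAUTH is OPTIONAL

* SSLKEYR is the key database path without the .kdb suffix.
* An empty SSLKEYR('') names no key repository at all.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

* Server end: require TLS, do not require a client certificate.
ALTER CHANNEL('TESTS.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
      SSLCAUTH(OPTIONAL)

* Client end: same channel name and same CipherSpec. This definition is
* what ends up in the AMQCLCHL.TAB file handed to the client team.
DEFINE CHANNEL('TESTS.SVRCONN') CHLTYPE(CLNTCONN) +
       CONNAME('mqhost.example(1414)') QMNAME('QM1') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) REPLACE

* Reload the key repository and TLS settings.
REFRESH SECURITY TYPE(SSL)

* Checks: both ends must show the same SSLCIPH.
DISPLAY QMGR SSLKEYR
DISPLAY CHANNEL('TESTS.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH SSLCAUTH
DISPLAY CHANNEL('TESTS.SVRCONN') CHLTYPE(CLNTCONN) SSLCIPH
* SSLPEER shows the client certificate's DN if one was presented.
DISPLAY CHSTATUS('TESTS.SVRCONN') SSLPEER SSLCERTI
```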
gbaddeley
Posted: Thu Dec 01, 2022 4:32 pm

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

Self-signed certificates are OK to demonstrate MQ SSL, but they are not a good idea in an enterprise situation or if there are many queue managers or channels. It creates a maintenance nightmare.

You should be using CA signed certificates, using a public CA or internal CA.
_________________
Glenn