Author |
Message
|
Anirud |
Posted: Thu Sep 16, 2004 1:33 pm Post subject: SSL Certificate |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
Hi,
When we do a Personal Certificate Request, do we have to be on the same machine as the qmgr to create the request, or can we create the request elsewhere? (Say, if I have QM1 and QM2, can I create a request on QM2 for QM1?)
Thanks,
Anirud. |
kman |
Posted: Thu Sep 16, 2004 6:01 pm Post subject: |
|
|
Partisan
Joined: 21 Jan 2003 Posts: 309 Location: Kuala Lumpur, Malaysia
|
Should not be a problem, and it was not a prereq. In fact, it can even be on a different machine. |
Anirud |
Posted: Thu Sep 16, 2004 6:24 pm Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
Hi,
I applied for the Personal Certificate using the command
gsk6cmd -certreq -create -db key.kdb -pw password -label ibmwebshperemqqmgrname -dn "CN=..." -size 1024 -file filename
Everything was fine until this point.
I got the certificate from the CA. I did ftp that file to /var/mqm/qmgr/QMGRNAME/ssl
When I tried to add the personal certificate to the key database using
gsk6cmd -cert -receive -file filename -db key.kdb -pw password -label ibmwebshperemqqmgrname -format ascii
I got the following error:
Label already exists in the key database.
I am doing this according to the manual. Am I doing this right?
Any help would be appreciated.
Thanks. |
kman |
Posted: Thu Sep 16, 2004 6:29 pm Post subject: |
|
|
Partisan
Joined: 21 Jan 2003 Posts: 309 Location: Kuala Lumpur, Malaysia
|
Quote: |
I got the following error:
Label already exists in the key database. |
Did the label already exist? The label is ibmwebspheremqqmgrnameinlowercase. So if your qmgr is QM1, this should be ibmwebspheremqqm1.
If it is already there, why add another one? |
Anirud |
Posted: Thu Sep 16, 2004 6:41 pm Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
The label was created when I did the request for the personal certificate. Now I am trying to add the personal certificate to the key repository. |
kman |
Posted: Thu Sep 16, 2004 6:52 pm Post subject: |
|
|
Partisan
Joined: 21 Jan 2003 Posts: 309 Location: Kuala Lumpur, Malaysia
|
Are you adding the same label, or is it different? If it is the same, why do it twice? If it is already there, why not use it?
If you still want to add the new one even when there is already an existing label, you can remove the existing one. Then add the new one. Otherwise, just use the existing cert.
What is your exact label? |
Anirud |
Posted: Thu Sep 16, 2004 6:53 pm Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
kman,
Quote: |
should not be a problem. and it was not a prereq. in fact, can even be on a different machine |
If I request personal certificate for QM1 on QM2 and after I get the personal certificate from CA, where should I add this personal certificate?
On QM1 or QM2?
Thanks. |
Anirud |
Posted: Thu Sep 16, 2004 7:02 pm Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
Quote: |
what is your exact label? |
ibmwebspheremqqm1
Quote: |
If you still want to add the new one even when there is already an existing label, you can remove the existing one. Then add the new one. |
I tried doing this. I removed the label and tried to add the personal certificate using
gsk6cmd -cert -receive -file filename -db key.kdb -pw password -label ibmwebspheremqqm1 -format ascii
I got the following error:
There is no request for personal certificate in the key database. |
gunter |
Posted: Thu Sep 16, 2004 11:58 pm Post subject: |
|
|
Partisan
Joined: 21 Jan 2004 Posts: 307 Location: Germany, Frankfurt
|
The -label option is not valid for gsk6cmd -cert -receive.
WebSphere MQ System Administration:
Quote: |
-cert -receive
Receive a certificate from a file:
-cert -receive -file filename -db filename -pw password
-format ascii | binary -default_cert yes | no
|
_________________ Gunter Jeschawitz
IBM Certified System Administrator - Websphere MQ, 5.3 |
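Added example (not part of the thread or of the IBM manual): a shell wrapper for the receive step that passes only the options in the syntax quoted above, so no -label is sent. The function name receive_signed_cert, its file checks and its return codes are assumptions for illustration, and it assumes the CA delivered a Base64 (armored) certificate.

```shell
#!/bin/sh
# Hypothetical helper, not IBM tooling: receive a CA-signed certificate with
# gsk6cmd using only -file, -db, -pw, -format and -default_cert.
# Usage (from the queue manager's ssl directory):
#   receive_signed_cert key.kdb password qm1cert.arm

receive_signed_cert() {
    db=$1 pw=$2 cert=$3

    # Run this against the key database in which the request was created.
    # In the thread, deleting the label first led to the error
    # "There is no request for personal certificate in the key database."
    if [ ! -f "$db" ]; then
        echo "key database not found: $db" >&2
        return 2
    fi
    if [ ! -r "$cert" ]; then
        echo "certificate file not readable: $cert" >&2
        return 2
    fi

    # A certificate pasted from an e-mail into an editor must still carry
    # both armor lines to be read with -format ascii (assumed Base64 format).
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
       ! grep -q -e '-----END CERTIFICATE-----' "$cert"; then
        echo "no complete BEGIN/END CERTIFICATE block in $cert" >&2
        return 3
    fi

    # No -label here: the quoted syntax for -cert -receive has no such option.
    # Note that -pw on the command line is visible in the local process list
    # while the command runs.
    gsk6cmd -cert -receive -file "$cert" -db "$db" -pw "$pw" \
        -format ascii -default_cert yes
}
```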
Anirud |
Posted: Fri Sep 17, 2004 11:00 am Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
Hi Gunter,
Thanks. That helps.
I got the certificate from the CA as part of the email. I copied it on to notepad, saved it as "qm1cert.arm" and ftp this file to /var/mqm/qmgrs/QM1/ssl on the server where my QM1 is.
Here is what I understand I should be doing...
...receive this file on QM1 using the command
gsk6cmd -cert -receive -file qm1cert.arm -db key.kdb -pw password
-format ascii -default_cert yes
After this (if everything goes well), export the personal certificate using
gsk6cmd -cert -export -db key.kdb -pw password -label ibmwebspheremqqm1 -type cms -target servercert.cms -target_pw password -target_type cms
(I am not sure if the -type should be cms or pkcs12)
then, ftp that file (in ascii format) to the SSL Server (in this case QM2) and add it to the key database using
gsk6cmd -cert -add -db key.kdb -pw password -label ibmwebspheremqqm1 -file servercert.cms -format ascii
then, recycle the channels.
This is what I understood after reading the manual. Please correct me if I am wrong...
Thanks for your time. |