Secure authentication
rajmq
Posted: Thu Nov 25, 2004 4:57 am    Post subject: Secure authentication

Hi All,

I would like to use SSL with mutual authentication between the Windows and Unix platform qmgrs.

I have 2 queue managers to connect with SSL channels, bidirectional (one channel for each direction).

I have succeeded with the SSL configuration between the AIX and Linux platforms, but I'm not sure about the Windows and Unix SSL configuration.

Has anyone done the above scenario? Share your thoughts.

Cheers,
rajmq
rajmq
Posted: Fri Nov 26, 2004 8:20 am

Hi All,

Now I did the following steps on the Solaris side:

1. Using gsk6cmd I have created the key repository:

./gsk6cmd -keydb -create -db /var/mqm/qmgrs/SSL/ssl/key.kdb -pw pwdb -type cms -expire 2048 -stash

2. Given rights and changed the SSLKEYR path.

3. Created a new self-signed certificate:

./gsk6cmd -cert -create -db /var/mqm/qmgrs/SSL/ssl/key.kdb -pw pwdb -label ibmwebspheremqssl -dn "CN=SSL,C=DE,O=IDG" -size 1024 -x509version 3 -expire 2048

4. For extraction:

gsk6cmd -cert -extract -db /var/mqm/qmgrs/SSL/ssl/key.kdb -pw pwdb -label ibmwebspheremqssl -target cert.der -format binary

How can I create the repository and self-signed certificate on the Windows side?

Thanks in Advance,
RJ

vennela
Posted: Fri Nov 26, 2004 11:06 am

Search for windows + ssl on this forum and you will find a lot of information.

You can add the certificate using Internet Explorer (web browser).

You can use WebSphere MQ Services to add and assign a certificate to a QMGR.

There is also an SSL tutorial if you do a search.
kirani
Posted: Fri Nov 26, 2004 11:28 pm

Please post MQ related questions in the MQ forum.
[Moving to General MQ Support Forum]
Kiran
rajmq
Posted: Sun Nov 28, 2004 9:11 am

Sorry Kiran,

Hi,

Thanks for your reply.

On the Windows side I have done the following things:

1. I obtained a demo (30-day trial version) personal certificate from globalsign.com.

2. Added the certificate to the queue manager on Windows using the commands below:

amqmcert -k MY -l
amqmcert -a "certificate number" -m XXX

3. Assigned the certificate to the queue manager on Windows.

4. Now I am able to view the tick mark in the icon for my certificate.

After this, I am confused!

Can I get some more information on configuring SSL?

Thanks in advance,
RJ
007_pandi
Posted: Sun Nov 28, 2004 8:39 pm

Hi Raj,

To do the things needed for the SSL implementation on Windows, you can download the MQ SSL pdf from the IBM MQSeries library site and follow the steps.

The following URL may also be useful for you:

http://www-128.ibm.com/developerworks/websphere/techjournal/0211_yusuf/yusuf.html


We have implemented SSL between Windows (MQ Server is running) and Solaris (MQ Client is running).

Some important steps are listed below.
-------------------------------------------
On the Windows side:

1. Got the personal certificate from a 3rd party (e.g. www.globalsign.com).
2. Install it in Internet Explorer.

3. Add it to the qmgr SSL key repository using MQSeries Windows Explorer and assign it.

4. FTP the client-side CA (public key) to the Windows m/c and add it to the queue manager SSL key repository.

Steps to extract the queue manager (running on Windows) CA:
----------------------------------------------------------------------
5. Open IE, click Contents, click Certificates, click Intermediate Certificates,
select the corresponding CA for your personal certificate and export it to one file.
(We are supposed to download two CAs on this tab, so in total we will get two different .cer files here.)

6. Click the Trusted Root tab, select the corresponding root CA and export it to one .cer file in DER format.

7. FTP the above .cer files to the Unix m/c and import them into a new file (this is the trusted keystore file).

8. The keystore file which holds the client-side personal certificate is a different one from the above.

9. Now you can run your program.

----------------------

If you get stuck at any step, then reply.
rajmq
Posted: Mon Nov 29, 2004 7:09 am

Hi Pandi,

My requirement differs slightly from the setup below. I need some information!

We have implemented SSL between Windows (MQ Server is running) and Solaris (MQ Server is running).

On the Windows side:
------------------------------------------

1. Got the personal certificate from a 3rd party (e.g. www.globalsign.com).
Done.
2. Install it in Internet Explorer.
Done.
3. Add it to the qmgr SSL key repository using MQSeries Windows Explorer and assign it.
Done.
4. FTP the client-side CA (public key) to the Windows m/c and add it to the queue manager SSL key repository.
In my case I have to FTP the Solaris MQ server cert.der file. Is that correct? If not, what is the file name I have to transfer from the Solaris MQ server?

I did the following steps on Solaris for creating cert.der.
1. Using gsk6cmd I have created the key repository:
./gsk6cmd -keydb -create -db /var/mqm/qmgrs/xxx/ssl/key.kdb -pw pwdb -type cms -expire 2048 -stash
2. Given rights and changed the SSLKEYR path.
3. Created a new self-signed certificate:
./gsk6cmd -cert -create -db /var/mqm/qmgrs/xxxx/ssl/key.kdb -pw pwdb -label ibmwebspheremqssl -dn "CN=SSL,C=DE,O=IDG" -size 1024 -x509version 3 -expire 2048
4. For extraction:
gsk6cmd -cert -extract -db /var/mqm/qmgrs/xxxx/ssl/key.kdb -pw pwdb -label ibmwebspheremqxxx -target cert.der -format binary

Steps to extract the queue manager (running on Windows) CA:
----------------------------------------------------------------------
5. Open IE, click Contents, click Certificates, click Intermediate Certificates, select the corresponding CA for your personal certificate and export it to one file.
Which CA file needs to be exported? Need more info. (We are supposed to download two CAs on this tab, so in total we will get two different .cer files here.)

6. Click the Trusted Root tab, select the corresponding root CA and export it to one .cer file in DER format.
Which CA file? Need more info.

7. FTP the above .cer file to the Unix m/c and import it into a new file (this is the trusted keystore file).
I have used the command below. Is it correct?
gsk6cmd -cert -import -file /var/mqm/qmgrs/XXX/ssl/key.kdb -type DER -pw pwdb -target /tmp/xxx.cer -target_pw ?
What is the password for the target file?

8. The keystore file which holds the client-side personal certificate is a different one from the above.
Finally change the SSL configuration on both sides of the channels and start.

Thanks in advance,
RJ
007_pandi
Posted: Mon Nov 29, 2004 9:28 pm

Raj,

We have used the Java keytool to generate the personal certificate on the Solaris m/c.

Because you are using the gsk6cmd command, you can very well follow the IBM MQ SSL pdf to clear your doubts.

1. For point 4, you can get clear information in the MQ SSL pdf, chapter 12, page 105 (managing certificates); read the heading "Extracting CA from key repository".

Once you have extracted it, just FTP it to the Windows m/c in binary mode and add it to the qmgr key repository (no need to assign, only add is enough).

It seems cert.der is the correct file. Anyhow, just verify with the IBM pdf information.

2. For point 5, if you click the Personal tab, select your certificate, then click the View button available at the bottom, it will show you the certificate chain structure.

It is easier to explain with a figure instead of explaining in words, so just refer to this site for the files to be exported.

Ref site:

http://www-128.ibm.com/developerworks/websphere/techjournal/0211_yusuf/yusuf.html

3. For point 7, again refer to the MQ SSL pdf, page 106 (adding CA into a key repository).

But in our case we have used a different keystore file to store the Windows-side CA certificate (called the trusted key store, because the client program on the Unix m/c will initiate the SSL conversation).

4. Point 8 is a must to configure the SSLCIPH attribute of the channel.

The problem we have faced is:

The Java VM by default took the keystore file from the OS and we got the exception "can not find key exception" or 2059 (not able to make the SSL connection). We added the following lines to the program and it is working.

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
javax.net.ssl.SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("SSLv3");
// Point the JVM at the MQ client keystore instead of the OS default one
System.setProperty("javax.net.ssl.keyStore", "/var/mqm/ssl/QMTEST1/QMTEST1KEYSTORE");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

Refer to the Sun Java page for more info on the above lines.

By
Pandiarajan.J
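The thread's open question is whether cert.der, extracted with -format binary, is the right file to FTP (in binary mode) to the other queue manager and add there as a trusted CA. As an added example that is not from the thread, from IBM's tooling or from Sun's Java API, the following Python script inspects such a DER file before transfer: it rejects anything that is not a DER SEQUENCE (a base64/ASCII export, or a file FTPed in ASCII mode), and reads subject and issuer so you can tell a self-signed queue manager certificate (issuer equals subject; add it directly to the peer repository) from one issued by a third party (whose CA chain is what must be exported, as in steps 5 and 6). The sample input is a constructed, unsigned certificate skeleton carrying the thread's DN "CN=SSL,C=DE,O=IDG", not a real certificate; the helper names are mine.

```python
def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

# RDN attribute OIDs for the thread's -dn "CN=SSL,C=DE,O=IDG".
OIDS = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "O": b"\x55\x04\x0a"}
OID_NAMES = {v: k for k, v in OIDS.items()}

def _name_to_str(name):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def inspect_der_cert(der):
    """Return subject, issuer and whether issuer == subject (self-signed)."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong format or FTPed in ASCII mode")
    (_, tbs), *_ = _children(cert)                      # tbsCertificate first
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    _serial, _sigalg, (_, issuer), _validity, (_, subject) = fields[:5]
    return {"subject": _name_to_str(subject), "issuer": _name_to_str(issuer),
            "self_signed": issuer == subject}

# Constructed sample input (not a real certificate) so the block runs offline.
def _der(tag, content):                                 # short-form lengths only
    return bytes([tag, len(content)]) + content
def _name(**attrs):
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, OIDS[k]) +
                               _der(0x13, v.encode()))) for k, v in attrs.items()))
def sample_self_signed_der():
    name = _name(CN="SSL", C="DE", O="IDG")             # same DN as the thread
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name + _der(0x30, b"") + name + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Run it against a real extract with `inspect_der_cert(open("cert.der", "rb").read())`; a self_signed result of False means the peer needs the issuing CA chain rather than this file alone.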