SSL Configuration on AIX
guest (Acolyte; joined 11 Aug 2003; 52 posts)
Posted: Mon Nov 29, 2004 4:10 pm    Post subject: SSL Configuration on AIX
I would like to have mutual authentication between two queue managers using self-signed certificates through the gsk6cmd command line utility.
I tried to make them work by using the following steps, but I miserably failed quite a few times. The WMQ security manual is not elaborate in terms of the command line utility (I have a limitation on running X Windows on these servers), so I am looking for directions here. I read the posts and the document available at the forum; it doesn't describe self-signed certificates.
The two qmgrs are called QM1 & QM2.
On QM1,
Code:
gsk6cmd -keydb -create -db QM1.kdb -pw qm1 -type cms -stash
gsk6cmd -cert -create -db QM1.kdb -pw qm1 -label ibmwebspheremqqm1 -dn CN=XXX,O=YYY,OU=test,C=US -size 512
On QM2,
Code:
gsk6cmd -keydb -create -db QM2.kdb -pw qm2 -type cms -stash
gsk6cmd -cert -create -db QM2.kdb -pw qm2 -label ibmwebspheremqqm2 -dn CN=XXX,O=YYY,OU=test,C=US -size 512
Now on QM1, I tried it in two ways (I will be glad to know what the difference is between extract/add and export/import)
Code:
gsk6cmd -cert -extract -db QM1.kdb -pw qm1 -label ibmwebspheremqqm1 -target QM1.ca -format ascii
After that on QM2,
Code:
gsk6cmd -cert -add -db QM2.kdb -pw qm2 -label ibmwebspheremqqm1 -file QM1.ca -format ascii
As I mentioned above, instead of extract/add I also used the export/import combination as below
on QM1,
Code:
gsk6cmd -cert -export -db QM1.kdb -pw qm1 -label ibmwebspheremqqm1 -type cms -target QM1.p12 -target_pw test123 -target_type pkcs12
on QM2,
Code:
gsk6cmd -cert -import -file QM1.p12 -pw test123 -type pkcs12 -target QM2.kdb -target_pw qm2 -target_type cms
I also did the above procedures for enabling the authentication from QM2 to QM1, but SSL wouldn't work. It works one way for strange reasons (QM1 to QM2) and fails the other way.
Also the WMQ security manual, Chapter 15, testing with SSL using a self-signed certificate, suggests that on a UNIX system you add the QM1 certificate to QM2 as a "signer" certificate ... How do you do that in the command line interface???? ..
I see a keyword -sign; is that what is supposed to be used? If somebody can outline the steps from your prior experience, that would help.
Also how does the self-signed certificate differ from a globally/3rd-party signed certificate, in terms of working? What are the advantages & disadvantages??
Sorry about the length ...
guest (Acolyte; joined 11 Aug 2003; 52 posts)
Posted: Tue Nov 30, 2004 7:13 am    Post subject:
Wonder why no hits & response?? Does it have to be in a different section??
Has anybody successfully dealt with self-signed certificates using the command line interface on any UNIX platform, especially AIX? If you could outline those steps, that would help.
Anirud (Master; joined 12 Feb 2004; 285 posts; location: Vermont)
Posted: Tue Nov 30, 2004 8:04 am    Post subject:
You got the commands right. For more details on the commands, read Chapter 18 in the System Admin. guide.
Quote:
Also how does the self-signed certificate differ from a globally/3rd-party signed certificate, in terms of working? What are the advantages & disadvantages??
If you are using the certificate for the test environment, you are good with a Self Signed Certificate (that's my knowledge). If these certificates are for Production servers and you have external customers connecting to your queue managers, then you are better off with 3rd party certificates. You can get lots of information here (this forum) if you do a search on this topic.
After creating a Self Signed Certificate on QM1 (for communication between QM1 and QM2), you will have to assign this certificate on QM2 as a Signer Certificate. To complete this task, extract the certificate on QM1; you can only add this certificate on QM2 as a Signer Certificate (you cannot import a signer certificate into the key database).
Assuming you have created a Personal Certificate Request on QM1, after you get the certificate from the CA you will have to Receive this certificate as a Personal Certificate. Then export this certificate on QM1 to a file and, after transferring that file to QM2, import it into the key database as a Personal Certificate (the label should be ibmwebspheremq<queuemanagername>) on QM2.
Regards,
Anirud.
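The two points that decide this thread, the difference between extract/add and export/import that the original post asks about, and Anirud's rule that the peer's certificate goes into the other key database as a signer, can be reproduced without an MQ host. The script below is an added example, not code from the thread, from IBM, or from GSKit; because gsk6cmd is rarely available outside an MQ installation, it models each gsk6cmd operation with the equivalent openssl command (openssl 1.1 or later assumed). The function names, the QM1/QM2 names, the test123 passphrase, the working directory and the idea of a per-queue-manager "signer list" file are all assumptions made for the illustration, not gsk6cmd behaviour; the mapping is an analogy. The script builds two self-signed certificates, shows that the extracted .arm file carries no private key while the exported .p12 does, reproduces the one-way situation from the first post (QM2 trusts QM1, QM1 does not trust QM2, so mutual authentication fails), and then fixes it by adding the second signer.

```shell
#!/bin/sh
# Added example: models the thread's gsk6cmd flow with openssl (an analogy, not gsk6cmd):
#   gsk6cmd -cert -create  ~ make_self_signed  (self-signed personal certificate)
#   gsk6cmd -cert -extract ~ extract_public    (.arm file: public certificate only)
#   gsk6cmd -cert -add     ~ add_signer        (peer certificate becomes a trusted signer)
#   gsk6cmd -cert -export  ~ export_pkcs12     (.p12 with the PRIVATE key: personal, not signer)
# QM1/QM2, the passphrase and the working directory are assumptions for the demo.
set -u
WORK="${WORK:-$(mktemp -d)}"

# A queue manager's "key database": private key plus self-signed certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/O=example/OU=test/C=US" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Extract the public certificate only; this is what the peer needs as a signer.
extract_public() {
    cp "$WORK/$1.crt" "$WORK/$1.arm"
}

# Export certificate AND private key as PKCS#12 (what -cert -export produces);
# importing this on the peer copies the private key there, which a signer never needs.
export_pkcs12() {
    openssl pkcs12 -export -passout pass:test123 \
        -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -out "$WORK/$1.p12" >/dev/null 2>&1
}

# contains_private_key NAME EXT: 0 if WORK/NAME.EXT carries a private key, 1 otherwise.
contains_private_key() {
    if [ "$2" = "p12" ]; then
        openssl pkcs12 -in "$WORK/$1.p12" -passin pass:test123 -nocerts -nodes 2>/dev/null \
            | grep -q "PRIVATE KEY"
    else
        grep -q "PRIVATE KEY" "$WORK/$1.$2"
    fi
}

# add_signer QM ARMFILE: append the extracted peer certificate to QM's signer list.
add_signer() {
    cat "$WORK/$2" >> "$WORK/$1.signers.pem"
}

# peer_trusts QM PEER: does QM's signer list validate PEER's certificate? 0 = yes, 1 = no.
peer_trusts() {
    signers="$WORK/$1.signers.pem"
    if [ -s "$signers" ]; then
        openssl verify -no-CApath -CAfile "$signers" "$WORK/$2.crt" >/dev/null 2>&1
    else
        # No signers yet: no trust store at all, so every peer certificate is rejected.
        openssl verify -no-CAfile -no-CApath "$WORK/$2.crt" >/dev/null 2>&1
    fi
}

# Mutual authentication needs trust in both directions.
mutual_auth_ok() {
    peer_trusts "$1" "$2" && peer_trusts "$2" "$1"
}

# Walk through the thread's situation; returns 0 only if every expected state holds.
demo() {
    make_self_signed QM1 && make_self_signed QM2 || return 1
    extract_public QM1 && extract_public QM2
    export_pkcs12 QM1 || return 1

    # The .arm file has no private key; the .p12 does. Only the .arm belongs on the peer.
    contains_private_key QM1 arm && return 1
    contains_private_key QM1 p12 || return 1

    # First post's state: QM2 holds QM1's signer, QM1 holds nothing -> one way only.
    add_signer QM2 QM1.arm
    peer_trusts QM2 QM1 || return 1
    peer_trusts QM1 QM2 && return 1
    mutual_auth_ok QM1 QM2 && return 1

    # The fix: QM2's extracted certificate becomes a signer on QM1 as well.
    add_signer QM1 QM2.arm
    mutual_auth_ok QM1 QM2
}

if demo; then
    echo "mutual trust between QM1 and QM2 established (files in $WORK)"
else
    echo "unexpected trust state; inspect $WORK" >&2
    exit 1
fi
```

Run it as `sh ssl_trust_demo.sh`; it creates its own temporary directory. The design point it makes is the one Anirud states: for self-signed certificates, each key database must hold the other side's extracted (public) certificate as a signer, and both directions must be in place before a channel that requires mutual authentication will start. The export/import path moves the private key as well, which is the personal-certificate operation, not the signer one.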
guest (Acolyte; joined 11 Aug 2003; 52 posts)
Posted: Tue Nov 30, 2004 2:13 pm    Post subject:
Thanks Anirud for the clarification.
Finally I got it working bidirectionally and got past the BAD SSL certificate error on QM2 when communicating from QM2 to QM1, when QM1 to QM2 used to work just fine. Now I have to find out which one of the below made it work ...
1) I made changes to my -extract command to have the filename extension as .arm (previously I was using the .ca extension; I didn't understand the significance of the naming convention!)
2) I restarted the queue managers.
At this point in time I am not spending time on this; I am proceeding with other tests. Will let you know what it was, when I find out.