Importing an SSL certificate

jgooch
Posted: Thu Jan 13, 2005 1:32 am Post subject: Importing an SSL certificate
Acolyte
Joined: 29 May 2002 Posts: 63 Location: UK

Hi,
We need to secure the channels between one of our queue managers and a third party's queue manager. For various reasons, we're using externally provided certs (from Thawte).
Back in September, I managed to get a Windows-based MQ-channel secured using a test cert from Globalsign. Now when I follow my notes in order to use the Thawte test cert, I don't seem to be able to import the private key part into my queue manager.
Can you help?
I'm using IKeyman to generate the CSR, running graphically on UNIX.
The steps I used were:-
1. Run Ikeyman;
2. Generate and export a CSR;
3. Get test cert from Thawte's website, they also provide a test CA. These are what I'd call *.arm format;
4. Using Windows Control Panel - Internet Options - Content - Certificates, import the test cert;
5. Export it as DER X.509;
6. FTP to the UNIX server;
7. Run IKeyman;
8. Receive the personal certificate (need to import test CA as well);
9. Export as PKCS12;
10. FTP to Windows machine;
11. Double click the PKCS12 file and import to Windows - marking it as "exportable";
12. Export as PKCS12 (de-selecting all options);
13. In MQServices, import the file and attempt to assign to the QM.
However, the import to MQ brings in only the CA, not the key. Ikeyman has a "*" by the cert, telling me that it has the key. The Windows repositories don't seem to have this.
Overall, there's got to be an easier way (!!). The above, however, with all its imports, exports and conversions, was the method I previously found to get the key into shape for use by MQ. I'm sure it will cause intakes of breath for those of you who have this nut cracked.
Self-signed certs seem so much easier....
J.

mq_abcd
Posted: Thu Jan 13, 2005 10:31 am
Acolyte
Joined: 13 Jun 2004 Posts: 69

I'm very much a novice in SSL, but this may help you.
From the MQ Security Manual:
Transferring certificates by ftp
When you transfer certificates by ftp, you must ensure that you do so in the correct format.
Transfer the following certificate types in binary format:
- DER encoded binary X.509
- PKCS #7 (CA certificates)
- PKCS #12 (personal certificates)
and transfer the following certificate types in ASCII format:
- PEM (privacy-enhanced mail)
- Base64 encoded X.509
I faced some problems because of this.
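
The transfer-mode rule quoted from the manual in the post above can be checked mechanically before a file is imported. The following Python sketch is an added example, not part of the post or of the MQ manual; its function names and sample bytes are constructed, and the size check assumes definite-length DER encoding.

```python
# Added example (not from the thread or the MQ manual): choose the FTP mode for a
# certificate file and detect damage from an ASCII-mode transfer of binary data.
# All names and sample bytes below are constructed for illustration.

def der_declared_size(data):
    """Total size (header + body) declared by the outer DER SEQUENCE.
    Returns None when the data is not a definite-length SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:        # n == 0 is BER indefinite length
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return (kind, ftp_mode, intact); intact is None when it cannot be judged."""
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        # PEM / Base64 X.509 is plain text, so newline translation is harmless.
        return ("text", "ascii", None)
    declared = der_declared_size(data)
    if declared is None:
        return ("unknown", "binary", None)
    # Definite-length DER X.509, PKCS #7 and PKCS #12 files start with a SEQUENCE
    # whose declared size must equal the file size. ASCII mode rewrites
    # 0x0A <-> 0x0D 0x0A wherever those bytes occur, which breaks that equality.
    return ("der", "binary", declared == len(data))

# Constructed sample: SEQUENCE { OCTET STRING of bytes 0x00..0x1F } (contains 0x0A).
SAMPLE_DER = b"\x30\x22\x04\x20" + bytes(range(32))
# What a UNIX-to-Windows ASCII-mode transfer does to it: LF becomes CR LF.
DAMAGED_DER = SAMPLE_DER.replace(b"\n", b"\r\n")
# Constructed Base64 text with PEM armour (not a real certificate).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMCIEIA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("clean DER", SAMPLE_DER), ("ASCII-mode DER", DAMAGED_DER),
                       ("PEM", SAMPLE_PEM)]:
        print(name, classify(blob))
```

A binary file that happens to contain no 0x0A bytes passes through an ASCII-mode transfer unchanged, so a passing size check confirms the file is intact, not that the right mode was used.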

hguapluas
Posted: Fri Jan 14, 2005 7:25 am
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego

Are you sure that you are selecting the option to export the private key? By default, that is not selected in the second screen of the export wizard on Windows. You must manually check that option.

jgooch
Posted: Mon Jan 17, 2005 5:35 am
Acolyte
Joined: 29 May 2002 Posts: 63 Location: UK

hguapluas wrote:
> Are you sure that you are selecting the option to export the private key? By default, that is not selected in the second screen of the export wizard on Windows. You must manually check that option.

Funnily enough, being the paranoid person that I am, I went back and re-ran my instructions from step (9) to re-check this very point.
Lo and behold, it worked. Operator error, methinks...
I still think that there must be an easier way to get a key into MQ but at least I now know it's me that's going mad, not the computers.
J.