askeggs |
Posted: Mon Feb 28, 2005 8:31 pm Post subject: gsk6cmd -cert -export on Solaris. eh? |
|
|
Novice
Joined: 30 Dec 2004 Posts: 14
|
Trying to get an SSL channel going on Solaris 8. MQ 5.3. Just between 2 local QMs.
I am trying to follow the security manual in "Exporting a personal certificate from a key repository".
In the example given: gsk6cmd -cert -export -db filename -pw password -label label -type cms -target filename -target_pw password -target_type pkcs12
The -target seems to suggest a destination file for the key but after failing to create a file ("Invalid file name" - which really meant "no such file"), a truss of gsk6cmd shows that the program expects a key repository since (after I manually created fun.cms to get the program to go a bit further):
18931: open("/data/home/admin/c824039/ssl/fun.cms", O_RDONLY|O_LARGEFILE) = 5
18931: fstat64(5, 0xFFBEDB50) = 0
18931: stat64("/data/home/admin/c824039/ssl/fun.cms", 0xFFBEDBE0) = 0
18931: stat64("/data/home/admin/c824039/ssl/fun.rdb", 0xFFBEDBE0) Err#2 ENOENT
18931: stat64("/data/home/admin/c824039/ssl/fun.crl", 0xFFBEDBE0) Err#2 ENOENT
The matching command to import the resultant "file" is:
gsk6cmd -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms
and I am now not sure if this wants a key repository or a key file. It makes no sense to me to export a key to an intermediate key repository.
So the question is: how is this really done?
Adam. _________________ Adam. |
|
Anirud |
Posted: Tue Mar 01, 2005 8:37 am Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
The following command worked for me.
Note: QM1 is the queue manager name and I was working under /var/mqm/qmgrs/QM1/ssl directory.
Code: |
gsk6cmd -cert -export -db key.kdb -pw password -label ibmwebspheremqqm1 -type cms -target qm1.p12 -target_pw password -target_type pkcs12 |
To import this cert into the key database of a different queue manager, say QM2, ftp the cert "qm1.p12" to the machine where your queue manager QM2 is and use the following command (assuming that you are under /var/mqm/qmgrs/QM2/ssl directory)
Code: |
gsk6cmd -cert -import -file qm1.p12 -pw password -type pkcs12 -target key.kdb -target_pw password -target_type cms |
Hope this helps. |
|
askeggs |
Posted: Tue Mar 01, 2005 3:30 pm Post subject: |
|
|
Novice
Joined: 30 Dec 2004 Posts: 14
|
Anirud wrote: |
The following command worked for me.
Note: QM1 is the queue manager name and I was working under /var/mqm/qmgrs/QM1/ssl directory.
Code: |
gsk6cmd -cert -export -db key.kdb -pw password -label ibmwebspheremqqm1 -type cms -target qm1.p12 -target_pw password -target_type pkcs12 |
To import this cert into the key database of a different queue manager, say QM2, ftp the cert "qm1.p12" to the machine where your queue manager QM2 is and use the following command (assuming that you are under /var/mqm/qmgrs/QM2/ssl directory)
Code: |
gsk6cmd -cert -import -file qm1.p12 -pw password -type pkcs12 -target key.kdb -target_pw password -target_type cms |
Hope this helps. |
Indeed it did. gsk6cmd does not deal well with paths. Given a fully qualified path to the key database, truss shows that it prepends the pathname with the user's home directory and I can't think why it would do that; especially as it does it in -import mode and not -export and other modes - bug I'm thinking. It seems best to cd to the ssl directory and work locally as you have done.
Next question! You -import without changing the label to the required value for qm2. As I understand it the label should be ibmwebspheremqmqqm2 or it won't be matched by the queue manager.
How is the label changed to the new value?
The label can't be changed on -import and gsk6cmd -cert -modify won't do it either.
Adam. _________________ Adam. |
|
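Added example, not part of any post in this thread: a shell wrapper for the export step that applies the advice above to work inside the queue manager's ssl directory with bare file names. The function names, the GSK, DB_PW and P12_PW variables and the pre-flight checks are assumptions made for illustration; the gsk6cmd options and the label form are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. Hypothetical names: mq_cert_label, export_qm_cert, GSK,
# DB_PW, P12_PW. Only gsk6cmd options quoted in the thread are used.

GSK=${GSK:-gsk6cmd}   # set GSK=echo for a dry run that prints the arguments

# Label form seen in the thread: "ibmwebspheremq" + queue manager name in lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# export_qm_cert QMGR SSLDIR TARGET
# Exports QMGR's personal certificate from SSLDIR/key.kdb to SSLDIR/TARGET.
# Passwords are read from DB_PW and P12_PW; -pw still places them on the
# command line, where they can show up in the process list.
export_qm_cert() {
    qmgr=$1; ssldir=$2; target=$3
    case $target in
        */*) echo "target must be a bare file name: $target" >&2; return 2 ;;
    esac
    (
        : "${DB_PW:?set DB_PW}" "${P12_PW:?set P12_PW}"
        # Work inside the ssl directory so gsk6cmd only sees relative names.
        cd "$ssldir" || exit 3
        [ -f key.kdb ] || { echo "no key.kdb in $ssldir" >&2; exit 4; }
        # Never overwrite an existing file with a new private-key export.
        [ ! -e "$target" ] || { echo "$target already exists" >&2; exit 5; }
        # The PKCS#12 file holds the private key: create it owner-only.
        umask 077
        "$GSK" -cert -export -db key.kdb -pw "$DB_PW" \
            -label "$(mq_cert_label "$qmgr")" -type cms \
            -target "$target" -target_pw "$P12_PW" -target_type pkcs12
    )
}
```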
kkelleher |
Posted: Tue Sep 27, 2005 9:25 am Post subject: error message when importing certificate |
|
|
Newbie
Joined: 27 Sep 2005 Posts: 1
|
Hi Adam/Anirud,
I followed the command you suggested to import a cert into an existing key database.
I got the following message
"An error occurred while creating the specified key database. Please check the output media."
I'm confused by this message as I am not "creating" a key database... it's there already.
I used gsk6ikm to look into the key database and the cert has actually been imported.
So, can I ignore this error message? Or is my cert in the key db but corrupted in some way?
Any help appreciated,
Kevin |
|
xxx |
Posted: Tue Sep 27, 2005 9:34 am Post subject: |
|
|
Centurion
Joined: 13 Oct 2003 Posts: 137
|
There is a -cert list command and you can verify with that.
Check the admin guide for the correct syntax. |
|
hopsala |
Posted: Tue Sep 27, 2005 10:24 am Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
kkelleher wrote: |
Hi Adam/Anirud, |
P.S. I wouldn't bother asking specific people questions here, or expect them to answer, especially if the last post is more than a week old... |
|