hguapluas |
Posted: Wed Apr 27, 2005 2:26 pm Post subject: SSL and DEC using VMS |
|
|
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego
|
Hi,
I tried searching the forum and IBM's site for answers but didn't get any matches, and I am not a mainframe expert. Excuse me if I am using any wrong terminology, as I'm the one who's been tasked to find the answer. I have the MQ Security in an Enterprise Environment Redbook but can't find an answer in the book or in the other Redbooks on hand.
Question:
Can the MQ Client for DEC Alpha or Itanium systems running VMS as OS be configured to use SSL?
If so, can anyone point me in direction of where to look for reference and samples?
Thanks. |
|
jefflowrey |
Posted: Wed Apr 27, 2005 3:03 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
According to the Quick Beginnings Guide for HP OpenVMS
Quote: |
SSL If you want to use SSL support, you need HP SSL version 1.1-B Kit for Alpha. This can be downloaded from the HP site: http://h71000.www7.hp.com/openvms/products/ssl/ssl.html For the latest information about the download location of HP SSL 1.1-B for IPF refer to the readme file. |
_________________ I am *not* the model of the modern major general. |
|
harwinderr |
Posted: Thu Apr 28, 2005 8:25 pm Post subject: |
|
|
 Voyager
Joined: 29 Jan 2002 Posts: 90
|
Check Chapter 7 of the Systems Administration Guide for OpenVMS, "Working with the Secure Sockets Layer (SSL) on OpenVMS systems".
Location: http://publibfp.boulder.ibm.com/epubs/pdf/amqqag01.pdf
For SSL communications, you will need the latest 5.3 MQ client for VMS, which is available for download as a SupportPac. |
|
z1fbergm |
Posted: Tue Jul 05, 2005 4:41 am Post subject: VMS MQ 5.3 and ssl |
|
|
Newbie
Joined: 05 Jul 2005 Posts: 3
|
Has anyone tested VMS MQ 5.3 and SSL on a channel?
I can't get it to work.
Examples?
Regards,
Fredrik |
|
harwinderr |
Posted: Tue Jul 05, 2005 7:37 pm Post subject: |
|
|
 Voyager
Joined: 29 Jan 2002 Posts: 90
|
Fredrik,
Can you please give more details on what you are trying to do? What are the steps you have followed?
Are you using an SVRCONN channel or is it an SDR-RCVR channel? Is the communication between UNIX/VMS or VMS/VMS channels?
Answers to the above will help me in giving the correct response.
Later,
HR |
|
z1fbergm |
Posted: Wed Jul 06, 2005 12:51 am Post subject: MQ SSL VMS |
|
|
Newbie
Joined: 05 Jul 2005 Posts: 3
|
Hi,
Thanks for your reply.
I'm pretty familiar with MQ and SSL. I have connected lots of UNIX, Windows and mainframe systems in MQ with SSL enabled.
This connection is a SDR -> RCVR from VMS to UNIX.
I have created an ssl directory. Here are the files in the directory:
CERT.PEM (The priv key and the pub key)
CERT.PWD (the password to priv key)
ROOTCA.PEM (The root ca)
I have altered the qmgr so the SSLKEYR attribute is pointing to
/mqs_root/mqm/qmgrs/QM1/ssl/CERT
The error I get in the errorlog is that the VMS is not providing a private key.
I think I have configured everything according to the admin manual for MQ 5.3 OpenVMS.
Regards,
Fredrik |
|
harwinderr |
Posted: Wed Jul 06, 2005 4:24 am Post subject: |
|
|
 Voyager
Joined: 29 Jan 2002 Posts: 90
|
Hi,
I am assuming that you are using the SSL certificate tool to generate the self-signed certificate on VMS. (Option 4)
This will generate a certificate file with the extension .CRT and a private key file with the extension .KEY (CERT.CRT and CERT.KEY). For generating the certificate in PEM format, follow the following steps:
$ COPY CERT.KEY CERT.PEM
$ APPEND CERT.CRT CERT.PEM
Then you need to use the CRYPTPASSWD utility to encrypt the password for accessing the private key.
$ CRYPTPASSWD <password> CERT
Quote: |
I have altered the qmgr so the SSLKEYR attribute is pointing to
/mqs_root/mqm/qmgrs/QM1/ssl/CERT |
This step is correct. Make sure that you have CERT.PEM, CERT.PWD and CACert.PEM (more info on this file below) in mqs_root:[mqm.qmgrs.QM1.ssl]. The ROOTCA.PEM file is not required.
For successful SSL communication it is very important to export and import the self-signed certificates, so that both the partners trust each other.
Please follow the steps below to export/import certificates between VMS and UNIX
1. Copy the "CERT.CRT" (generated on VMS using the OpenSSL tool) to the UNIX system.
2. On the UNIX system, start the IBM key management tool (using gsk6ikm) and load the key database file for the queue manager. Add the "CERT.CRT" to the list of the signer certificates and assign an appropriate label.
3. Now, extract the personal certificate for the queue manager on the UNIX system. The certificate gets extracted to the default file "cert.arm".
4. Copy the "cert.arm" to the VMS system and rename it as CACert.PEM. The CACert.PEM file should be in the same directory as CERT.PEM and CERT.PWD
This completes the setup for exporting/importing certificates between VMS and UNIX. Please also note that the certificate files should be carefully copied across the two systems. To ensure that the certificate file has been copied properly, issue the following command on VMS:
$ OPENSSL X509 -in CERT.ARM -NOOUT -TEXT
Hope this helps.
Later,
HR |
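Added example, not part of any post in this thread: a structural check for a CERT.PEM built by the COPY/APPEND step above, confirming it holds a cleanly delimited private key block followed by a certificate block. The function names and the sample data are constructed for illustration, and the "glued marker" damage shown is an assumed failure mode (the thread does not say what the formatting error was).

```python
import base64
import binascii
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
HEADER = re.compile(r"^[A-Za-z-]+: .+$")  # Proc-Type / DEK-Info on encrypted keys

def lint_pem_bundle(text):
    """Return a list of structural problems in a key + certificate PEM file."""
    problems, done, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        markers = MARKER.findall(line)
        if markers and not MARKER.fullmatch(line):
            problems.append(f"line {n}: boundary marker is not alone on its line")
        for kind, name in markers:
            if kind == "BEGIN":
                if label:
                    problems.append(f"line {n}: BEGIN {name} inside open {label}")
                label, body = name, []
            elif name != label:
                problems.append(f"line {n}: END {name} has no matching BEGIN")
                label = None
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except binascii.Error:
                    problems.append(f"line {n}: {name} body is not valid base64")
                done.append(name)
                label = None
        if not markers and label and line and not HEADER.match(line):
            body.append(line)
    if label:
        problems.append(f"{label} block is never closed")
    if not any(name.endswith("PRIVATE KEY") for name in done):
        problems.append("no private key block found")
    if "CERTIFICATE" not in done:
        problems.append("no certificate block found")
    return problems

def sample_block(label, payload):
    """Build a PEM-shaped block around constructed bytes (not real key material)."""
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: a clean bundle, and one with the certificate glued to the key's END line.
GOOD = (sample_block("RSA PRIVATE KEY", b"constructed key bytes" * 4)
        + sample_block("CERTIFICATE", b"constructed cert bytes" * 4))
GLUED = GOOD.replace("KEY-----\n-----BEGIN", "KEY----------BEGIN")
```

An empty list from `lint_pem_bundle` means the file is structurally sound; it does not prove the key matches the certificate or that the CERT.PWD password opens the key.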
|
z1fbergm |
Posted: Fri Jul 08, 2005 4:20 am Post subject: |
|
|
Newbie
Joined: 05 Jul 2005 Posts: 3
|
Hi,
Thanks for all your help !
When I ran openssl I realized there was a formatting error in the CERT file. After manually editing in ed everything worked fine!
Have a nice summer!
Regards,
Fredrik |
|