Using SSL on NT Client
xmitq
Posted: Thu Jun 16, 2005 9:29 pm    Post subject: Using SSL on NT Client

Novice

Joined: 07 Oct 2003
Posts: 16
Location: London

We have NT and the only way to import a certificate [for two-way authentication is via the PKCS#12 Certificate] is via Internet Explorer. [All you certificates are stored with RACF. The idea is for all Distributed Queue Managers and Clients we would export the certificate and required CA/Root CA to a certificate package aka PKCS#12.]

Therefore, to install the certificate, the local admin guy would log on and import the certificates. However, when the user logs on, he is not privy to the private certificate keys, which are stored within the registry under HKEY.CURRENT_USER. Therefore the channel will not start.

What I REALLY want to do is for the private certificate keys to be stored under HKEY.LOCAL_MACHINE. This way ANYONE using the NT desktop will have access to the private certificate keys.

The AMQMCERT documentation indicates the -h parameter:

The -h parameter specifies that the command refers to the local machine's certificate stores. Windows systems allow for two sets of certificate stores, which reside in the registry. One is based on the currently logged in user [HKEY_CURRENT_USER], and the other is for all users of the local machine [HKEY_LOCAL_MACHINE]. By default, when using the -k parameter, the command refers to the current user's certificate store.


I can issue the AMQMCERT list command to list the CA [amqmcert -l -k CA] and list the J-MAN TEST CA

C:\>amqmcert -l -k CA
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Using CURRENT_USER for default system stores.
Assigned MQClient Certificate:
Name: MQQACS01
CA: J-MAN TEST CA
Enumerating Certificate Stores:

System Store (CA):
------------------
14007: www.technology.jman.co.uk, J-Man Enterprise CA
14008: J-MAN E-Trust Services CA, J-MAN Root CA
14009: J-MAN TEST CA, J-MAN TEST ROOT CA
14010: Root Agency, Root Agency
14011: Thawte Premium Server CA, Root SGC Authority
14012: MS SGC Authority, Root SGC Authority
14013: GlobalSign Root CA, Root SGC Authority
14014: Microsoft Windows Hardware Compatibility, Microsoft RootAuthority
14015: SecureNet CA SGC Root, Root SGC Authority
14016: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, Class 3 Public Primary Certification Authority
14017: VeriSign Class 2 CA - Individual Subscriber, Class 2 Public Primary Certification Authority
14018: Thawte Server CA, Root SGC Authority
14019: UTN - DATACorp SGC, Root SGC Authority
14020: VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, Class 1 Public Primary Certification Authority
14021: GTE CyberTrust Root, Root SGC Authority


But when I add the -h parameter and issue the AMQMCERT list command to list the CA [amqmcert -h -l -k CA], I can no longer list the J-MAN TEST CA

C:\>amqmcert -h -l -k CA
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Using LOCAL_MACHINE for default system stores.
Assigned MQClient Certificate:
Name: MQQACS01
CA: J-MAN TEST CA
Enumerating Certificate Stores:

System Store (CA):
------------------
04001: Root Agency, Root Agency
04002: Thawte Premium Server CA, Root SGC Authority
04003: MS SGC Authority, Root SGC Authority
04004: GlobalSign Root CA, Root SGC Authority
04005: Microsoft Windows Hardware Compatibility, Microsoft Root Authority
04006: SecureNet CA SGC Root, Root SGC Authority
04007: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, Class 3 Public Primary Certification Authority
04008: VeriSign Class 2 CA - Individual Subscriber, Class 2 Public Primary Certification Authority
04009: Thawte Server CA, Root SGC Authority
04010: UTN - DATACorp SGC, Root SGC Authority
04011: VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, Class 1 Public Primary Certification Authority
04012: GTE CyberTrust Root, Root SGC Authority


Is there some environmental variable that informs the system that:

During the PKCS#12 import [via Internet Explorer], that the keys need to be for ALL USERS of this machine and NOT JUST FOR THE LOCAL user?

or

Is there some MQ environmental variable that allows for the private certificate keys to be moved from the HKEY.CURRENT_USER registry to the HKEY.LOCAL_MACHINE registry?
_________________
xmitq
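
An added example, not part of the original post: a small Python script that parses two amqmcert CA-store listings in the format shown above and reports which entries exist only in the CURRENT_USER store, and whether the CA named under "Assigned MQClient Certificate" appears in each store. The sample text is abbreviated from the post's two listings; the function names are this example's own.

```python
import re

# Abbreviated from the two listings in the post (index: subject, issuer).
CURRENT_USER = """\
Using CURRENT_USER for default system stores.
Assigned MQClient Certificate:
Name: MQQACS01
CA: J-MAN TEST CA
System Store (CA):
14007: www.technology.jman.co.uk, J-Man Enterprise CA
14008: J-MAN E-Trust Services CA, J-MAN Root CA
14009: J-MAN TEST CA, J-MAN TEST ROOT CA
14010: Root Agency, Root Agency
14014: Microsoft Windows Hardware Compatibility, Microsoft RootAuthority
"""
LOCAL_MACHINE = """\
Using LOCAL_MACHINE for default system stores.
Assigned MQClient Certificate:
Name: MQQACS01
CA: J-MAN TEST CA
System Store (CA):
04001: Root Agency, Root Agency
04005: Microsoft Windows Hardware Compatibility, Microsoft Root Authority
"""
ENTRY = re.compile(r"^\d+:\s*(.+)$")  # numbered store entry; index is dropped

def norm(text):
    # Indexes differ per store and spacing can differ, so compare on text only.
    return re.sub(r"\s+", "", text).casefold()

def parse(listing):
    """Return (assigned CA name or None, {normalized entry: (subject, issuer)})."""
    assigned, entries = None, {}
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("CA:"):
            assigned = line[3:].strip()
        m = ENTRY.match(line)
        if m:  # the issuer is the text after the last ", "
            subject, _, issuer = m.group(1).rpartition(", ")
            entries[norm(m.group(1))] = (subject, issuer)
    return assigned, entries

def only_in(reference, target):
    """Entries listed in reference but absent from target, in listing order."""
    ref, tgt = parse(reference)[1], parse(target)[1]
    return [pair for key, pair in ref.items() if key not in tgt]

def assigned_ca_present(listing):
    assigned, entries = parse(listing)
    return assigned is not None and any(
        norm(subject) == norm(assigned) for subject, _ in entries.values())

if __name__ == "__main__":
    for subject, issuer in only_in(CURRENT_USER, LOCAL_MACHINE):
        print(f"only in CURRENT_USER: {subject} (issuer: {issuer})")
```
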