Author |
Message
|
rajmq |
Posted: Sat Oct 18, 2003 5:15 am Post subject: SSL enable between Different QMGR's |
|
|
 Partisan
Joined: 29 Sep 2002 Posts: 331 Location: USA
|
Hi,
We have an application requirement, which is described below.
I have two different physical boxes, one Linux and the other AIX, and WebSphere MQ 5.3 is installed on both boxes. Now I need to enable SSL between the two boxes with different QMGRs.
Does anyone have documents on enabling SSL between QMGRs?
Thanks in advance,
raj |
|
EddieA |
Posted: Sat Oct 18, 2003 3:53 pm Post subject: |
|
|
 Jedi
Joined: 28 Jun 2001 Posts: 2453 Location: Los Angeles
|
Try searching the forums using 'SSL'. You will find everything you need.
Cheers, _________________ Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
rajmq |
Posted: Sun Oct 19, 2003 6:59 am Post subject: |
Hi,
Thanks for your reply, but I am not able to find SSL enablement for two QMGRs between Linux and AIX.
Are there any other documents or PDFs for the above setup?
Thanks,
raj |
|
EddieA |
Posted: Sun Oct 19, 2003 11:11 am Post subject: |
|
rajmq |
Posted: Mon Oct 20, 2003 12:19 am Post subject: |
Hi,
Thanks again, but if you see my question, it is about enabling SSL between QMGRs where both QMGRs are running on different OSes (Linux and AIX), not NT.
For NT I already checked in a test system; it is working fine.
Are there any other documents or links related to enabling SSL on Linux and AIX? I know this is similar to NT, but I am still new to these concepts.
Regards,
raj |
|
mrlinux |
Posted: Mon Oct 20, 2003 5:14 am Post subject: |
|
|
 Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
|
Well, 2 different queue managers shouldn't be an issue; the commands are the same, assuming you have both queue managers created and set up already (NON_SSL). _________________ Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries |
|
rajmq |
Posted: Mon Oct 20, 2003 8:04 pm Post subject: |
Hi Mrlinux,
Exactly the same: I did the full setup without SSL. I tested my remote communication also; it is working fine.
Now I am struggling to start enabling SSL between the QMGRs.
Any ideas or suggestions?
Thanks,
raj |
|
harwinderr |
Posted: Tue Oct 21, 2003 4:24 am Post subject: |
|
|
 Voyager
Joined: 29 Jan 2002 Posts: 90
|
|
rajmq |
Posted: Wed Oct 22, 2003 5:20 am Post subject: |
Hi harwinderr,
Thanks for your reply.
I have referred to that manual, but
I need some more explanation of chapters 3 to 3:16.
Why do I need to use both openssl and ikeyman?
Please give me a brief explanation of the document.
Regards,
raj |
|
harwinderr |
Posted: Thu Oct 23, 2003 1:15 am Post subject: |
Yes, you don't need to use both OpenSSL and iKeyman. OpenSSL is only used (in the example) to generate test certificates, which are then assigned to the queue manager using iKeyman.
OpenSSL lets you create a CA certificate, which can then be used to sign a CSR. Unfortunately this functionality is not available with iKeyman.
But you can create self-signed certificates using iKeyman and avoid OpenSSL. It's all up to you!
Hope it helps |
|
rajmq |
Posted: Sat Oct 25, 2003 9:59 pm Post subject: |
Hi harwinderr,
Thanks for your reply.
Now I have done the following steps:
1. I created the QMGRs on both boxes, Linux and AIX, and using the remote connectivity procedure I am able to connect to the remote QMGR (AIX). So without SSL my connectivity is OK.
2. I am planning to use the ikeyman option for enabling SSL. Can you help me with how to proceed? That document shows more details about openssl and other stuff, so I am more confused. Please help me out.
Regards,
raj |
|
harwinderr |
Posted: Sun Oct 26, 2003 9:15 pm Post subject: |
Well, I would suggest you go through the Security book, Chapter 9
(Working with the Secure Sockets Layer (SSL) on UNIX systems).
It explains in detail the setup required for SSL communication on UNIX systems. If you still have any problems, then shoot |
|
rajmq |
Posted: Mon Oct 27, 2003 8:41 am Post subject: |
Hi,
Using the Security PDF, Chapter 12, I did the steps below:
1. After setting the JAVA_HOME Classpath,
a) For creating the keydb file:
gsk6cmd -keydb -create -db /var/mqm/qmgrs/SSL_LINUX/key.kdb -pw pwdb -type cms -expire 2048 -stash
gsk6cmd -keydb -stashpw -db /var/mqm/qmgrs/SSL_LINUX/key.kdb -pw pwdb
b) For accessing the key db files I changed the rights as per the manual.
c) The QMGR key repository location has been changed.
d) For creating the self-signed certificate:
gsk6cmd -cert -create -db /var/mqm/qmgrs/SSL_LINUX/key.kdb -pw pwdb -label ibmwebspheremqssl -dn "CN=SSL,C=DE,O=IDG" -size 1024 -x509version 3 -expire 2048
My error message is like
JCE
error message resoruce file is not well loaded
2. Also, currently I am making all changes on the Linux box only. What changes do I need to carry out on the AIX box?
Thanks,
raj |
|
harwinderr |
Posted: Mon Oct 27, 2003 11:22 pm Post subject: |
Not that it matters, but I would suggest using gsk6ikm instead of gsk6cmd. It gives you a GUI to work with, which is simpler for you.
Moreover, put the key.kdb file in the default location, i.e. /var/mqm/qmgrs/SSL_LINUX/ssl.
There is no need to execute this:
"gsk6cmd -keydb -stashpw -db /var/mqm/qmgrs/SSL_LINUX/key.kdb -pw pwdb"
The password file is already stashed by giving the -stash flag while creating the keydb file.
Quote: |
My error message is like
JCE
error message resoruce file is not well loaded |
I am wondering why you are getting this error. I just tried this on a Linux box here and it created a self-signed certificate without any problem.
The WMQ binary distribution for Linux comes with an rpm, MQSeriesKeyMan-5.3.0-1.i386.rpm. Install this and point your JAVA_HOME to /opt/mqm/ssl/jre. This might help you overcome the problem you are facing.
After creating the certificate, extract it with
gsk6cmd -cert -extract -db filename -pw password -label label -target cert.der -format binary
FTP it to the AIX box, where you have to add it as a CA certificate to the key repository:
gsk5cmd -cert -add -db /var/mqm/qmgrs/qm2/ssl/key.kdb -pw Welcome123 -label Test -file cert.der -format binary
You have to carry out the same steps on the AIX box as well.
Hope that helps |
|
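The exchange described in the post above, laid out for both boxes as an added example (not part of the original posts and not IBM's own script): a dry-run shell planner that prints the gsk commands without executing them, using only flags that appear in this thread. The peer queue manager name SSL_AIX, the DNs and the $PW placeholder are assumptions; the label rule (ibmwebspheremq followed by the lower-cased queue manager name) is WebSphere MQ's convention for locating the queue manager's own certificate.

```shell
#!/bin/sh
# Added example: prints the self-signed certificate exchange for two queue
# managers. Nothing is executed; review the output, then run it by hand.

# WebSphere MQ looks up the queue manager's certificate by label:
# "ibmwebspheremq" + queue manager name folded to lower case.
qm_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Key repository in the default per-queue-manager ssl directory.
qm_keydb() {
    printf '/var/mqm/qmgrs/%s/ssl/key.kdb\n' "$1"
}

# plan_side TOOL LOCAL_QM PEER_QM DN
# Prints the commands for the box hosting LOCAL_QM. $PW stays a literal
# placeholder so no password ends up in the generated plan.
# Key size and expiry are copied from the thread; 1024-bit RSA is below
# current guidance, so raise it if the installed toolkit allows.
plan_side() {
    tool=$1 qm=$2 peer=$3 dn=$4
    db=$(qm_keydb "$qm")
    label=$(qm_label "$qm")
    # 1. key database; -stash writes the stash file at creation time
    echo "$tool -keydb -create -db $db -pw \$PW -type cms -expire 2048 -stash"
    # 2. self-signed certificate under the label the queue manager expects
    echo "$tool -cert -create -db $db -pw \$PW -label $label -dn \"$dn\" -size 1024 -x509version 3 -expire 2048"
    # 3. extract the certificate only; the private key stays in key.kdb
    echo "$tool -cert -extract -db $db -pw \$PW -label $label -target $qm.der -format binary"
    # 4. once the peer's .der file has arrived, trust it (any label works here)
    echo "$tool -cert -add -db $db -pw \$PW -label $(qm_label "$peer") -file $peer.der -format binary"
}

# Constructed sample: SSL_AIX and both DNs are hypothetical.
plan_exchange() {
    echo "# on the Linux box"
    plan_side gsk6cmd SSL_LINUX SSL_AIX "CN=SSL_LINUX,O=IDG,C=DE"
    echo "# on the AIX box"
    plan_side gsk5cmd SSL_AIX SSL_LINUX "CN=SSL_AIX,O=IDG,C=DE"
}

plan_exchange
```

Only the extracted .der files cross between the boxes; the key.kdb and its stash file should stay readable by the mqm user alone.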
rajmq |
Posted: Thu Nov 06, 2003 3:50 am Post subject: |
Hi harwinderr,
I am still having the same problem, but I am able to understand why.
Some of the JCE (Java Cryptographic Extension) files are not there. Using another server (gsk4cmd) I am able to create the key repository.
So can you give me some more information on the gsk6 GUI or cmd part: what software do I need to install for it to load?
Regards,
raj |
|