Anyone "getting there" with WMQ 5.3 SSL?
kolban
Posted: Sun Oct 13, 2002 6:44 am   Post subject: Anyone "getting there" with WMQ 5.3 SSL?
Grand Master - Joined: 22 May 2001 - Posts: 1072 - Location: Fort Worth, TX, USA
Folks,
I am trying really, really hard to understand SSL with WMQ 5.3. Unfortunately, being new to security, it's like pulling teeth.
I have read the tutorial at http://www.mqseries.net/phpBB/viewtopic.php?t=5196&highlight=ssl and that seems fine. What I am trying to do though is actually understand SSL as used in MQ.
Is anyone else struggling in this fashion? Anyone used "makecert" successfully on a Windows environment?
I am mightily confused.
tjfunny1
Posted: Mon Oct 14, 2002 10:17 am   Post subject: Setup SSL for MQ Client applications
Apprentice - Joined: 17 Jun 2002 - Posts: 35 - Location: Atlanta
I used the following format for makecert:
Quote:
    makecert -sk MQKey1 -$ individual -sky 1 -eku "1.3.6.1.5.5.7.3.3" -n "CN=MQS1,T=CHP,OU=MQ,O=PA,L=FL,C=US" MQKEY.P12
    Succeeded
This created a file called MQKey.P12. I used MQ Services to add it to my key sto file. I think you can use MQSeries Services to add it also.
Of course, this only creates a self-signed certificate; it can't be used for certifying a user.
To set up the Qmgr, you must use MQSeries Services, Manage SSL Certificates. Select the certificate you created above, then use the ASSIGN button to assign a certificate to your Qmgr. After that is done, you can create a SVRCONN channel that uses SSL.
Next, you must set up the client channel:
1) First, you should create a backup copy of your blank amqclchl.tab file. This file is located under your qmgr directory @ipcc. If you have already added client channels to this file, copy it to another name and copy the SYSTEM/@ipcc/amqclchl.tab file over to your qmgr directory (this doesn't cause any problems, it just gives you a blank file).
2) Next, create a SVRCONN channel that has SSL set on, using CipherSpec = some method, like TRIPLE_DES_SHA_US. Whatever method you select, you must use the same method in the CLNTCONN channel.
3) Create a CLNTCONN channel, using the same name as you used for the SVRCONN channel name. Select the SSL CipherSpec method as used in the SVRCONN definition. (If authenticating both sides, client & server, you must check the box for "Always Authenticate Parties"; if you don't care about the client, then uncheck the box.)
4) Now, the tricky part. Copy the amqclchl.tab file from the @ipcc directory to a floppy (or some secure vehicle). This file will be installed on the client system, in the MQ client installation directory (usually Program Files/IBM/Websphere MQ/). One footnote: the client can't invoke SSL using the MQSERVER variable; they must use the amqclchl.tab file.
5) If you can't connect, you may need to export your qmgr public key over to the client's key sto. The client can use the amqmcert command to import the key.
5a) Right-click on your Internet Browser icon, select Properties, then the Content tab. Press the Certificates button. Select the certificate you created above, then the Export button. The export wizard walks you through the process (don't send the private key). Select Base-64 type (.cer). Name the file MQKey.cer. Use this file in step 8 below.
6) On the client system, before using the amqmcert command, set the environment variable that points to the key sto file:
    set MQSSLKEYR=c:\mqm\ssl\key
7) Display your key sto: amqmcert -k MY -l
8) amqmcert -a -p MQKey.cer (this is the file from the Server above)
9) Display your key sto again: amqmcert -k MY -l
This should work. The only thing is that if you must authenticate the client, then they must purchase a Digital Certificate & send you a public key file to install in your SSL key sto (using either amqmcert or MQ Services).
NOTE: client applications must be compiled with the MQ v5.3 libs to use the SSL methods. Old client apps (before v5.3) will not work.
Hope this helps, TJ
Tibor
Posted: Tue Oct 15, 2002 5:23 am
Grand Master - Joined: 20 May 2001 - Posts: 1033 - Location: Hungary
TJ,
Are you working with openssl? I couldn't purchase the makecert program, so I was trying with openssl, but MQ dropped a lot of errors.
Another question: can I handle certificates without IE? GUI is not an administration-friendly way...
Tibor
tjfunny1
Posted: Tue Oct 15, 2002 9:06 am
Apprentice - Joined: 17 Jun 2002 - Posts: 35 - Location: Atlanta
Not working with OpenSSL. The makecert was located in my \Program Files\Microsoft Office\Office directory (guess it came with MS Office).
I'm still working through issues myself getting things to work w/SSL. I'm trying to get the digital certificate issue taken care of also. I don't understand why it takes so much setup to get the SSL thing to work.
I'm open for answers myself.
kolban
Posted: Tue Oct 15, 2002 10:15 am
Grand Master - Joined: 22 May 2001 - Posts: 1072 - Location: Fort Worth, TX, USA
TJ,
I ran the makecert command you listed and it created a MQKey.P12 file as expected. I then used the MQSeries Services, Manage SSL and added it to my key.sto file.
Great.
When I tried to assign it using the ASSIGN button, it wouldn't show up on my list and I was unable to assign this to the queue manager.
dmj
Posted: Fri Oct 18, 2002 4:07 am
Novice - Joined: 09 Apr 2002 - Posts: 19 - Location: London
Kolban,
I also have the same problem assigning certificates. I have tried openSSL certificates that I have used for MQ Security Exits; they won't allow me to assign them. I was careful to make sure that the certificates had exportable keys as the Security manual states.
Then using tjfunny1's MAKECERT example I created new certificates but I cannot assign them.
The only certificate I have managed to assign is a very old one I have from some previous SSL testing and I cannot remember what the difference between that and my current certificates is.
Has anyone else managed to create and assign certificates?
Cheers
D
Tibor
Posted: Fri Oct 18, 2002 4:35 am
Grand Master - Joined: 20 May 2001 - Posts: 1033 - Location: Hungary
Yeeeeah!
Finally I did it! OK, SSL channels haven't worked yet, but the qmgr has got a valid certificate. Look at my steps:
1. creating a new CA certificate with openssl:
Code:
    openssl req -new -x509 -days 365 -text -nodes -out mqssl.pem -keyout mqssl.pem
2. exporting to the PKCS#12 format
Code:
    openssl pkcs12 -export -in mqssl.pem -out mqssl.p12
3. importing into IE with the wizard
4. adding to the store with amqmcert, because the "SSL tutorial" wrote about it: "For your first ever certificate into the MQSeries installation (before CSD1), you must use the command line interface to issue the following commands...".
5. assigning this certificate to the qmgr.
Tibor
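An added example, not code from Tibor's post or from IBM: the OpenSSL half of the recipe above as a POSIX shell script. It differs from Tibor's two commands in keeping the key and the certificate in separate files, and it adds the checks that later posts in this thread turn out to need: that the PKCS#12 file really opens with its password and carries the private key, that the file copied to the client side carries no key, and that every run issues a fresh serial number. The file names, the subject DN and the password 12345678 are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from IBM. Mirrors Tibor's two openssl
# steps with key and certificate in separate files and adds the checks later posts
# in the thread show to matter. File names, subject DN and password are assumptions.

# Create a self-signed certificate and private key for a queue manager test, export the
# pair as PKCS#12 (what amqmcert -a -p and the IE import wizard consume) and write a
# key-less Base-64 .cer that can safely be copied to the client side.
#   $1 = output directory, $2 = PKCS#12 password (amqmcert -z), $3 = subject DN
make_mq_test_cert() {
  dir=$1; pw=$2; subj=$3
  # Fresh serial number on every run: Windows keeps a trace of a deleted certificate,
  # so re-importing one with the same serial fails (kolban's finding later in the thread).
  serial=$(date +%s)
  openssl req -new -x509 -days 365 -nodes -subj "$subj" -set_serial "$serial" \
      -keyout "$dir/mqssl.key" -out "$dir/mqssl.crt" 2>/dev/null || return 1
  # An OpenSSL 3 build feeding a 2002-era importer may additionally need -legacy here.
  openssl pkcs12 -export -in "$dir/mqssl.crt" -inkey "$dir/mqssl.key" \
      -out "$dir/mqssl.p12" -passout "pass:$pw" || return 1
  # Public half only; PEM is what the IE export wizard calls "Base-64 encoded X.509 (.CER)".
  openssl x509 -in "$dir/mqssl.crt" -out "$dir/mqssl.cer"
}

# Succeeds when the PKCS#12 file opens with the given password and carries a private key;
# a certificate whose key is missing or not exportable cannot be assigned to a queue manager.
p12_has_private_key() {   # $1 = .p12 file, $2 = password
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Succeeds when a PEM file holds a certificate and no private key (safe to hand out).
is_public_only() {        # $1 = PEM file
  grep -q 'BEGIN CERTIFICATE' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Serial number of a PEM certificate, printed by openssl as "serial=<hex>".
cert_serial() {           # $1 = PEM certificate
  openssl x509 -in "$1" -noout -serial
}

# Demo: build the files in a scratch directory and show the serial that was issued.
if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  make_mq_test_cert "$workdir" '12345678' '/CN=MQS1/OU=MQ/O=PA/C=US' &&
    cert_serial "$workdir/mqssl.crt" && ls "$workdir"
fi
```

The resulting mqssl.p12 is what `amqmcert -a -p ... -z <password>` imports, and mqssl.cer is the key-less file that step 5a of TJ's post has you hand to the client.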
dmj
Posted: Fri Oct 18, 2002 5:50 am
Novice - Joined: 09 Apr 2002 - Posts: 19 - Location: London
Woo hoo.
Thanks Tibor, using your instructions I also managed to assign the certificate.
Next step is to test the implementation.
Cheers
D
Tibor
Posted: Sat Oct 19, 2002 6:34 pm
Grand Master - Joined: 20 May 2001 - Posts: 1033 - Location: Hungary
Tibor wrote:
    ...
    3. importing into IE with the wizard
    4. adding to the store with amqmcert, because the "SSL tutorial" wrote about it: "For your first ever certificate into the MQSeries installation (before CSD1), you must use the command line interface to issue the following commands...".
    5. assigning this certificate to the qmgr.
    ...
If someone is interested in "totally IE&MMC-free" SSL key handling, here are those steps:
3,4. importing and adding the key to a store (this function is available only on Win2000)
Code:
    C:\>amqmcert -a -p c:\temp\mqssl.p12 -z 12345678 -k MY -m TH2
    5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
    Using CURRENT_USER for default system stores.
    Certificate imported successfully.
-- looking at the certificates to identify the needed handle
Code:
    C:\>amqmcert -l -k MY -m TH2
    5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
    Using CURRENT_USER for default system stores.
    Enumerating Certificate Stores:
    WebSphere MQ Store (TH2):
    -------------------------
    00001: For VeriSign authorized testing only. No assurances (C)VS1997, For VeriSign authorized testing only. No assurances (C)VS1997
    00002: Class 3 Public Primary Certification Authority, Class 3 Public Primary Certification Authority
    00003: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, Class 3 Public Primary Certification Authority
    00004: Class 2 Public Primary Certification Authority, Class 2 Public Primary Certification Authority
    00005: VeriSign Class 2 CA - Individual Subscriber, Class 2 Public Primary Certification Authority
    00006: Class 1 Public Primary Certification Authority, Class 1 Public Primary Certification Authority
    00007: VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, Class 1 Public Primary Certification Authority
    00008: Thawte Server CA, Thawte Server CA
    00009: Thawte Premium Server CA, Thawte Premium Server CA
    00010: Thawte Personal Premium CA, Thawte Personal Premium CA
    00011: Thawte Personal Freemail CA, Thawte Personal Freemail CA
    00012: Thawte Personal Basic CA, Thawte Personal Basic CA
    00013: Secure Server Certification Authority, Secure Server Certification Authority
    00014: * myCert, myCert
    24: No certificate has been assigned to this WebSphere MQ queue manager.
5. assigning by handle
Code:
    C:\>amqmcert -m TH2 -d "00014"
    5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
    Using CURRENT_USER for default system stores.
    Enumerating Certificate Stores:
    WebSphere MQ queue manager assigned certificate (TH2):
    Name: myCert
    CA: myCert
    Certificate assigned successfully.
System Administration Guide, amqmcert: http://publibfp.boulder.ibm.com/epubs/html/amqzag03/amqzag033r.htm
----
On AIX I can make certificates only with iKeyman. If anyone knows a better solution, tell me.
Tibor
kolban
Posted: Sun Oct 20, 2002 6:46 pm
Grand Master - Joined: 22 May 2001 - Posts: 1072 - Location: Fort Worth, TX, USA
Tibor,
VERY nice posting. You may have created something that will live on a long time. Can you confirm that at the end of your recipe, you had encrypted links? I.e., were you able to form a pair of secure channels?
Tibor
Posted: Sun Oct 20, 2002 10:07 pm
Grand Master - Joined: 20 May 2001 - Posts: 1033 - Location: Hungary
kolban wrote:
    Tibor,
    VERY nice posting. You may have created something that will live on a long time. Can you confirm that at the end of your recipe, you had encrypted links? I.e., were you able to form a pair of secure channels?
Neil,
Yes, like a charm. Channel settings were the simplest step in this @#&! procedure... I had just set the same SSLCIPH value on both SDR/RCVR and the channels worked very well. Channel Status 'Binding' seemed slower, but I didn't measure the network performance.
Tibor
TonyD
Posted: Thu Oct 24, 2002 9:55 pm
Knight - Joined: 15 May 2001 - Posts: 540 - Location: New Zealand
You HAVE to use the command line interface when setting up SSL for an MQClient as there is no MQExplorer support (that I know of anyway). Here is the setup for Windows NT or 2K if anyone is interested (with grateful acknowledgement to Kevin Tobin's original SSL Functionality download); it is assumed you have obtained a certificate from a CA or created one:
1. Define a Client Connection channel and matching Server Connection channel in the normal way. SSL for the MQClient only works with Client Connection channels.
2. Set the environment variable 'MQSSLKEYR=drive:\<path>\key'. This is the Client Store for certificates. The actual file will be '<path>\key.sto' and will be created the first time you use the 'amqmcert' command. Do not include the '.sto' bit in the variable.
3. Run the command 'amqmcert -k MY -l'. This will list your own certificate(s) under 'SYSTEM STORE (MY)'. Each has a numeric 'handle' (nnnnn) alongside it.
4. Run the command 'amqmcert -a nnnnn' where 'nnnnn' is the handle you found in Step 3. This adds the certificate to the Client Store.
5. Run 'amqmcert -k CA -l' to find the handle(s) for the Intermediate CA Certificates for the authority that issued your certificate. You can use 'Tools/Internet Options/Content/Certificates', select your certificate and the 'Certification Path' tab to find the name of the certificate(s) for the Intermediate CA and also for the Root CA, which you will need.
6. Add the Intermediate CA certificate(s) also to the Client Store with 'amqmcert -a nnnnn' where 'nnnnn' is the handle you found in Step 5.
7. Run 'amqmcert -k ROOT -l' to find the handle for the Root CA certificate.
8. Add the Root CA certificate with 'amqmcert -a nnnnn'.
9. Find the handle of your certificate in the Client Store by running 'amqmcert -l'. It will be listed under the heading 'WebSphere MQ Client Store' and will have an '*' alongside it. This is the certificate you added in Step 4.
10. Assign the certificate to the MQClient with 'amqmcert -d nnnnn'.
11. Check the assignment with 'amqmcert -l'. If all has gone well you will see:
    Assigned MQClient Certificate:
    Name: <CertName>
    CA: <CAName>
12. Set the SSL Cipher for the Client Connection and Server Connection channels using the SSL tab in MQExplorer Channel Properties or 'SSLCIPH()' under runmqsc. The cipher must be the same for both channels.
13. You should now be able to send SSL messages between the MQClient and the queue manager. You can use the Port Sniffer in Kevin's download to view the encrypted message traffic.
14. If you have problems, recheck that the handles you have added form the correct Certificate Path and also that the certificate is assigned to the Client (and also that the Client Channel variables/definitions are correct). Note that a certificate has different handles when it is in multiple stores.
15. 'amqmcert -l' is the same as 'amqmcert -k <path>\key -l'. '-k' specifies the store and the 'MQSSLKEYR' value is used as the default if '-k' is not included in the command.
16. You can delete the file '<path>\key.sto' and start again if you need to. It will be recreated the next time you use 'amqmcert'.
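An added example, not code from TonyD's or Tibor's posts: a POSIX sh/awk reader for the `amqmcert -l` listing, for the steps above that say to find the handle with the '*' alongside it and that a certificate has different handles when it sits in several stores. It re-joins entries the console wrapped mid-line (as in Tibor's listing), keeps handles per store, and reports whether a certificate is assigned. The sample listing is constructed: its TH2 section reuses lines quoted earlier in the thread, while the "SYSTEM STORE (MY)" section, its header wording and the handle 00003 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or from IBM: a POSIX sh/awk reader for the
# `amqmcert -l` listing. It re-joins entries the console wrapped, tells stores apart,
# picks out the '*' (own certificate) entry and reports whether a certificate is assigned.

# Constructed sample. The TH2 section reuses lines quoted in the thread; the SYSTEM STORE (MY)
# section, its exact header wording and handle 00003 are assumptions made for this example.
SAMPLE_LISTING='5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Using CURRENT_USER for default system stores.
Enumerating Certificate Stores:
SYSTEM STORE (MY):
------------------
00003: myCert, myCert
WebSphere MQ Store (TH2):
-------------------------
00001: For VeriSign authorized testing only. No assurances (C)VS1997, For Ver
iSign authorized testing only. No assurances (C)VS1997
00002: Class 3 Public Primary Certification Authority, Class 3 Public Primary
Certification Authority
00014: * myCert, myCert
24: No certificate has been assigned to this WebSphere MQ queue manager.'

# Read a listing on stdin; print one tab-separated record per certificate:
#   store <TAB> handle <TAB> own(yes/no) <TAB> subject <TAB> issuer
parse_listing() {
  awk '
    function flush(   h, body, own, at, subj, issuer) {
      if (rec == "") return
      h = substr(rec, 1, 5); body = substr(rec, 8)       # strip "NNNNN: "
      own = "no"
      if (substr(body, 1, 2) == "* ") { own = "yes"; body = substr(body, 3) }
      at = index(body, ", ")                             # "subject, issuer"
      subj = at ? substr(body, 1, at - 1) : body
      issuer = at ? substr(body, at + 2) : ""
      printf "%s\t%s\t%s\t%s\t%s\n", store, h, own, subj, issuer
      rec = ""
    }
    /^[0-9][0-9][0-9][0-9][0-9]: /       { flush(); rec = $0; next }   # a certificate entry
    /^[0-9]+: No certificate has been/   { flush(); next }             # status message
    /^(Name|CA): /                       { flush(); next }             # assigned-certificate block
    /^Enumerating Certificate Stores:$/  { next }
    /:$/                                 { flush(); store = $0; sub(/:$/, "", store); next }
    /^-+$/                               { next }
    rec != "" {
      # Continuation of a wrapped entry. A lowercase start means the console broke a word
      # ("For Ver" + "iSign"); anything else was broken at a space, so put the space back.
      rec = rec ($0 ~ /^[a-z]/ ? "" : " ") $0
      next
    }
    END { flush() }
  '
}

# Handle of the starred (own) certificate in one store: the value to pass to amqmcert -d.
own_cert_handle() {     # $1 = store label as printed, e.g. "WebSphere MQ Store (TH2)"
  parse_listing | awk -F'\t' -v s="$1" '$1 == s && $3 == "yes" { print $2 }'
}

# Handle of a certificate by subject in one store. The same certificate carries a
# different handle in each store, so the store must always be named.
handle_for() {          # $1 = store label, $2 = subject
  parse_listing | awk -F'\t' -v s="$1" -v n="$2" '$1 == s && $4 == n { print $2 }'
}

# Name of the assigned certificate, or "none" when the listing reports none.
assigned_name() {
  awk '/^Name: / { print substr($0, 7); found = 1 } END { if (!found) print "none" }'
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | parse_listing
printf 'own handle in TH2: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | own_cert_handle 'WebSphere MQ Store (TH2)')"
```

Pipe a real listing in with `amqmcert -l ... | sh -c '. ./this.sh; own_cert_handle "WebSphere MQ Store (TH2)"'` style invocations, or paste the captured text into SAMPLE_LISTING; the store label must be given exactly as the listing prints it, since the same certificate shows a different handle in every store.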
tjfunny1
Posted: Fri Oct 25, 2002 6:53 am   Post subject: Certificate Request
Apprentice - Joined: 17 Jun 2002 - Posts: 35 - Location: Atlanta
Thanks to TonyD for the excellent instructions; these work great.
Now, my biggest problem: getting the right kind of certificate. I'm trying to use Thawte.com to get the certificate. They require a Certificate Request (.crt) file, that should be created by the product you want the certificate for. MQSeries interfaces (Explorer or Services) don't have any option to create this certificate request file. So, just how do we do it from the Windows interface?
Also, I'm not sure what type of certificate is needed. I've gotten a test certificate from GlobalSign.com, which was tied to my email address. I didn't need a Certificate Request for that (don't understand why). That certificate came with 'Server Authentication' and 'Email Authentication'. It works fine as an assigned certificate for the Qmgr (SSL to client works great). I've also received a free email certificate from Thawte.com, but that certificate only has 'client authentication', not Server.
Thawte.com offers something called a SuperCert 128. Their documentation states it's for a Web Server. They also offer Digital Signatures for applications, and email certificates. I can't get the SuperCert-128 without a certificate request file (.crt).
This is my big problem. I would like to get a Server authentication certificate for the Qmgr. How do we do it?
Another issue is the two-way authentication scenario, where both the client and Qmgr have certificates. How does this work? Is it required to export the client certificate, then import it to the Qmgr? Does the Qmgr export its certificate to the client store? This is a puzzle that isn't quite covered in the MQ documentation.
While I'm hot and on my soap box, one more little item: amqmcert documentation sucks! For example, it really doesn't give you the clear context of how to delete a certificate from the key.sto file. After experimenting, I found I could use:
Quote:
    amqmcert -d handle -r handle
I hope IBM will provide a clearer document on how to use the amqmcert command (with lots of examples).
That's all for now, hope this helps everyone with this new SSL bugger.
Tibor
Posted: Sat Oct 26, 2002 1:54 pm
Grand Master - Joined: 20 May 2001 - Posts: 1033 - Location: Hungary
TJ
Quote:
    Now, my biggest problem, getting the right kind of certificate.
Why are you insisting on web-based certificates when you can create these by openssl or makecert?
I don't know your environment, but my company has a special organization to issue certificates and handle any security-context problems. After all, I made a CA certificate for testing with openssl - that was faster.
I think IBM dropped this under-documented SSL solution to rouse all lazy MQ admins.
kolban
Posted: Tue Oct 29, 2002 6:24 pm   Post subject: Adding, deleting, readding certificates on windows ...
Grand Master - Joined: 22 May 2001 - Posts: 1072 - Location: Fort Worth, TX, USA
During the testing of SSL functions, I created a pair of certificates. One certificate was to be used as a "certificate authority" and the other as a certificate for a queue manager. I installed these certificates and all worked as expected. Later, I deleted these certificates to "clean up" my tests and then re-added them to the Windows certificate stores in exactly the same manner as before. What I found was that they would not define as they had previously. It appears that once you install a certificate, some trace of that certificate remains after it has been deleted. Attempting to re-install the exact same certificate failed. I was forced to recreate the certificates from scratch and all worked. I could use the same distinguished names, but the serial numbers of the certificates had to change.
Page 1 of 2