slate | Newbie | Joined: 05 Aug 2004 | Posts: 9
Posted: Fri Nov 19, 2004 8:02 am | Post subject: using openssl unix generated cert on a Windows qmgr

We are currently using SSL enabled channels on UNIX without issue (Solaris 2.8 and MQ 5.3 CSD07). Now we want to incorporate Windows into the mix. When I generate the certificates on UNIX and transfer them up to Windows, they get loaded in the qmgr store fine, but I am unable to assign any certificates to the qmgr because none of these certs have a private key. Has anybody successfully generated certs on UNIX and gotten them to work on Windows (win2000, mq 5.3 csd08)?
Any help would be greatly appreciated.
Regards,
Scott
 |
Anirud | Master | Joined: 12 Feb 2004 | Posts: 285 | Location: Vermont
Posted: Fri Nov 19, 2004 8:35 am

Are you trying to create a certificate on a UNIX system for a Windows queue manager and trying to assign it to the Windows queue manager?
 |
slate | Newbie | Joined: 05 Aug 2004 | Posts: 9
Posted: Fri Nov 19, 2004 10:00 am

Yes.
Openssl generated certificates are supposed to be platform independent.
The certs load into the store fine. They just cannot be assigned to the qmgr.
Thanks...
 |
jefflowrey | Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981
Posted: Fri Nov 19, 2004 10:22 am

It sounds to me like you are not exporting the private certificate/key as well as the public.
If you need to move an entire cert to another machine, you need to export both pieces.
I don't have instructions for doing this with openssl, but I'm sure they're easy to find.
_________________
I am *not* the model of the modern major general.
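
What exporting "both pieces" looks like with the openssl command line, as an added example that is not part of the original thread: it builds a throwaway CA and a certificate for QM2, exports it once without and once with the private key as PKCS#12, and checks each bundle before it is copied to the Windows machine. All file names, subjects, the friendly name and the password are constructed for the example.

```shell
#!/bin/sh
# Added example. Every name, subject and password here is constructed.
set -eu
WORK=$(mktemp -d)
PASS='example-only-password'

make_certs() {   # throwaway root CA plus a CA-signed certificate for "QM2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=QM2" \
    -keyout "$WORK/qm2.key" -out "$WORK/qm2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/qm2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/qm2.pem" 2>/dev/null
}

export_cert_only() {   # public piece only: imports cleanly, cannot be assigned
  openssl pkcs12 -export -nokeys -in "$WORK/qm2.pem" \
    -out "$WORK/certonly.p12" -passout "pass:$PASS"
}

export_with_key() {    # both pieces, plus the signer certificate
  openssl pkcs12 -export -inkey "$WORK/qm2.key" -in "$WORK/qm2.pem" \
    -certfile "$WORK/ca.pem" -name "qm2-example" \
    -out "$WORK/qm2.p12" -passout "pass:$PASS"
}

count_private_keys() { # prints 0 for a bundle that carries no private key
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

key_matches_cert() {   # the bundled key must derive the certificate's public key
  c=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -pubkey)
  k=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
  [ "$c" = "$k" ]
}

make_certs
export_cert_only
export_with_key
echo "cert-only bundle: $(count_private_keys "$WORK/certonly.p12") private key(s)"
echo "full bundle:      $(count_private_keys "$WORK/qm2.p12") private key(s)"
key_matches_cert "$WORK/qm2.p12" && echo "key matches certificate"
```

The PKCS#12 file produced by `export_with_key` contains the unencrypted-at-rest equivalent of the queue manager's identity once its password is known, so move it over a protected channel and delete the copy after import.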
 |
slate | Newbie | Joined: 05 Aug 2004 | Posts: 9
Posted: Mon Nov 22, 2004 8:14 am

Can you explain what you mean by both pieces? Here is my scenario. I have a QM on Solaris, QM1, and a QM on Windows, QM2. I created two sets of certificates on the Solaris box, one for each queue manager. I then did the export for the Windows QM2 certs. I used the following command:
gsk6cmd -cert -export -db <db> -pw <pw> -label ibmwebs..... -type pkcs12 -target <filename>
This appeared to work since I was able to load and assign the certs to the Windows queue manager. I still get an authentication error when trying to start the channels. It says the public key cannot validate the certificate. One of the things we are doing on the UNIX side is converting the certs to x509 certs (PEM format) before we load them into the key repository. I'm not sure if this has any effect on Windows, but I am not a digital certificate expert by any stretch of the means.
Any guidance would be greatly appreciated.
Thanks,
Scott
 |
slate | Newbie | Joined: 05 Aug 2004 | Posts: 9
Posted: Mon Nov 22, 2004 12:27 pm | Post subject: - updated

OK. I got the certificate exported correctly, and loaded the root certificate in the windows key store first and now I have a valid certificate.
Now a new problem. I have the cipherspec set to TRIPLE_DES_SHA_US on all 4 channels (both pairs). The channel from Solaris to windows now works fine, but the channel from windows to solaris will only work with encryption turned off altogether. Has anyone else seen this behavior?
Thanks,
Scott