BBM
Posted: Tue Aug 22, 2006 9:47 am Post subject: SSL and MSCS
Master
Joined: 10 Nov 2005 Posts: 217 Location: London, UK
Hi,
Does anyone have any experience with MQ + SSL +MSCS?
I asked this question a few months back but did not get any responses.
IBM I'm afraid to say has drawn a blank also.
Thanks
BBM
jefflowrey
Posted: Tue Aug 22, 2006 10:01 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
MSCS shouldn't affect SSL.
As long as your keyrings are in the failover resource group.
_________________
I am *not* the model of the modern major general.
BBM
Posted: Tue Aug 22, 2006 10:07 am Post subject:
Master
Joined: 10 Nov 2005 Posts: 217 Location: London, UK
Hi,
I'm not sure what you mean by that. I'm using MQ 5.3 and you are forced to use the Windows certificate management store.
When I fail the cluster over the queue manager goes over fine but loses its certificate assignment - so the SSL enabled channels will not start until the certificate on the new node is assigned to the queue manager.
The little information I have had from IBM has stated that the keystore cannot reside on a shared drive in 5.3, by the way.
Thanks
BBM
jefflowrey
Posted: Tue Aug 22, 2006 10:48 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Oh, well.
v5.3.
Yes, that might be an issue.
You should be able to import all the certs into the keystores on both systems.
That is, each keystore needs to have all certs. But the running queue manager will only pick up its certs.
Seems like a good business reason to upgrade to v6, too.
BBM
Posted: Tue Aug 22, 2006 10:56 am Post subject:
Master
Joined: 10 Nov 2005 Posts: 217 Location: London, UK
Great - thanks.
Does this mean that I need to use the same private certificate across both nodes?
I've tried using different physical certs with the same filenames and distinguished names but this doesn't work.
I guess the only way is to request the cert for one node (our CA issues certs based on physical node name) and then copy it to the keystore on the other node.
I would dearly love to upgrade to v6.0 - unfortunately it's not in the plan (yet).
cheers
BBM
jefflowrey
Posted: Tue Aug 22, 2006 11:16 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
You should have one cert for the virtual address. The public and private parts of that same cert should be in both keystores.
Well, actually, it's a cert for the queue manager, not the virtual address. Right? The cert is named ibmwebspheremqblahblah etc. or something.
Then any time you need to add a client/external party cert, you need to add it to both keystores.
BBM
Posted: Tue Aug 22, 2006 11:37 am Post subject:
Master
Joined: 10 Nov 2005 Posts: 217 Location: London, UK
Hi,
Thanks for that. I can't request for virtual names unfortunately but I can use a physical node's cert on both nodes. Our cert names are currently in the format QMNAME.DNSNAME.cer. So I guess using one of the node names on both nodes wouldn't bother MQ either way.
I'll let you know how I get on - and I really appreciate the help - you have answered what IBM could not!
thanks
BBM
jefflowrey
Posted: Tue Aug 22, 2006 11:43 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
BBM wrote:
> You have answered what IBM could not!
I guess it depends on who you talk to.
Also, I haven't answered anything until it actually works, right?
BBM
Posted: Tue Aug 29, 2006 5:31 am Post subject:
Master
Joined: 10 Nov 2005 Posts: 217 Location: London, UK
Hi,
Quick update:
We managed to get SSL working over MSCS by copying the same private certificate over both nodes - not very private huh!
Thanks jefflowrey for helping out where IBM couldn't.
All the same the SSL implementation across MSCS in 5.3 is a bodge - better we upgrade to 6.0 asap.
Cheers
BBM
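An added check for the setup the thread settles on (the same queue manager certificate, with its private key, in both nodes' keystores, plus every partner certificate in both). This is example code written here, not code from the thread, from IBM or from MQ; it assumes the certificates sit in the LocalMachine\My store on each node, that the queue manager's certificate carries a friendly name starting with ibmwebspheremq, that PowerShell remoting is enabled, and the node names are placeholders. It reads certificate metadata only and never exports private keys.

```powershell
# Added example (not from the thread): compare the certificate stores of the two
# cluster nodes so that a failover does not leave the queue manager without its
# own certificate or without a partner's certificate.
# Assumed (not stated in the thread): store = Cert:\LocalMachine\My, queue manager
# certificate friendly name starts with "ibmwebspheremq", remoting is enabled.
param(
    [string[]]$Nodes = @('MQNODE1', 'MQNODE2'),   # placeholder node names
    [string]$QmgrLabelPrefix = 'ibmwebspheremq'
)

# Inventory per node: thumbprint, subject, friendly name, private-key presence, expiry.
$inventory = @{}
$allCerts = @()
foreach ($node in $Nodes) {
    $inventory[$node] = @(Invoke-Command -ComputerName $node -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My |
            Select-Object Thumbprint, Subject, FriendlyName, HasPrivateKey, NotAfter
    })
    $allCerts += $inventory[$node]
}

# Any certificate present on only one node is a failover risk: the SSL channels
# will not start on the node where it is missing.
$allThumbprints = $allCerts | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique
foreach ($tp in $allThumbprints) {
    $missingOn = @($Nodes | Where-Object { -not (@($inventory[$_].Thumbprint) -contains $tp) })
    if ($missingOn.Count -gt 0) {
        $subject = ($allCerts | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1).Subject
        Write-Warning "Certificate $tp ($subject) is missing on: $($missingOn -join ', ')"
    }
}

# The queue manager's own certificate must exist with its private key on every node,
# and it should not be close to expiry on either of them.
foreach ($node in $Nodes) {
    $qmCert = $inventory[$node] |
        Where-Object { $_.FriendlyName -like "$QmgrLabelPrefix*" } |
        Select-Object -First 1
    if (-not $qmCert) {
        Write-Warning "${node}: no certificate labelled $QmgrLabelPrefix* found"
    } elseif (-not $qmCert.HasPrivateKey) {
        Write-Warning "${node}: queue manager certificate $($qmCert.Thumbprint) has no private key"
    } elseif ($qmCert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "${node}: queue manager certificate expires $($qmCert.NotAfter)"
    } else {
        Write-Output "${node}: queue manager certificate $($qmCert.Thumbprint) OK (private key present)"
    }
}
```

Run it before a planned failover test so that a missing partner certificate or an absent private key on the passive node is found before the channels fail to start.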