  MQSeries.net
Securing client channel for Config Manager
fschwarz
Posted: Mon Nov 13, 2006 9:29 am    Post subject: Securing client channel for Config Manager

Newbie

Joined: 31 Oct 2006
Posts: 7

Hi all,

We are running WMB V6.0 on Solaris 9.

In order to provide a more secure environment we would like to secure the channel SYSTEM.BKR.CONFIG with SSL (certificates from local machine only, we are trying to not allow remote connections).

Will the mqsi* commands (using a client channel?) still work? Is there a guideline you know of on how to set up this kind of configuration for Message Broker V6?

Thanks a lot in advance
jefflowrey
Posted: Mon Nov 13, 2006 9:46 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I think if you do this, then you must pass a connection file to the mqsi* commands that talk to the configmgr, rather than using the -host -qmgr -port options.
_________________
I am *not* the model of the modern major general.
fschwarz
Posted: Fri Nov 17, 2006 2:56 am    Post subject: SSL working - CMS stash question

Newbie

Joined: 31 Oct 2006
Posts: 7

Hi all,

After some days of reading and testing, I managed to get the configuration working with Java Key Store files (created by GSK7) under Windows (for testing).

In order to have the commands like mqsicreateexecutiongroup working, I had to manually call the Java classes (as the .bat file does), including the password for the keystore.

I tried to use CMS files with a stashed password (in a .sth file) in order to not have to provide the password on the command line or in the environment of the process.

Unfortunately this does not seem to work, since the connection cannot be established in this case. Any ideas?

Here is the command line I use for jks store:
"C:\Program Files\IBM\WMB\60\bin\..\jre\bin\java" -Djavax.net.ssl.keyStorePassword=<XXX> com.ibm.broker.config.util.ExecutionGroupControl -create -n c:\workspace\Server\LOCAL.configmgr -b <Broker> -e <Exec>

The LOCAL.configmgr file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configmgr crlNameList="" domainName="<CfgManager>" host="localhost" listenerPort="<Port>" queueManager="<QueueManager>" securityExit="" securityExitJar="" sslCipherSuite="SSL_RSA_WITH_RC4_128_MD5" sslDistinguishedNames="" sslKeyStore="C:\Program Files\IBM\WebSphere MQ\Qmgrs\<QueueManager>\ssl\client.kdb" sslTrustStore="C:\Program Files\IBM\WebSphere MQ\Qmgrs\<QueueManager>\ssl\client.kdb"/>


I would like to be able to simply call the command without specifying the keystore password - which is what the stash file is meant for, right?

Thanks @all
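
A connection file like the LOCAL.configmgr in the last post can be checked mechanically before it is used. The following is an added example, not part of the original thread or of IBM's tooling: it parses a .configmgr file and reports a deprecated cipher suite (the RC4/MD5 suite shown above), a non-loopback host, and empty SSL attributes. The sample values are constructed, and reading an empty sslDistinguishedNames or crlNameList as "nothing configured" is an assumption based on the attribute names.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the LOCAL.configmgr in the post above; the
# domain, port, queue manager and key store paths are made-up values.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<configmgr crlNameList="" domainName="CFGMGR1" host="localhost"
  listenerPort="1414" queueManager="QM1" securityExit="" securityExitJar=""
  sslCipherSuite="SSL_RSA_WITH_RC4_128_MD5" sslDistinguishedNames=""
  sslKeyStore="/var/mqm/ssl/client.jks" sslTrustStore="/var/mqm/ssl/client.jks"/>"""

# Name components that mark a cipher suite as deprecated: no encryption,
# no authentication, export-grade keys, RC4, single or triple DES, MD5 MAC.
WEAK_TOKENS = {"NULL", "anon", "EXPORT", "RC4", "DES", "DES40", "3DES", "MD5"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Assumption: an empty value here means no peer-DN filter / no CRL / no store.
MUST_BE_SET = ("sslDistinguishedNames", "crlNameList", "sslKeyStore", "sslTrustStore")


def audit_configmgr(xml_text):
    """Return (attribute, finding) pairs for one .configmgr connection file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "configmgr":
        raise ValueError("root element is not <configmgr>")
    findings = []
    suite = root.get("sslCipherSuite", "")
    weak = [tok for tok in suite.split("_") if tok in WEAK_TOKENS]
    if not suite:
        findings.append(("sslCipherSuite", "empty"))
    elif weak:
        findings.append(("sslCipherSuite", "deprecated: " + "+".join(weak)))
    # The thread's goal is local-only access, so a non-loopback host is flagged.
    if root.get("host", "") not in LOOPBACK:
        findings.append(("host", "not loopback"))
    for attr in MUST_BE_SET:
        if not root.get(attr, ""):
            findings.append((attr, "empty"))
    return findings


if __name__ == "__main__":
    for attr, finding in audit_configmgr(SAMPLE):
        print(f"{attr}: {finding}")
```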