| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| *SOLVED* Problem with SSL/GSKit7 on HP-UX |
« View previous topic :: View next topic » |
| Author |
Message
|
| Kristoffer |
 Posted: Tue Dec 05, 2006 12:47 am Post subject: *SOLVED* Problem with SSL/GSKit7 on HP-UX |
 |
|
Novice
Joined: 21 Nov 2006
Posts: 15
Location: Sweden
|
Hi,
I have run into annoying problems when trying to add SSL certificates to a queue manager. I'm using WMQ 6.0.1.0 on a HP-UX 11 IA64 server.
I'm logged in as mqm, and working in the /var/mqm/qmgrs/<qmgr>/ssl directory. All files in there has ownership mqm:mqm
Here's the approach I've taken:
Set up env. variable for the IBM Java:
export PATH=/opt/mqm/java/sdk/bin/:$PATH
Create a new key database:
gsk7cmd_64 -keydb -create -db key -pw <mypassword> -type cms -expire 730 -stash
Works like a charm. I kan list the certificates in key.kdb (contains the default CA certs).
Now I want to import my private key and trusted certificate to key.kdb:
gsk7cmd_64 -cert -import -file <my jks> -type jks -pw <mypassword> -target key.kdb -target_pw <mypassword> -target_type cms -label ibmwebspheremq<qmgrname>
This fails with the following error: An unrecognized private key type was found.
I can list the certificate in my jks file and can also view the details:
| Code: |
Label: ibmwebspheremq<MyQueueManagerName>
Key Size: 2048
Version: X509 V1
Serial Number: 02
Issued By: <MyRootCertName>
<MyDepartement>
<MyCompany>
SE
Subject: <MyQueueManagerName>
<MyDepartement>
<MyCompany>
SE
Valid From: Monday, December 4, 2006 3:37:12 PM CET To: Thursday, December 4, 2008 3:37:12 PM CET
Fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature Algorithm: 1.2.840.113549.1.1.2
Trust Status: enabled
|
I can add my trusted certificate from a .cer file to the key.kdb store but that does not affect my ability to import the private queue manager certificate to the key.kdb store.
Since MQ6 has been out there for some time now, and SSL is widely spread I'm sure that a lot of you people in this forum use it. Has anyone had the same problem? Any advices?
Thanks!
Last edited by Kristoffer on Thu Dec 14, 2006 6:42 am; edited 1 time in total |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Tue Dec 05, 2006 2:34 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
...
Are you sure you're using the right JDK?
The Support Pack MO04 is very handy for these kinds of things.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| Kristoffer |
| Posted: Tue Dec 05, 2006 4:26 am Post subject: |
|
|
Novice
Joined: 21 Nov 2006
Posts: 15
Location: Sweden
|
| jefflowrey wrote: |
...
Are you sure you're using the right JDK?
The Support Pack MO04 is very handy for these kinds of things. |
I'm not sure about which Java to use. I tried using the one located in /opt/mqm/ssl/jre/bin/ instead, but I got the same error.
If I use any of the Javas other than the two I've tried above I receive an error telling me that Java Cryptographic Extension files are missing. So I guess I'm using the right Java? |
|
| Back to top |
|
|
| Kristoffer |
| Posted: Thu Dec 14, 2006 6:44 am Post subject: |
|
|
Novice
Joined: 21 Nov 2006
Posts: 15
Location: Sweden
|
This has been solved. The problem was that the key inside the JKS file didn't have the same password as the key store itself.
The tool I use (KeyStore Explorer) to manage certificates automaticly sets the password for all keys to "password" when converting a pkcs12 store to JKS. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
