catacomb (Novice; Joined: 16 Nov 2006; Posts: 10)
Posted: Sun Dec 10, 2006 10:13 pm    Post subject: Creating and using SSL cert
I have read up some articles but somehow am still having problems creating a client cert. Every time I try to create one I get "The specified database has been corrupted". I have already created the key database with the following command:
runmqckm -keydb -create -db " my folder\EDCMQ.QMT.kdb" -pw [password] -type cms -expire 365 -stash
and didn't face any issues, but when I try to create the client certificate using:
runmqckm -cert -create -db " my folder\EDCMQ.QMT.kdb" -pw [password] -label test.qmt -dn " CN=mycompany.com, OU=mycompany, O=my unit, L=Singapore, ST=Singapore, C=SG" -expire 365
it prompts "The specified database has been corrupted". Where can I get a detailed error on this, as when I was creating the key database there was no such issue? Only when I wanted to create the cert did the error come out. Thanks a lot for the help.

mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Mon Dec 11, 2006 2:30 am    Post subject: Re: Creating and using SSL cert

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Mon Dec 11, 2006 4:35 am
The Support Pack MO04 is very handy in these kinds of situations.
_________________
I am *not* the model of the modern major general.

aboggis (Centurion; Joined: 18 Dec 2001; Posts: 105; Location: Auburn, California)
Posted: Tue Jan 09, 2007 3:08 pm    Post subject: Problems with configuring SSL channels...
Using the "HOWTO:..." PDF doc in the preceding post, I'm having some problems. I get to step 2.7, then get the error:
Quote:
An attempt to store the certificate has failed.
All the signer certificates must exist in the key database.
I'm gonna plug away some more, but does anyone have any suggestions?

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Tue Jan 09, 2007 3:33 pm
jefflowrey wrote:
The Support Pack MO04 is very handy in these kinds of situations.
_________________
I am *not* the model of the modern major general.

aboggis (Centurion; Joined: 18 Dec 2001; Posts: 105; Location: Auburn, California)
Posted: Tue Jan 09, 2007 10:48 pm
Definitely a very useful tool, and I think it taught me a few lessons too.
I have two queue managers, TEST1 & TEST2. As you might expect, each queue manager has a pair of SDR/RCVR channels for exchanging messages (these are not clustered queue managers).
So, if I have things correct, I need to essentially run the tool twice, once for the TEST1 to TEST2 direction (TEST1 is the "client"; TEST2, with the RCVR channel, is the "server") and once more for the other direction (TEST2 to TEST1). In my case I only need to secure the channel between the queue managers because the application(s) connecting to the queue managers will be running locally on each queue manager's host machine.
On a related note, in the instructions for updating the queue manager's RCVR channel's attributes (TEST1.TO.TEST2), it states:
Quote:
ALTER CHANNEL(TEST1.TO.TEST2) CHLTYPE(RCVR) SSLCAUTH(OPTIONAL)
If I'm performing this process in order to set up SSL across the channel, shouldn't this read:
Quote:
ALTER CHANNEL(TEST1.TO.TEST2) CHLTYPE(RCVR) SSLCAUTH(REQUIRED)

mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Wed Jan 10, 2007 1:55 am    Post subject: Re: Problems with configuring SSL channels...
Quote:
An attempt to store the certificate has failed.
All the signer certificates must exist in the key database.
Looks, at first sight, like the certificate you are trying to "Add" is signed by some other certificate that isn't already in your key repository. How did you create the certificate you wish to Add?

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Jan 10, 2007 2:23 am
I think you only need to run the tool once, not twice. You're going to create a certificate for each queue manager, add that to the queue manager itself, extract the public key part of the cert and then add that to the OTHER queue manager.
You should start with SSLCAUTH(OPTIONAL). Once that's working, then you can set it to REQUIRED and troubleshoot any issues that come up. Small steps.
_________________
I am *not* the model of the modern major general.
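An added example to go with mvic's point above (the certificate being added must chain to a signer already in the repository) and jefflowrey's outline of the procedure (create a certificate per queue manager, extract the public part, add it to the other side). It is not part of the thread or of SupportPac MO04. It uses openssl and PEM files in place of runmqckm and the CMS .kdb repositories, since runmqckm is only available with an MQ installation; the runmqckm verbs named in the comments (-cert -create, -cert -extract, -cert -add) are the commands each step corresponds to. Queue manager names TEST1/TEST2 and the DN fields are taken from the thread; the work directory, file names and function names are assumptions of this example. The label convention it follows, ibmwebspheremq plus the queue manager name in lower case, is what WebSphere MQ V6 expects for a queue manager's own certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Models the trust exchange between two
# queue managers with openssl and PEM files standing in for runmqckm and the
# CMS .kdb repositories (runmqckm needs an MQ installation). Mapping:
#   runmqckm -cert -create   -> create_self_signed   (self-signed cert per QM)
#   runmqckm -cert -extract  -> extract_public       (public cert written out)
#   runmqckm -cert -add      -> add_signer           (added to the OTHER side)
# Queue manager names TEST1/TEST2 and the DN fields follow the thread; the
# work directory, file names and function names are this example's own.

WORK="${WORK:-$(mktemp -d)}"

# MQ V6 label for a queue manager's own certificate: "ibmwebspheremq"
# followed by the queue manager name in lower case. Used here as the file
# stem so the convention stays visible.
qm_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Step 1 (runmqckm -cert -create): self-signed certificate and private key.
create_self_signed() {
    qm="$1"
    label=$(qm_label "$qm")
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$label.key" -out "$WORK/$label.crt" \
        -subj "/CN=$qm/OU=mycompany/O=my unit/L=Singapore/ST=Singapore/C=SG" \
        >/dev/null 2>&1
}

# Step 2 (runmqckm -cert -extract): the public part only, never the .key file.
# A self-signed cert is its own signer, so this one file is the full chain.
extract_public() {
    cp "$WORK/$(qm_label "$1").crt" "$WORK/$1.public.pem"
}

# Step 3 (runmqckm -cert -add): put the PEER's public cert into THIS side's
# repository as a signer. Without this the peer cannot be validated.
add_signer() {
    this="$1"
    peer="$2"
    cat "$WORK/$peer.public.pem" >> "$WORK/$this.trust.pem"
}

# The check a receiving end performs during the handshake: does the peer's
# certificate chain to a signer already present locally? 0 = trusted.
# With no matching signer present this fails, which is the PEM-file version
# of "All the signer certificates must exist in the key database".
peer_trusted() {
    this="$1"
    peer="$2"
    [ -s "$WORK/$this.trust.pem" ] || return 1
    openssl verify -CAfile "$WORK/$this.trust.pem" "$WORK/$peer.public.pem" >/dev/null 2>&1
}

# Both directions in one pass: each side creates, extracts, and hands its
# public cert to the other. One run covers SDR and RCVR on both sides.
setup_mutual_trust() {
    for qm in TEST1 TEST2; do
        create_self_signed "$qm" && extract_public "$qm" || return 1
    done
    add_signer TEST1 TEST2
    add_signer TEST2 TEST1
}

# Usage: setup_mutual_trust && peer_trusted TEST1 TEST2 && echo "TEST2 trusted by TEST1"
```

Run setup_mutual_trust once; afterwards peer_trusted TEST1 TEST2 and peer_trusted TEST2 TEST1 both return 0. A certificate that was created but never added to the other side's trust file fails the check, which is the situation the "signer certificates must exist" refusal reports when a cert is added to a .kdb whose signer is absent.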

aboggis (Centurion; Joined: 18 Dec 2001; Posts: 105; Location: Auburn, California)
Posted: Wed Jan 10, 2007 11:01 am
Well, I've left (for now) SSLCAUTH(OPTIONAL) and the channel gets started successfully. However, I don't see any indication in the event log (this is on Windows) that the SSL negotiation was successful (or otherwise).
But since, when I check the channel's status (using either MQ Explorer or runmqsc), I see values in SSLCERTI and SSLPEER, can I assume that SSL is now enabled on this channel?

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Jan 10, 2007 11:17 am
Those seem like reasonable indicators to me.
You can also look at enabling SSL security events and see if that reports anything.
Or try snooping the network traffic ...
_________________
I am *not* the model of the modern major general.

aboggis (Centurion; Joined: 18 Dec 2001; Posts: 105; Location: Auburn, California)
Posted: Wed Jan 10, 2007 11:26 am
Now that I've changed SSLCAUTH(REQUIRED) on the RCVR channel, things are *not* working.
I get the following in the event log:
Quote:
Channel is lacking a certificate.
The channel is lacking a certificate to use for the SSL handshake. The channel name is 'QM1.TO.QM2' (if '????' it is unknown at this stage in the SSL processing). The channel did not start.
Make sure the appropriate certificates are correctly configured in the key repositories for both ends of the channel.
If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the missing certificate is due to a failure during SSL key repository migration. Check the relevant error logs. If these show that an orphan certificate was encountered then you should obtain the relevant missing certification authority (signer) certificates and then import these and the orphan certificate into the WebSphere MQ V6 key repository, and then re-start
In order to create the certs used, I used SupportPac MO04 (as recommended) and followed its instructions. Did I perhaps miss something?
I have a simple test case of QM1 and QM2, with a remote queue def in QM1, sending to a local queue on QM2, via the xmit queue TO.QM2 over the SDR channel QM1.TO.QM2.
On a side note, what's the real point in setting SSLCAUTH(OPTIONAL)? It seems to me that if you set up SSL, you want it to be used...

aboggis (Centurion; Joined: 18 Dec 2001; Posts: 105; Location: Auburn, California)
Posted: Wed Jan 10, 2007 1:36 pm
I'll reply to my own message as someone else reading this might run into the same issue...
In my case I simply was using the wrong sequence of steps... If you're trying to secure an SDR/RCVR channel between queue managers, then when using the SSL wizard you need to specify (check) the "Auth. Client" check box. This then generates the sequence of "runmqckm" commands needed.

catacomb (Novice; Joined: 16 Nov 2006; Posts: 10)
Posted: Thu Jan 11, 2007 8:50 pm
Thanks all. I'm not sure what the exact problem was, but deleting the key database and cert and recreating them all over again seems to have solved the problem. Thanks again.