SSL Requirement for Multiple Queue Managers on the same host
prakashv
Posted: Mon Jan 22, 2007 4:54 pm Post subject: SSL Requirement for Multiple Queue Managers on the same host

Newbie
Joined: 22 Jan 2007 Posts: 8

Hi All,
I am configuring SSL for queue managers. I have two queue managers named AQM1 and AQM2 on host A. I generated a request using gsk7ikm for queue manager AQM1, got back the certificate from the CA, imported it and configured SSL for queue manager AQM1. I am trying to configure SSL for another queue manager, AQM2, on the same host A. Do I need to generate another certificate request and send it to the CA for approval, or can I copy the certificates / key directory from the AQM1 queue manager into queue manager AQM2 and use it?
Please let me know.
Thanks, Prakash
jefflowrey
Posted: Mon Jan 22, 2007 4:59 pm Post subject:

Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Certs are named for queue managers, not hosts.
_________________
I am *not* the model of the modern major general.
Paul Mitchell
Posted: Fri Jan 26, 2007 6:06 am Post subject: SSL Requirement for Multiple Queue Managers on the same host

Newbie
Joined: 26 Jan 2007 Posts: 3

Prakash,
Whilst in theory you could use the same certificate in multiple places (dependent on your naming convention) you're well advised to have one per queue mgr, and a naming convention that includes the queue manager name.
Otherwise, for example, you could connect the wrong queue manager to a remote host, and it would pass the (non-specific) SSLPEER check.
Regards, Paul
sebastianhirt
Posted: Fri Jan 26, 2007 6:15 am Post subject: Re: SSL Requirement for Multiple Queue Managers on the same

Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany

Paul Mitchell wrote:
Whilst in theory you could use the same certificate in multiple places (dependent on your naming convention)

How exactly would you do this?

jefflowrey wrote:
Certs are named for queue managers, not hosts.

It is always
ibmwebspheremq<QMNameInLowerCase>
jefflowrey
Posted: Fri Jan 26, 2007 6:15 am Post subject:

Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

In WebSphere MQ SSL, Key Labels have fixed, defined name standards. For a queue manager, this must include the queue manager name, otherwise the queue manager will not be able to find it.
It would, eventually, be a useful extension to have SSLKEYLABEL be an option on ALTER QMGR - but that's neither here nor there.
_________________
I am *not* the model of the modern major general.
Paul Mitchell
Posted: Fri Jan 26, 2007 6:37 am Post subject:

Newbie
Joined: 26 Jan 2007 Posts: 3

Well, on the mainframe, the ibmwebsphereMQxxxx is not part of the certificate - it is a label. Although I haven't tried it, I can't see why it isn't possible to have duplicate copies of a certificate, each with a label reflecting the relevant queue manager.
But at handshake, it's the validity of the certificate and the SSLPEER filtering that is checked, not the accuracy of the label.
Don't know how true this is for midrange/Windows. And also note - I am NOT IN ANY WAY advocating this!
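Added illustration of the SSLPEER point raised in this thread (not code from any poster or from IBM): a simplified Python model of a remote channel's SSLPEER filter, showing why one certificate copied under both queue managers' labels cannot be told apart at the handshake. The DNs, the `O=Example Corp` value and the matching rules (attribute=value pairs with `*` wildcards, no OU ordering or escaped commas) are assumptions; the label format is the one quoted above for distributed platforms.

```python
from fnmatch import fnmatchcase

def key_label(qmgr):
    # Label convention quoted in the thread for distributed platforms.
    return "ibmwebspheremq" + qmgr.lower()

def parse_dn(dn):
    # 'CN=AQM1,O=Example Corp' -> {'CN': 'AQM1', 'O': 'Example Corp'}
    # Simplification: no escaped commas, one value per attribute.
    pairs = (part.split("=", 1) for part in dn.split(","))
    return {k.strip().upper(): v.strip() for k, v in pairs}

def sslpeer_accepts(sslpeer, cert_dn):
    # Simplified model: every attribute named in the filter must be
    # present in the certificate DN and match ('*' is a wildcard).
    cert = parse_dn(cert_dn)
    return all(k in cert and fnmatchcase(cert[k], pattern)
               for k, pattern in parse_dn(sslpeer).items())

def who_can_connect(sslpeer, key_repos):
    # The label only selects which certificate a queue manager presents;
    # the remote side sees the DN, never the label.
    accepted = []
    for qmgr, repo in key_repos.items():
        dn = repo.get(key_label(qmgr))
        if dn is not None and sslpeer_accepts(sslpeer, dn):
            accepted.append(qmgr)
    return accepted

# Constructed sample data: one certificate copied under two labels ...
SHARED = {
    "AQM1": {"ibmwebspheremqaqm1": "CN=hostA,O=Example Corp"},
    "AQM2": {"ibmwebspheremqaqm2": "CN=hostA,O=Example Corp"},
}
# ... versus one certificate per queue manager, named after it.
PER_QMGR = {
    "AQM1": {"ibmwebspheremqaqm1": "CN=AQM1,O=Example Corp"},
    "AQM2": {"ibmwebspheremqaqm2": "CN=AQM2,O=Example Corp"},
}

if __name__ == "__main__":
    for peer, repos in [("O=Example Corp", SHARED),
                        ("CN=hostA,O=Example Corp", SHARED),
                        ("O=Example Corp", PER_QMGR),
                        ("CN=AQM1,O=Example Corp", PER_QMGR)]:
        print(f"SSLPEER('{peer}') accepts {who_can_connect(peer, repos)}")
```

With the shared certificate, no SSLPEER value separates AQM1 from AQM2; only per-queue-manager DNs make a specific filter possible.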