ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » New QMGR, existing CA Cert

Post new topic  Reply to topic
 New QMGR, existing CA Cert « View previous topic :: View next topic » 
Author Message
cscheer
PostPosted: Wed Jan 31, 2007 10:45 am    Post subject: New QMGR, existing CA Cert Reply with quote

Novice

Joined: 15 Aug 2006
Posts: 13

We have a Verisign cert/key that we use in several places. I have the .key and .crt file in my ~/qmgr/QM1/ssl directory. I can not seem to get them imported. Seems I have to create a request first. Is that correct. Can't I import an existing CA cert? This is a 6.0 MQ setup on hpux. I have read through and wen through all the docs and don't see a way to import an existing cert.
Back to top
View user's profile Send private message
cscheer
PostPosted: Wed Jan 31, 2007 11:51 am    Post subject: Reply with quote

Novice

Joined: 15 Aug 2006
Posts: 13

OK, i guess this comes down to I can't figure out how to get a Verisign cert imported when the request was not generated by MQ. It just tells me that the request for the cert is not in the database. Help....
Back to top
View user's profile Send private message
mvic
PostPosted: Wed Jan 31, 2007 1:10 pm    Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2080

The difficulty here may come from the confusing range of verbs used in this area - eg. add, import, receive.

See if this helps: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/c00stts2.htm
Back to top
View user's profile Send private message
cscheer
PostPosted: Wed Jan 31, 2007 1:33 pm    Post subject: Reply with quote

Novice

Joined: 15 Aug 2006
Posts: 13

OK, so I have an existing wildcard cert that our company owns. It was generated with openssl and sent to Verisign. They sent back the cert. We use this cert in several places for apache. We need to use this same cert in MQ. We don't have the money to purchase another one. What I am finding is since I did not do the Verisign request in the gsk7ikm, I can not get the key into the repository. gsk7ikm says that it can not find the request in the DB when I try to "Receive" the key. Our security department is saying that I can not use a self signed cert. So, I am stuck.....
Back to top
View user's profile Send private message
jefflowrey
PostPosted: Wed Jan 31, 2007 1:41 pm    Post subject: Reply with quote

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I think mvic is saying you need to ADD it rather than RECEIVE it.
_________________
I am *not* the model of the modern major general.
Back to top
View user's profile Send private message
bbburson
PostPosted: Wed Jan 31, 2007 1:46 pm    Post subject: Reply with quote

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

If you can export the cert in p12 format from one keystore, you can use gsk7ikm to import it into the key database for the queue manager. My disclaimer: I have done this many times, but only using gsk7ikm for both the exporting and importing.

How to do the export from a non-gsk7ikm key database I do not know. Also how to get the label into the required format "ibmwebspheremqqmgrname" I also don't know.

And...
jefflowery wrote:
I think mvic is saying you need to ADD it rather than RECEIVE it.
...if it is the certificate for the CA itself.

Last edited by bbburson on Wed Jan 31, 2007 1:51 pm; edited 2 times in total
Back to top
View user's profile Send private message
cscheer
PostPosted: Wed Jan 31, 2007 1:49 pm    Post subject: Reply with quote

Novice

Joined: 15 Aug 2006
Posts: 13

Under signer certs, there is an add. Under personal certs, there is only receive. It was my understanding that the signer certs tab was only for the certs that you download from the major CA's, the root cert. I thought that our cert, the one we purchased from Verisign, was added to the personal certs page. Maybe I am wrong. Maybe that is my problem. Is the personal certs only for the self signed certs, and all purchases certs goes into the signer certs?
Back to top
View user's profile Send private message
mvic
PostPosted: Wed Jan 31, 2007 2:47 pm    Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2080

jefflowrey wrote:
I think mvic is saying you need to ADD it rather than RECEIVE it.

Well actually I interpreted the manual at the URL I gave as saying to use "receive". Until that point there was some doubt because cscheer was using the word "import".

I don't get this stuff, most of the time. One day it makes sense. The next day, I forget it all and become a newbie again
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » New QMGR, existing CA Cert
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.