| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| SSL on z/OS Questions |
« View previous topic :: View next topic » |
| Author |
Message
|
| fordcam |
 Posted: Mon Apr 02, 2007 9:22 am Post subject: SSL on z/OS Questions |
 |
|
Apprentice
Joined: 28 Mar 2002
Posts: 35
Location: MGIC
|
We haven't used SSL w/MQSeries until recently. But I have begun using MQSeries V6's certificate authority capabilities. I created key DBs for all of our distributes qmgrs in dev, requested certs, signed them on our CA, and added the certs to the DBs. It works just fine.
I also worked with a RACF admin to create a keyring for our dev z/OS qmgr, requested a cert, had the CA sign it, and then added the certs. That worked too, and all of our dev qmgrs are SSL capable.
Next, I moved on to our QA environment. Again, I had no problems setting up key DBs for the distributed environments. But when I tried to do the z/OS QA qmgr (MQSQ), adding the cert failed. The commands I ran were:RACDCERT ID(MQSQCHIN) ADDRING(MQSQKEYRING)
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(MQSQCHIN) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(MQSQCHIN) ACCESS(READ)
RACDCERT ID(MQSQCHIN) CONNECT(CERTAUTH LABEL('MQSeries Certificate') RING(MQSQKEYRING) USAGE(CERTAUTH))
RACDCERT ID(MQSQCHIN) GENCERT SUBJECTSDN(CN('MQSQ') O('company name') OU('MQSeries') L('city') C('US')) WITHLABEL('ibmWebSphereMQMQSQ')
RACDCERT ID(MQSQCHIN) GENREQ(LABEL('ibmWebSphereMQMQSQ')) DSN(MQSQ.REQ)
ftp'd MQSQ.REQ to our CA's machine, where I signed it in the normal way, creating MQSQ.CER.
ftp'd MQSQ.CER to z/Os.
RACDCERT ID(MQSQCHIN) ADD(MQSQ.CER) WITHLABEL('ibmWebSphereMQMQSQ') Everything went smootlhy until the last command. This command failed with IRRD109I (the certificate is already defined). The IRR message says that a profile already exists, and that profile is "serial#.issuer's cn". "Serial number" is the cert's 16 digit serial number, and the issuer's CN is the CN of our certificate authority. It looks like RACF combines these two things, and tries to define a RACF profile for them (I'm not sure in what class, though).
But all of the certs issued by the CA have the same serial number, and they all have the same issuer's CN of course. So the profile can't be defined. While the new cert is different from the dev qmgr's cert, this profile name is the same. And we're stuck.
I'm no expert at SSL or RACF (can you tell?), but I've done a whole lot of research. Yet I'm not getting anywhere. What am I missing here?
<< edited to correct syntax of gencert >> |
|
| Back to top |
|
 |
| fordcam |
| Posted: Mon Apr 09, 2007 1:45 pm Post subject: |
|
|
Apprentice
Joined: 28 Mar 2002
Posts: 35
Location: MGIC
|
Apparently, what I was missing is that runmqckm and/or ikeyman are not supposed to be used as a certificate signer. Even though they document this feature.
I did a lot of digging and asking at IBM's support site, and eventually found this:
| Quote: |
| These command-line programs document a certificate signing capability. However, they do not provide a full-featured certificate authority implementation and they lack critical features such as a serial number registry. Third-party software should be used to implement a certificate authority and perform key signing. |
Which completely matches what I see... everybody gets the same serial number. So they document a "feature," but then when you eventually hit a wall with it they tell you not to use it. Nice. |
|
| Back to top |
|
|
| fordcam |
| Posted: Tue Apr 10, 2007 7:44 am Post subject: |
|
|
Apprentice
Joined: 28 Mar 2002
Posts: 35
Location: MGIC
|
I got in contact with one of IBM's GSKit people, and was told:
| Quote: |
iKeycmd was never intended as a PKI substitute so you should manage serial numbers manually for the certs you sign. If you generate certificate requests using RACF and then sign them using gsk7cmd/runmqckm on Windows you can end up with the duplicate serial numbers which causes RACF to assume both are the same certificate, making one of them unusable by WebSphere MQ. To manually set serial numbers use:
runmqckm -cert -sign -file <certreq file> -db <db file> -pw <password>
-label <label> -target <cert file> -format ASCII -expire <expire days>
-sernum <serial number>
This implies that you need a central serial number authority (most likely the certificate authority itself) and a number naming convention. |
So using runmqckm of iKeycmd as a CA has an admitted serious limitation, and also a way around that limitation. But it seems to me to be the sort of thing that you can't depend on. So we're not going to. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
