problem with ssl CA-signed certificate
gidish (Novice, joined 18 Jul 2007)
Posted: Sat May 31, 2008 11:31 pm    Post subject: problem with ssl CA-signed certificate
Hi,
I have configured a sender-receiver channel pair between two QMs.
The QMs are running on LINUX servers.
The channels use SSL.
When I use self-signed certificates, everything works fine.
When I try to use CA-signed certificates, the channel is stuck in "retrying".
The error that I get is:
on the sender side:
AMQ9633 - bad ssl certificate for channel CHANNEL.NAME
on the receiver side:
AMQ9665 - ssl connection closed by remote end of channel ????
(not too informative!)
On both QMs' repository I have:
rootCA certificate
CA1 certificate (signed by rootCA)
CA2 certificate (signed by CA1)
QM's certificate (signed by CA2)
Should I do something to enter the rootCA into the trusted CAs?
Or is it automatically done when I insert its certificate into the repository?
Any suggestions??? I can't find the reason for the error....
Help!!
Thank you.
Gidi.
JosephGramig (Grand Master, joined 09 Feb 2006, Gold Coast of Florida, USA)
Posted: Sun Jun 01, 2008 7:18 am
Well,
Did you read this section in the manual?
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/sy11560_.htm
Regardless of this being WebSphere MQ, wouldn't it make more sense to have the CA sign the QMGRs' certs?
Self-signed or otherwise, it would be a hassle if every QMGR had to sign every other QMGR's key. So, the example in the InfoCenter for Task 1 is not an efficient way to manage keys (even though it does work).
Remember in a chain, you need to include the certs of all the signers (of the keys you intend to trust) in the keyring.
I haven't tried this exact scenario but, you could:
- Have a local CA signer get a key from the Real CA
- Have the local CA sign each QMGR key request
- Add the Real and Local CA certs to each QMGR keyring
- Receive each QMGR's key request into only that QMGR's keyring
- Highly protect the Local CA signer's certs and keyring (so don't ever put this on Windows)
I start at step 2 for self-signed CA certs and QMGR certs. Note that for each QMGR you only need the CA certs and the QMGR's own cert. This reduces the number of certs exchanged.
PS: Delete all other CA certs you do not intend to use.
PPS: Once you get this working, you will have limited hacking to only those that have keys signed by the CA you are trusting. What I mean is that you have more work to do. Adding SSL does not make you secure, it's how you implement it.
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
gidish (Novice, joined 18 Jul 2007)
Posted: Sun Jun 01, 2008 11:19 pm
Hi,
Thanks for your reply.
However, I think you didn't understand me well..
I'm not using self-signed certificates (I used them earlier, everything worked, and then I opened a new key repository and now I am using CA-signed certificates).
I read the section, and did everything according to it.
I'll try to explain once again:
I have a CA (let's call it CA1) which signed both of my QMGRs' certs.
This CA is not the rootCA.
The chain is: ("a--->b" means that a signed b's certificate)
rootCA ---> CA2 ----> CA1 -----> QM1
rootCA ---> CA2 ----> CA1 -----> QM2
Inside QM1 repository I have:
signer certificates: rootCA, CA2, CA1
personal certificate: QM1 (signed by CA1)
Inside QM1 repository I have:
signer certificates: rootCA, CA2, CA1
personal certificate: QM2 (signed by CA1)
On my workstation (windows2000), I can see that QM1 and QM2 certificates are OK, and I can see that the whole chain is OK.
But on the LINUX servers, the channels don't like the certificates..
By the way, I asked yesterday whether I need to put the CAs into the trust of the linux servers. Well, I checked and they are already trusted...
I hope this is more clear now.
So, any suggestions??
JosephGramig (Grand Master, joined 09 Feb 2006, Gold Coast of Florida, USA)
Posted: Mon Jun 02, 2008 4:09 am
Hmmm,
Your description sounds correct. You might try SupportPac MH03 to see if you can debug this further.
Without trying this exact scenario myself, I cannot offer further assistance.
HubertKleinmanns (Shaman, joined 24 Feb 2004, Germany)
Posted: Mon Jun 02, 2008 6:53 am
gidish,
please tell us your version of the iKeyman tool (gskit). In previous versions this tool could not handle version 3 extensions of certificates.
And you also should tell us your MQ version and fix level.
_________________
Regards
Hubert