MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Thu May 01, 2008 11:46 pm | Post subject: SSL & Certificates troubling issue

hi,
With the below set of entries, I am experiencing
"All the signer certificates must exist in the key database" error.
Steps executed
1. Created key db
gsk7cmd -keydb -create -db /var/mqm/qmgrs/QMGRA/ssl/key.kdb -pw test -type cms -expire 7300 -stash
2. Created certificate request
gsk7cmd -certreq -create -db /var/mqm/qmgrs/QMGRA/ssl/key.kdb -pw test -label ibmwebspheremqqmgra -dn "CN=ONE, O=TWO, C=US" -file /var/mqm/qmgrs/QMGRA/ssl/certreq_QMGRA.arm
3. Submitted the request in Microsoft IIS & issued the certificate via Microsoft Certificate Authority. Downloaded the CA & CA-signed certificate (Base64)
4. Added the CA certificate
gsk7cmd -cert -add -db /var/mqm/qmgrs/QMGRA/ssl/key.kdb -pw test -label certnew -file /var/mqm/qmgrs/QMGRA/ssl/certnew.cer -format ascii
5. Added the CA signed certificate
gsk7cmd -cert -receive -file /var/mqm/qmgrs/QMGRA/ssl/ibmwebspheremqqmgra.cer -db /var/mqm/qmgrs/QMGRA/ssl/key.kdb -pw test -format ascii
Response: "All the signer certificates must exist in the key database"
Overview: I had successfully enabled MQ SSL on a different machine before with exactly the above steps. Now I am trying to set it up on a new machine, but it fails. On the new box, I have used the same Q Mgr name, same label and same distinguished name.
Then I thought it may be a duplication issue in the Microsoft Certificate Authority. So I changed the distinguished name in step 2. Yet the same error. The only thing left is that I change the label name in case the Certificate Authority keeps track of the previously submitted label. But then the label should be named after the Q Mgr and I have to maintain the Q Manager name.
Seek your advice....
Thanks.

Gaya3
Jedi | Joined: 12 Sep 2006 | Posts: 2493 | Location: Boston, US
Posted: Fri May 02, 2008 12:20 am | Post subject: Re: SSL & Certificates troubling issue

MQWays wrote:
2. Created certificate request
gsk7cmd -certreq -create -db /var/mqm/qmgrs/QMGRA/ssl/key.kdb -pw test -label ibmwebspheremqqmgra -dn "CN=ONE, O=TWO, C=US" -file /var/mqm/qmgrs/QMGRA/ssl/certreq_QMGRA.arm

Change the value of CN, and try out.
Don't give the same name as that of the certificates
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die

MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Fri May 02, 2008 12:59 am

I had tried changing the whole DN before and it gave the same error.
Are you suggesting to change only the CN and keep O= & C= mandatorily the same as before?

Gaya3
Jedi | Joined: 12 Sep 2006 | Posts: 2493 | Location: Boston, US
Posted: Fri May 02, 2008 1:03 am

MQWays wrote:
I had tried changing the whole DN before and it gave the same error.
Are you suggesting to change only the CN and keep O= & C= mandatorily the same as before?

Keep O= & C= mandatorily the same as before.
Regards
Gayathri

MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Sun May 04, 2008 10:47 pm

I tried changing the CN only but now the response is
"An error occurred while receiving the certificate from the given file."
Any clues....

MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Mon May 05, 2008 7:38 am

MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Mon May 05, 2008 8:01 am

I am getting error code 194 on gsk7cmd -cert -receive command
GENERAL_KEYSTORE_MANAGER_ERROR
194
Internal - error using KeyStoreManager object

MQWays
Acolyte | Joined: 20 Jan 2008 | Posts: 61
Posted: Mon May 05, 2008 9:59 am

It's working now. Adjusted the system clock.
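
The thread ends with the system clock as the fix. A certificate whose validity period does not contain the local time fails validation, so the following added example (not code from any of the posts) reads notBefore and notAfter from a DER certificate and classifies a clock reading against them. The function names, the sample bytes and the dates are constructed for illustration.

```python
import datetime as dt

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as UTC."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY < 50 means 20YY
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)               # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = tlv(der, pos)
    _, pos, _ = tlv(der, pos)               # Validity SEQUENCE
    t1, s1, e1 = tlv(der, pos)
    t2, s2, e2 = tlv(der, e1)
    return der_time(t1, der[s1:e1]), der_time(t2, der[s2:e2])

def clock_check(der, now):
    """Classify a clock reading against the certificate's validity window."""
    not_before, not_after = validity(der)
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "ok"

# Constructed sample: certificate-shaped DER holding only the fields up to
# Validity (no real issuer, key or signature); the dates are made up.
def enc(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only

SAMPLE_DER = enc(0x30, enc(0x30,
    enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") +
    enc(0x30, b"") +
    enc(0x30, enc(0x17, b"080502000000Z") + enc(0x17, b"090502000000Z"))))
```

For a Base64 file such as the downloaded CA or CA-signed certificate, `ssl.PEM_cert_to_DER_cert(open(path).read())` from the Python standard library yields the DER bytes to pass in, and `datetime.datetime.now(datetime.timezone.utc)` gives the local clock reading.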