Strange problem with SSL, MO71 and MQ Explorer
LMD
Posted: Thu Jun 05, 2008 7:36 am    Post subject: Strange problem with SSL, MO71 and MQ Explorer

Acolyte

Joined: 30 Oct 2002
Posts: 56
Location: Paris - France

Hello all,
we are facing a strange problem setting up secured administration for Qmgrs.

Situation :
AIX with WMQ 6.0.2.3 server
WinXPSP2 with WMQ 6.0.2.3 client and Explorer
OpenSSL

Run 1:
- With OpenSSL, creation of CA Version 1, personal certificates for QMgr and user.
- on AIX, creation of certificate store, changes on Qmgr (SSLKEYR), ALTER CHANNEL to use CIPHER
- on Windows, creation of a CMS certificate store, MO71 configuration to use certificate store
--> Result : OK

- on Windows, creation of a JKS certificate store, WMQ Explorer config to use certificate store and a CHLTAB
--> Result : OK


Run 2:
- With OpenSSL, creation of CA version 2, personal certificates for QMgr and user.
Version 2 certificates have a more complex DN setting, to use SSLPEER filtering.
- on AIX, creation of certificate store V2, changes on Qmgr (SSLKEYR), ALTER CHANNEL to use CIPHER
- on Windows, creation of a CMS certificate store V2, MO71 configuration to use certificate store
--> Result : OK

- on Windows, creation of a JKS certificate store V2, WMQ Explorer config to use certificate store and a CHLTAB
--> Result : KO :
- error 4043 on Explorer
- no error message on server side, neither in errors/AMQERR01.LOG nor in qmgrs/<QMName>/errors/AMQERR01.LOG.

Over the last two days, we have tried this on two workstations, with 4 sets of CA, certificates, with 2 different Qmgrs, with different settings of CHLTAB ...

We have tested the chltab with an amqsputc on the client side, no problem. So AMQCHLTAB should not be the culprit.
We have also built chltab from server side and MO72 on client side.
Same certificates run OK with MO71 and a CMS store, so certificates should be ok.
The JKS store has been created with STRMQIKM, both from scratch and "save as JKS" from the CMS version. So the JKS store should be ok also.

The problem is the "silent failure" of the Explorer, exactly as if it doesn't like the certificates and/or the store.

Is there any way to put this one in "debug mode" to have more detail on the offending parameter?

Thanks in advance, LMD.
_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion
fjb_saper
Posted: Thu Jun 05, 2008 2:32 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Are you starting the Windows MQ Explorer with the requisite Java flags? -vmargs -D<keystorevar>=<keystorefile> -D<certstorevar>=<certstorefile> etc....

Enjoy
_________________
MQ & Broker admin
LMD
Posted: Thu Jun 05, 2008 11:26 pm

Acolyte

Joined: 30 Oct 2002
Posts: 56
Location: Paris - France

fjb_saper wrote:
Are you starting the Windows MQ Explorer with the requisite Java flags? -vmargs -D<keystorevar>=<keystorefile> -D<certstorevar>=<certstorefile> etc....

Enjoy

No.
With version 1 certificates, MQ Explorer works without these flags.

But if there is any solution to pass the JKS store password with these flags, I am interested!

I also have to mention that Version 2 certificates work with MO71 to Qmgr and Qmgr to Qmgr.
_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion
jsware
Posted: Thu Jun 05, 2008 11:48 pm

Chevalier

Joined: 17 May 2001
Posts: 455

LMD wrote:
But if there is any solution to pass the JKS store password with these flags, I am interested!

I'm new to all this but was playing around with SSL connections from the Message Broker Toolkit to a config manager. The RedPaper I was reading says you must use
Code:
-Djavax.net.ssl.keyStorePassword=yourpassword

if your password for the JKS store is anything other than "changeit".

Very secure
_________________
Regards
John
The pain of low quality far outlasts the joy of low price.
frodon
Posted: Fri Jun 06, 2008 2:02 pm

Newbie

Joined: 06 Jun 2008
Posts: 4
Location: Luxemburg

Hi fellows,

First certificates were generated with an email address. Later certificates don't contain this field.
MQ Explorer is a Java application... and Java is suspected of requiring this field to be able to work with the certificates!!!

In fact, after re-generating the certificates with a filled-in email address field, MQ Explorer is able to handle the certificates and SSL is working perfectly!

Regards
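
The difference frodon reports between the working and failing certificates is whether the subject DN carries an e-mail address, which can be checked directly on the JKS store before it is handed to MQ Explorer. The following Java check is an added example, not code from this thread or from IBM: it lists each certificate's subject DN and whether it contains the emailAddress attribute, and prompts for the store password rather than taking it on the command line. The class name and the two sample DNs are constructed for illustration; run without arguments it checks only those samples.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added example; the class name is hypothetical.
public class JksSubjectCheck {
    // PKCS#9 emailAddress; RFC 2253 output names this attribute by OID.
    static final String EMAIL_OID = "1.2.840.113549.1.9.1";

    static boolean hasEmail(X500Principal subject) throws Exception {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            // An RDN may be multi-valued, so look at every attribute type in it.
            for (String type : Collections.list(rdn.toAttributes().getIDs())) {
                if (type.equals(EMAIL_OID)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { // no keystore given: run on constructed sample DNs
            for (String dn : new String[] {
                    "EMAILADDRESS=admin@example.test, CN=user1, O=Example, C=FR",
                    "CN=user1, OU=MQ Admins, O=Example, L=Paris, C=FR" }) {
                System.out.println(hasEmail(new X500Principal(dn)) + "  " + dn);
            }
            return;
        }
        // Prompt for the store password instead of taking it as an argument.
        char[] pw = System.console() == null ? null
                : System.console().readPassword("JKS password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw); // a null password skips the store integrity check
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X500Principal subject = ((X509Certificate) cert).getSubjectX500Principal();
            System.out.println(alias + ": email=" + hasEmail(subject) + "  " + subject);
        }
    }
}
```

Pass the path of the JKS file as the only argument to check a real store; comparing the output for the Version 1 and Version 2 stores shows which subject attributes changed between the two runs.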