jeevan
Posted: Mon Aug 18, 2008 11:10 am Post subject: setting up SSL in MQ (some questions and clarifications)
Grand Master
Joined: 12 Nov 2005 Posts: 1432

After going through the various posts and documents, I understand implementing SSL much better now. However, I still have a few questions which I could not get answered by the docs or posts.
My summary understanding of SSL implementation in MQ is as follows:
MQ installation creates two directories: gskit and gsk7
We can use the GSK7CMD, IKEYMAN, or RUNMQCKM commands.
In fact, IKEYMAN and RUNMQCKM are wrappers of the GSK7CMD command. Assuming I have one queue manager and a Java application (client), I need to do the following.
As qmgr admin, I have to do:
1. Create a key repository
2. Create a certificate request and send it to the CA
3. When the signed certificate is received back, receive it into the repository
4. Add (why not import?) the CA certificate (not sure why) to the KR (key repository)
Changes in the qmgr:
1. Create/modify the SSL channel
2. Change SSLKEYR, indicating the certificate repository
3. Change the CIPHER attribute to one of the 5 ciphers
As CA, I have to do the following:
1. Create a key repository
2. Create a certificate
3. Extract the certificate (why not export?) and send it to the qmgr and client
4. Sign the certificate requests received from the QMGR and client and send them back
As a client, I have to do the following:
1. Create a certificate repository (using keytool, not runmqckm?)
2. Create a certificate request and send it to the CA
3. When the signed certificate is received back, receive it into the repository
4. Add (why not import?) the CA certificate (not sure why) to the CR (certificate repository)
Are the above steps correct (enough)? How does the client know that the queue manager is the one it is willing to connect to without a certificate from the queue manager?
Why do we need a certificate from the CA on top of the requested certificate?
I would be really grateful if someone can clarify these questions.
Thanks a lot in advance
Last edited by jeevan on Thu Aug 28, 2008 9:11 am; edited 1 time in total
Tibor
Posted: Fri Aug 22, 2008 5:55 am Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
exerk
Posted: Tue Aug 26, 2008 12:10 am Post subject: Re: Some questions on Setting up SSL
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

jeevan wrote:
...why do we need a certificate from the CA on the top of the requested certificate?...

Because use of self-signed certificates outside of a test environment is both insecure and unmanageable, and you need the signer certificate from the CA so other certificates 'flowed' to you can be authenticated.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Tue Aug 26, 2008 3:40 pm Post subject: Re: Some questions on Setting up SSL
Grand Master
Joined: 12 Nov 2005 Posts: 1432

exerk wrote:
jeevan wrote:
...why do we need a certificate from the CA on the top of the requested certificate?...
Because use of self-signed certificates outside of a test environment is both insecure and unmanageable, and you need the signer certificate from the CA so other certificates 'flowed' to you can be authenticated.

Going through various IBM publications and examples on the net and mqseries.net, I am still not sure about the following:
Let's talk about a scenario where we use a signed certificate (regardless of whether it is signed by an outside or inside CA).
QMGR makes a certificate request to the CA
CA signs my certificate using its certificate (is it one for each company or one per CA?)
qmgr receives it (why not add or import?)
also qmgr adds the CA certificate (why not import?)
The client
adds the CA certificate (understandable)
Where is the public key of qmgr1?
Where is the private key of qmgr1?
Does the CA-signed certificate have the private key and the CA certificate the public key? If so, does a CA have a certificate for each company whose certificates it signs?
FYI, I got SSL-enabled communication (one way) working following "WebSphere MQ V6, WebSphere Message Broker V6, and SSL".
I would be really grateful if someone can help me to understand this.
Thanks a lot
zhanghz
Posted: Tue Aug 26, 2008 8:27 pm Post subject:
Disciple
Joined: 17 Jun 2008 Posts: 186

CA's certs (root cert, and maybe intermediate cert(s) too) are the same for each QMGR (if a CA got different certs to sign customers' certs, that really beats one of the purposes of using CA-signed certs). Each QMGR needs to add the CA's certs into its key store (or key database, whatever name you call it) if it is to authenticate any cert signed by the CA. CA's certs will also expire, then the CA certs need to be renewed.
As for add or import, extract or export, I kind of use them interchangeably, which seems not correct. I checked the "runmqckm" command that comes with WMQ v6 for Windows; it has the following formats regarding cert operations. It seems import and export will include the private key but add and extract will not (please correct me if I am wrong). "Receive" is specially used for including the CA's signed personal cert into the key store. The "receive" operation will verify that you have the original cert-request, otherwise the "receive" will fail.
Code:
...
-cert -add Add a CA Certificate
-create Create a self-signed certificate
-delete Delete a certificate
-details Show the details of a specific certificate
-export Export a personal certificate and associated private key
into a PKCS12 file or a key database
-extract Extract a certificate from a key database
-getdefault Show the default personal certificate
-import Import a certificate from a key database or a PKCS12 file
-list List certificates in a key database
-modify Modify a certificate (NOTE: the only field that my be
modified is the trust field)
-receive Receive a certificate
-setdefault Set the default personal certificate
-sign Sign a certificate
-certreq -create Create a certificate request
-delete Delete a certificate request from a certificate request
...

For CA signed cert, I guess (I believe I'm logically guessing here) the private key is with the cert itself and the public key is with the CA's cert(s).
jeevan
Posted: Wed Aug 27, 2008 8:16 am Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432

zhanghz wrote:
For CA signed cert, I guess (I believe I'm logically guessing here) the private key is with the cert itself and the public key is with the CA's cert(s).

I agree with this. I think so too, but it is sometimes confusing.
My confusion is here. Let's say the CA uses one certificate, say 'CACert', to sign our certificate requests for 3 qmgrs. If we agree our qmgrs' public key is in the CA certificate, that means all of our qmgrs have the same public key.
Does this mean all of our qmgrs have the same private key too? Or can there be more than one private key for a public key (PK)?
Or does the CA use three different certificates (public keys) to sign the requests for certs from the 3 qmgrs?
Quote:
The certificate authority is like an online passport bureau - a trusted entity that makes the PKI system work. The private key is securely generated by Bob, and after verifying Bob's identity, the certificate authority signs Bob's public key with its own private root key. The combination of Bob's public key and the signature of the certificate authority completes Bob's digital certificate. Bob's digital certificate is his online passport, validated by the certificate authority's watermark.
Let's look at how all this works together in a simple transaction. Bob wants to send Alice a confidential e-mail. Bob would use Alice's public key, stored in her certificate, to scramble the message. When Alice receives the message, she uses her private key to unscramble it. Because no one else possesses Alice's private key, only she can unscramble the message.

The above paragraphs give an example, which says that each certificate request has a private key and the CA signs (generates a public key for others, along with verifying the company domain).
My remaining query is:
Using ikeyman, does a signed certificate contain only the private key or both the private as well as the public key?
The CA certificate is necessary at the client side to verify the signature of the server.
Can someone clarify this doubt?
http://www.networkworld.com/news/64452_05-17-1999.html
http://www.youdzone.com/signature.html
zhanghz
Posted: Thu Aug 28, 2008 2:19 am Post subject:
Disciple
Joined: 17 Jun 2008 Posts: 186

jeevan wrote:
...
My confusion is here. Let's say the CA uses one certificate, say 'CACert', to sign our certificate requests for 3 qmgrs. If we agree our qmgrs' public key is in the CA certificate, that means all of our qmgrs have the same public key.
Does this mean all of our qmgrs have the same private key too? Or can there be more than one private key for a public key (PK)?
Or does the CA use three different certificates (public keys) to sign the requests for certs from the 3 qmgrs?
...

I went through some PowerPoint on SSL for WebSphere MQ, and I realised I was wrong quite a bit about CA-signed certs.
My new understanding now is: CA certs we receive from the CA will contain the CA certs' public key only. CA-signed certs will contain the certs' own public key (from the cert-request) and also the CA's signature for the CA-signed cert (encrypted using the CA's private key). The CA's signature is used during the SSL handshake to authenticate the server and/or client. CA-signed certs are used to establish a secret key that is to be used during the SSL session.
Now back to your questions. All QMGRs have their own private keys. The CA uses its private key to sign all QMGRs' certs.
jeevan wrote:
...
My remaining query is:
Using ikeyman, does a signed certificate contain only the private key or both the private as well as the public key?
...

A CA-signed cert contains only the cert's public key (and other information, of course). The private key is stored in the QMGR's key database.
I recommend 2 reading materials on SSL for WMQ. One is "sslweb.pdf" and the other is "Just_SSL.pdf". Both are IBM presentations. You should be able to find them on Google. Brief yet comprehensive enough.
ranganathan
Posted: Thu Aug 28, 2008 8:11 am Post subject:
Centurion
Joined: 03 Jul 2008 Posts: 104

Requesting a cert from the CA for MQ QMs
Using ikeyman --> New Certificate Request
1. In the key label: 'ibmwebspheremq****' followed by the name of the QM (in lowercase)
2. Type the Common Name, Organization and all the relevant fields.
3. Point to a file certreq.arm (default) to store the request info.
4. We can send this request either by sending the file to a CA or by copying the file into the request form on the website of the CA.
4a. Using the CLI 'runmqckm/gsk7cmd', specify the above filename and all the details, including the key size (512 or 1024).
5. When your ikeyman generates your certificate request, it also generates your private key (which is kept secret), so only the DN and your public key will be sent to the CA.
Self-signed certificates - created and signed by the certificate management tool your system uses. They cannot be used to authenticate certificates outside your organization.
How to obtain a cert from a CA:
1. You need to send your DN and public key with user identification to the CA
2. The CA verifies the user identification
3. Builds a certificate for the user
4. Sends you the certificate (which contains the public key (you've sent), the CA's identification, and the user identification)
What is there in a digital certificate from the CA?
The owner's (that is, your) public key and Distinguished Name
The DN of the CA that is issuing the certificate
Validity and expiry date
Version number, serial number
Digital certificates do not contain your private key (which is a secret kept private by you)
Things to be done from our end
1. Prepare the key repos on each QM (that you want to communicate using SSL)
2. Request a CA-signed certificate for each QM (see above)
3. Add the CA's certificate to the key repos.
4. Add the CA-signed certificate to the key repos
5. Configure SSL attributes in your sender/receiver channels and start them.
Please refer to the Security redbook for more details specific to MQ
From Verisign
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR230
Check this for a detailed study on SSL
http://www2.rad.com/networks/2001/ssl/index.htm
Hope this helps...
Last edited by ranganathan on Thu Aug 28, 2008 9:12 am; edited 1 time in total
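The questions running through this thread (which artefact holds the private key, whether three queue managers signed by one CA share a key, why the client needs only the CA certificate, and why "receive" differs from "add") are easiest to settle by modelling the workflow. The Python below is an added example written for this page; it is not code from the thread, from IBM or from GSKit, and it never calls runmqckm or ikeyman. The RSA keys are deliberately tiny and insecure, the "key database" is a dict, and the distinguished names, primes and queue manager names are all constructed. The label convention ("ibmwebspheremq" plus the lowercase queue manager name) and the operation names it mirrors (certreq -create, cert -add, cert -receive) come from the posts above.

```python
"""Toy model of the MQ SSL certificate workflow (constructed example).

Keys are tiny and insecure, the "key database" is a dict and nothing calls
GSKit/runmqckm. It only shows what each artefact contains and which
operation (certreq -create, cert -add, cert -receive) puts what where.
"""
import hashlib

E = 65537  # public exponent; the primes used below are toy values (assumption)

def make_keypair(p, q):
    """Toy RSA key pair from two small, constructed primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return {"public": (E, n), "private": (d, n)}

def to_be_signed(subject, public_key, issuer):
    """Bytes the CA signs: subject DN, subject public key, issuer DN."""
    return f"{subject}|{public_key[0]}|{public_key[1]}|{issuer}".encode()

def digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def create_key_database():
    # Like runmqckm -keydb -create: personal certs (with their private keys),
    # signer certs (CA certs, public keys only) and pending requests.
    return {"personal": {}, "signers": {}, "pending": {}}

def create_certificate_request(kdb, label, subject, p, q):
    """Like -certreq -create: the private key stays in the key database;
    only the DN and public key go out (the certreq.arm content)."""
    keys = make_keypair(p, q)
    kdb["pending"][label] = keys["private"]
    return {"subject": subject, "public_key": keys["public"]}

def sign_request(ca_name, ca_private, request):
    """What the CA does with every request: sign it with the one CA private key.
    The CA never sees, and the cert never contains, the requester's private key."""
    body = to_be_signed(request["subject"], request["public_key"], ca_name)
    d, n = ca_private
    return {"subject": request["subject"], "public_key": request["public_key"],
            "issuer": ca_name, "signature": pow(digest_mod_n(body, n), d, n)}

def add_signer(kdb, ca_cert):
    """Like -cert -add: trust a CA certificate (it carries the CA public key)."""
    kdb["signers"][ca_cert["subject"]] = ca_cert

def receive_certificate(kdb, label, cert):
    """Like -cert -receive: fails unless this key database holds the pending
    request, i.e. the private key, that matches the certificate."""
    private = kdb["pending"].get(label)
    if private is None or private[1] != cert["public_key"][1]:
        raise ValueError(f"no matching certificate request for label {label!r}")
    kdb["personal"][label] = {"private_key": kdb["pending"].pop(label), "cert": cert}

def verify_certificate(kdb, cert):
    """The handshake check a peer makes: validate the CA signature with the
    CA certificate in its own key database. No other certificate is needed."""
    ca_cert = kdb["signers"].get(cert["issuer"])
    if ca_cert is None:
        return False
    e, n = ca_cert["public_key"]
    body = to_be_signed(cert["subject"], cert["public_key"], cert["issuer"])
    return pow(cert["signature"], e, n) == digest_mod_n(body, n)

# Constructed CA: one key pair and one self-signed CA certificate for everyone.
CA_NAME = "CN=ExampleCA,O=Example"
CA_KEYS = make_keypair(104723, 104729)
CA_CERT = sign_request(CA_NAME, CA_KEYS["private"],
                       {"subject": CA_NAME, "public_key": CA_KEYS["public"]})
# Constructed, distinct toy primes per queue manager: each gets its own key pair.
QMGR_PRIMES = {"QM1": (1009, 1013), "QM2": (1019, 1021), "QM3": (1031, 1033)}

def build_scenario():
    """Three queue managers plus one client whose key database holds only the CA cert."""
    qmgr_kdbs = {}
    for name, (p, q) in QMGR_PRIMES.items():
        kdb = create_key_database()
        label = "ibmwebspheremq" + name.lower()      # MQ's label convention
        request = create_certificate_request(kdb, label, f"CN={name},O=Example", p, q)
        signed = sign_request(CA_NAME, CA_KEYS["private"], request)  # what the CA returns
        add_signer(kdb, CA_CERT)                      # -cert -add the CA cert
        receive_certificate(kdb, label, signed)       # -cert -receive the signed cert
        qmgr_kdbs[name] = kdb
    client_kdb = create_key_database()
    add_signer(client_kdb, CA_CERT)                   # the client needs only the CA cert
    return qmgr_kdbs, client_kdb

if __name__ == "__main__":
    qmgrs, client = build_scenario()
    for name, kdb in qmgrs.items():
        cert = kdb["personal"]["ibmwebspheremq" + name.lower()]["cert"]
        print(name, "cert carries a private key:", "private_key" in cert,
              "| client verifies it with the CA cert only:", verify_certificate(client, cert))
```

Running it shows the three signed certificates carry three different public keys and no private key at all, the CA signed all three with the same CA private key, and the client validates each of them with nothing but the CA certificate in its own key database. Receiving a certificate into a key database that never generated the matching request fails, which is the behaviour zhanghz describes for "receive" and the reason the private key must stay in the queue manager's own repository.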
jeevan
Posted: Thu Aug 28, 2008 8:46 am Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432
ranganathan
Posted: Thu Aug 28, 2008 9:16 am Post subject:
Centurion
Joined: 03 Jul 2008 Posts: 104
jeevan
Posted: Thu Aug 28, 2008 2:34 pm Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432

Now, I am moving on to a general JMS client (TIBCO in our case). I sent the CA certificate to TIBCO as I did for the MQ client. They imported that in the BW palette and configured the connection. We are getting the following error.
AMQ9665: SSL connection closed by remote end of channel '????'.
Any idea? Not much help in googling.
ranganathan
Posted: Fri Aug 29, 2008 1:34 am Post subject:
Centurion
Joined: 03 Jul 2008 Posts: 104

An SSL connection fails if there is a failure in the SSL handshake. So if there is a problem in any of the attributes of the certificate (at both ends), I mean if the client couldn't verify the validity of the cert, it terminates the connection.
There are other possibilities. Check that all the SSL attributes are correctly configured at both ends. Make sure that the server certificate is added to the client repository. Also check the SSLCAUTH parameter of your server channel (if YES, it requires your client to negotiate a cert before starting a data transfer); normally it is not required if you trust the client. Make sure that the CipherSpec negotiated is the same... SSLCIPH
Was the channel running before the SSL configuration?!
David.Partridge
Posted: Fri Aug 29, 2008 3:57 am Post subject:
Master
Joined: 28 Jun 2001 Posts: 249

If the other end of the channel closed it, check its error logs to see why it closed it.
_________________
Cheers,
David C. Partridge
jeevan
Posted: Fri Aug 29, 2008 7:56 am Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432

ranganathan wrote:
An SSL connection fails if there is a failure in the SSL handshake. So if there is a problem in any of the attributes of the certificate (at both ends), I mean if the client couldn't verify the validity of the cert, it terminates the connection.
There are other possibilities. Check that all the SSL attributes are correctly configured at both ends. Make sure that the server certificate is added to the client repository.

Server certificate or CA certificate? I added the CA certificate to the client repo, not the server certificate.
I added the server certificate and the CA certificate to the QMGR's repo
CA certificate to the client repo
And I think, from my understanding, this is what is required, as it worked with amqsputc, which is a C client (I think).
Now, I am working on the sample in MO04, the C client. It does not work either.

ranganathan wrote:
Also check the SSLCAUTH parameter of your server channel (if YES, it requires your client to negotiate a cert before starting a data transfer); normally it is not required if you trust the client. Make sure that the CipherSpec negotiated is the same... SSLCIPH
Was the channel running before the SSL configuration?!

We get the connection working without SSL as the first step.
Only then do we introduce the SSL connection, so I know the channel and connection are working.
jeevan
Posted: Fri Aug 29, 2008 8:17 am Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432

When I replaced amqsputc with ssample.exe in the MO04 support pack and gave the following command line command
SSLSample.exe server(port) SSL.CLIENTS QMGR TRIPLE_DES_SHA_US replocaltion\client.kdb
it does not work. It gives a 2381 error, while amqsputc works.
Can someone please help.