akm.mohan |
Posted: Fri Dec 19, 2008 8:25 am Post subject: importing the SSL certificate to qmgr on UNIX(new to SSL) |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Could anyone please let me know how to import the SSL certificate to a qmgr which is on UNIX? I need commands to do it without using the GUI (ikey management tool).
Thanks,
mohan. |
|
exerk |
Posted: Fri Dec 19, 2008 8:37 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Google is a wonderful thing...you might want to try it some time
It gave me this. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
mqjeff |
Posted: Fri Dec 19, 2008 9:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Of course, this is a much more *relevant* link.
 |
|
akm.mohan |
Posted: Fri Dec 19, 2008 9:35 am Post subject: importing the SSL certificate to qmgr on UNIX(new to SSL) |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Thanks for the fast reply. I have gone through those links and I found the commands, but please let me know the procedure for importing an SSL certificate to a qmgr. I mean I need it stepwise because I don't know the actual procedure. At present I have the certificate on my desktop, and I need to import that certificate to one qmgr which is on a UNIX box. This is the first time I am doing this, please help me.
Thanks,
Mohan. |
|
exerk |
Posted: Fri Dec 19, 2008 9:56 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
The link that mqjeff posted provides the answer...so good an answer in fact that I've bookmarked it for future reference |
|
akm.mohan |
Posted: Fri Jan 30, 2009 9:09 am Post subject: need theoretical explanation about ssl |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Hi friends,
I have saved your links for the commands. Here I need more information about SSL. Now I have got the chance to implement the SSL certificates on qmgrs. As per my knowledge the flow is like this:
When we get the certificate, we need to FTP that certificate into /var/mqm/qmgrs/qmgr/ssl, then we need to import the cert by using the below command.
So how do we give the values in the above command, and how do we know on which channels we have to check the SSL cipherspec and SSL peer values?
I am getting confused here; please clarify, it would be a great help to me.
If this question is not clear to you, please let me know how you import the certificate step by step in a UNIX environment.
Thanks,
Mohan. |
|
akm.mohan |
Posted: Fri Jan 30, 2009 9:12 am Post subject: sorry forgot to add command |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
gsk6cmd -cert -add -db key.kdb -pw password -label certificate label -file filename |
|
exerk |
Posted: Fri Jan 30, 2009 9:37 am Post subject: Re: need theoretical explanation about ssl |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
akm.mohan wrote: |
...So how do we give the values in the above command... |
You know what the certificate label name will be, e.g. ibmwebspheremq<queue manager name>, and you know what the filename of the file is because you will have FTP'd it to the server.
akm.mohan wrote: |
...and how do we know on which channels do we have to check ssl cipherspec and ssl peer values... |
On whichever channels you need to secure with SSL!
And don't forget to refresh security (V6) or bounce the queue manager (V5). |
|
akm.mohan |
Posted: Fri Jan 30, 2009 1:22 pm Post subject: need more information |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Thanks for your quick reply. Here I have a few more questions. Could you please answer my questions below?
This week my old certs are going to expire, so I am going to import new certs. For this:
**CSR generation:
Do I need to set up a new key repository by using the below command, or do I have to use the old repository? (I don't have any knowledge of repositories.)
gsk6cmd -keydb -create -db filename -pw password -type cms -expire days -stash
After this I know the below command to generate the CSR:
gsk6cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename
From the above command I will know the label name, CN name, etc.
So can I use these values in the importing command, or do I need to open the certificate and check the values? (If so, how? Here I am getting a little bit confused, please give more explanation.)
**My second question is:
Now I have the certificate on my desktop.
1) Do I need to FTP it to /var/mqm/qmgrs/ssl?
2) If so, after getting that certificate into ssl, what will I have to do?
3) After importing the certificate, how do I get the cipherspec and SSL peer values in the channel properties (if I know the channel names)?
Please reply to my questions with more explanation. |
|
exerk |
Posted: Fri Jan 30, 2009 1:41 pm Post subject: Re: need more information |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
akm.mohan wrote: |
...in this week my old certs are going to expire so I am going to import new certs...Do I need to setup the new key repository by using below command or do I have to use old repository? (I don't have any knowledge on repositories)... |
What do your site standards say? Normally I set up two key stores, A and B, and switch between them - when a cert is due to expire I use the non-active key store for cert request generation, import the cert into it, switch the queue manager SSLKEYR attribute to it, and check all is OK. This gives peace of mind should the new cert be faulty in any way, as the old cert in the 'other' key store can be used while a new 'new' cert is being obtained.
Obtain the field names for your new certificate from the old certificate, to ensure correctness, and no, you don't need the values when you import the cert, they are already contained within it and can't be changed - so make sure you get the CSR right!
akm.mohan wrote: |
...Now I have the certificate on my desktop,
1)Do I need to FTP to /var/mqm/qmgrs/ssl?... |
Well, it won't get there by itself
akm.mohan wrote: |
...2)if so, after getting that certificate into ssl then what will i have to do?... |
Once it's in the directory, import it into the key store
akm.mohan wrote: |
...3) after importing the certificate how do I get the cipherspec and ssl peer values in the channel properties (if I know the channel names)... |
Manuals are a wonderful thing...please try reading them
Your free lunch is now finished, but here's one bit of free advice - don't wait until the last week of a certificate's validity; obtain the new ones at least a month before. |
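The A/B key store switch exerk describes above, written out as a dry-run planner that prints the commands in order. This is an added example, not part of the original thread: the keyA/keyB store names, the .arm file names and the sample DN are assumptions, and `password` and `key_size` are placeholders as in the thread's commands. It uses `-cert -receive`, the gsk6cmd action for a CA-signed certificate that answers a request held in the store.

```sh
#!/bin/sh
# Added example: plan an A/B key store certificate rotation for one queue manager.
# Assumed names (not from the thread): keyA/keyB stores, certreq.arm, newcert.arm.

# The label MQ looks for is ibmwebspheremq + queue manager name in lower case.
cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Given the active SSLKEYR stem (no .kdb suffix), return the stand-by store's stem.
inactive_store() {  # $1 = active stem, $2 = store A stem, $3 = store B stem
    case "$1" in
        "$2") printf '%s\n' "$3" ;;
        "$3") printf '%s\n' "$2" ;;
        *)    echo "active SSLKEYR '$1' is neither A nor B" >&2; return 1 ;;
    esac
}

# Print the commands for the rotation, in order; nothing is executed.
rotation_plan() {   # $1 = qmgr, $2 = active stem, $3 = DN for the request
    dir="/var/mqm/qmgrs/$1/ssl"
    new=$(inactive_store "$2" "$dir/keyA" "$dir/keyB") || return 1
    label=$(cert_label "$1")
    cat <<EOF
# 0. the stand-by store must exist with a stash file (-keydb -create ... -stash)
#    and already hold the CA certificate (-cert -add)
# 1. create the request in the stand-by store
gsk6cmd -certreq -create -db $new.kdb -pw password -label $label -dn "$3" -size key_size -file $dir/certreq.arm
# 2. when the CA returns the signed certificate, copy it to $dir and receive it
gsk6cmd -cert -receive -file $dir/newcert.arm -db $new.kdb -pw password -format ascii
# 3. confirm the label is listed before switching
gsk6cmd -cert -list -db $new.kdb -pw password
# 4. point the queue manager at the stand-by store and reload SSL (V6)
echo "ALTER QMGR SSLKEYR('$new')" | runmqsc $1
echo "REFRESH SECURITY TYPE(SSL)" | runmqsc $1
# rollback: ALTER QMGR SSLKEYR('$2') followed by REFRESH SECURITY TYPE(SSL)
EOF
}

# Constructed sample: queue manager QM1 currently using store A.
rotation_plan QM1 /var/mqm/qmgrs/QM1/ssl/keyA "CN=QM1,O=Example,C=US"
```

The old certificate stays untouched in the active store, so the rollback line restores service if the new certificate turns out to be faulty.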
|
akm.mohan |
Posted: Fri Jan 30, 2009 2:40 pm Post subject: Thanks for your valuable reply |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Many thanks to you for your valuable information and suggestions. |
|
akm.mohan |
Posted: Mon Feb 02, 2009 3:43 pm Post subject: how to recreate the same CSR instead of creating new one |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
Hi Exerk,
Instead of creating a new CSR, from the above manuals I found the command gsk6cmd -certreq -recreate -db filename -pw password -target filename.
Is it okay to create it like this?
But before that I wanted to display the list, and I got an error like no request key was found.
What does it mean? Please let me know.
Thanks,
Mohan |
|
exerk |
Posted: Tue Feb 03, 2009 1:23 am Post subject: Re: need more information |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
exerk wrote: |
Your free lunch is now finished... |
Try the manuals, try the Info Centers, try Google, try this for instance. |
|
akm.mohan |
Posted: Tue Feb 03, 2009 3:28 pm Post subject: doubt has been cleared |
|
|
Apprentice
Joined: 07 Oct 2008 Posts: 41
|
|