MQ SSL Configuration question.
kragav
Posted: Tue Jun 02, 2009 12:26 pm Post subject: MQ SSL Configuration question.
I have a queue manager with a key repository which is configured with SSL to connect to a remote queue manager. The current key.kdb file has a personal certificate which is signed by the remote queue manager's organization.
Now I need to configure SSL from the same queue manager to another remote queue manager (mutual handshake this time). If I want to generate a new CSR to get it signed by VeriSign, I get an error saying the label (ibmwebspheremqmyqueuemanager) already exists. I can't change the label in the existing key.kdb file; according to the IBM books the label should be ibmwebspheremqqmgrname.
According to my reading I can't have more than one key repository for a qmgr.
Please advise me.
Thanks in advance.
kragav.
exerk
Posted: Tue Jun 02, 2009 2:01 pm
You can have more than one key repository (as many as you like in fact) but the queue manager can only use one at any given time.
I'm assuming from your post that you want to replace the current, 'remote queue manager's organization' CA-signed personal certificate with one from VeriSign, while maintaining the use of the current key repository; the only way to achieve that is to recreate the request (please note the emphasis...there's a clue there) and send that to VeriSign - I think the receive will then over-write the existing certificate. Of course, you will have to ensure that the 'remote queue manager's organization' queue manager has all the required VeriSign CA certificates in their queue managers' key repository, so, would it not be easier just to add the 'remote queue manager's organization' CA certificate to the 'new' queue manager to which you want to connect? After all, you must have a copy of it in your current key repository?
Alternatively, create another key store (naming them by the default name 'key' is not a good idea), create a certificate request in that, receive the VeriSign-signed certificate into that, then alter the queue manager's SSLKEYR attribute to point to the new key store, and refresh security - the same caveat applies though as regards the 'remote queue manager's organization' queue manager having the VeriSign CA certificates.
kragav
Posted: Wed Jun 03, 2009 6:25 am
Exerk, thank you for the detailed reply.
I don't want to change the existing key repository because that key is being used by the queue manager to connect to another remote qmgr.
I want to configure SSL from the same queue manager to another remote queue manager. The remote queue manager's organization is going to get their certificate from Entrust by generating a new CSR. I need to do the same by generating a new CSR and getting it signed by VeriSign. While generating the new CSR I am getting the error that the label already exists. I can't generate the CSR without a label, as you know.
If I change the SSLKEYR attribute of the qmgr to a new key repository, the existing key repository will not be used and it will break the current application.
I am going to get the root certificate and chain certificate from Entrust, which I am going to add into my repository so that my qmgr and the remote qmgr trust each other.
I noticed there is a certreq.arm file which was created while generating the previous CSR. Can I use the same to get it signed by VeriSign? Then the common name will be the same for both the previous and the new VeriSign-signed certificate, and I believe that would break the existing configuration.
exerk
Posted: Wed Jun 03, 2009 6:48 am
kragav wrote:
...I don't want to change the existing key repository because that key is being used by the queue manager to connect to another remote qmgr...
No problem with using the same key repository.
kragav wrote:
I want to configure SSL from the same queue manager to another remote queue manager. The remote queue manager's organization is going to get their certificate from Entrust...
Then you need to ensure you have the Entrust CA certificates in your key repository.
kragav wrote:
...I need to do the same by generating a new CSR and getting it signed by VeriSign...
No you don't. All that is needed is for the remote queue manager to have a copy of the CA cert that verifies your queue manager's personal cert.
kragav wrote:
...I am going to get the root certificate and chain certificate from Entrust, which I am going to add into my repository so that my qmgr and the remote qmgr trust each other...
So what is different about what the other party needs to do with your CA certs? (see paragraph 2)
kragav wrote:
...I noticed there is a certreq.arm file which was created while generating the previous CSR. Can I use the same to get it signed by VeriSign? Then the common name will be the same for both the previous and the new VeriSign-signed certificate, and I believe that would break the existing configuration...
Correct, it will 'break' your current system.
In short - you do not need a new queue manager personal certificate; all you need to do is ensure you have all the necessary CA certs to verify the certs flowed to you, and the other parties have all the necessary CA certs to verify the certs flowed to them.
So, the key repositories should contain:
REMOTE1 ORGANISATION (R1) KEY REPOSITORY
    R1 CA certificate
    R1 queue manager personal certificate
REMOTE2 ORGANISATION (R2) KEY REPOSITORY
    Entrust CA certificates
    R1 CA certificate
    R2 queue manager personal certificate
YOUR KEY REPOSITORY
    R1 CA certificate
    Entrust CA certificates
    Your queue manager personal certificate
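The trust relationships in the three repositories exerk lists, as an added example (not code from this thread or from IBM MQ): each repository is modelled by its personal certificate plus the CA certificates it holds, and a handshake succeeds only if each side can chain the peer's flowed personal certificate to a self-signed CA it holds locally. Certificates are constructed, named by subject/issuer only, and no real cryptography is performed.

```python
# Added example, not from the thread: a minimal model of the three key
# repositories exerk lists, checking that each side can verify the personal
# certificate the other flows during the SSL handshake. Certificates are
# modelled by subject/issuer names only; no real cryptography is performed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root CA


@dataclass
class KeyRepository:
    personal: Cert                            # the queue manager's own certificate
    cas: dict = field(default_factory=dict)   # CA certs present, keyed by subject

    def verifies(self, leaf: Cert) -> bool:
        """Walk the issuer chain of a flowed cert until a self-signed CA held in
        this repository is reached. Every CA on the path must be present locally."""
        cert, seen = leaf, set()
        while cert.subject not in seen:
            seen.add(cert.subject)
            ca = self.cas.get(cert.issuer)
            if ca is None:
                return False              # signer not in repository: handshake fails
            if ca.issuer == ca.subject:
                return True               # reached a trusted root
            cert = ca                     # intermediate CA: keep climbing
        return False


def mutual_auth_ok(a: KeyRepository, b: KeyRepository) -> bool:
    """Mutual handshake: both sides must verify the other's personal cert."""
    return a.verifies(b.personal) and b.verifies(a.personal)


# Constructed CA and personal certificates (names are illustrative)
R1_CA = Cert("R1 CA", "R1 CA")
ENTRUST_ROOT = Cert("Entrust Root", "Entrust Root")
ENTRUST_INT = Cert("Entrust Intermediate", "Entrust Root")   # chain certificate
YOUR_CERT = Cert("YOURQM", "R1 CA")      # existing personal cert, signed by R1's CA
R1_CERT = Cert("R1QM", "R1 CA")
R2_CERT = Cert("R2QM", "Entrust Intermediate")


def cas(*certs):
    return {c.subject: c for c in certs}


R1_REPO = KeyRepository(R1_CERT, cas(R1_CA))
R2_REPO = KeyRepository(R2_CERT, cas(ENTRUST_ROOT, ENTRUST_INT, R1_CA))
YOUR_REPO = KeyRepository(YOUR_CERT, cas(R1_CA, ENTRUST_ROOT, ENTRUST_INT))
YOUR_REPO_BEFORE = KeyRepository(YOUR_CERT, cas(R1_CA))   # before adding Entrust CAs
```

The same personal certificate (YOUR_CERT) serves both connections; only the CA certificates added to the repositories change, which is exerk's point.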