meaton78 | Posted: Fri Oct 09, 2009 7:04 am Post subject: Setup multiple ssl certs for qmgr
I am trying to install 2 SSL certs to our qmgr for authentication. We currently have one set up that is used for our distributed channels and is working without issue. I would like to install a second cert for client connections. I imported the second cert and tested through rfhutil. When I specify an SSL connection, I receive the message that the queue manager is unavailable for connect, but if I disable SSL in rfhutil and connect to the non-SSL channel, I am able to get right in.
Channel on server:
CHANNEL(CLIENT.SSL.QMTEST)
CHLTYPE(SVRCONN)
SSLCAUTH(REQUIRED)
SSLCIPH(NULL_MD5)
SSLPEER( )
TRPTYPE(TCP)

Client:
CHANNEL(CLIENT.SSL.QMTEST)
CHLTYPE(CLNTCONN)
SSLCIPH(NULL_MD5)
SSLPEER( )
TRPTYPE(TCP)

exerk | Posted: Fri Oct 09, 2009 7:34 am
A queue manager has one, and only one, personal certificate.

mqjeff | Posted: Fri Oct 09, 2009 8:20 am

meaton78 | Posted: Fri Oct 09, 2009 9:05 am
Here's what I was hoping to do. Create one cert for the qmgr named ibmwebspheremqqmtest. Import that cert and also two root CA certs into the keystore. All certs for queue managers would be signed by signerA, while all client certs would be signed by signerB. Could something like that work? |

exerk | Posted: Fri Oct 09, 2009 9:09 am
Yes.

mqjeff | Posted: Fri Oct 09, 2009 9:09 am
You can trust as many signer certs as you want.
What did you do to add the second signer cert?

meaton78 | Posted: Fri Oct 09, 2009 9:13 am
I opened the kdb for the qmgr in iKeyman, switched the view to Signer Certificates and added both the signerA and signerB certs. So the server now has the server cert plus two signers. The client has one cert plus one signer.

mqjeff | Posted: Fri Oct 09, 2009 9:15 am
The client will need to trust the signer of the qmgr's cert.
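The trust layout meaton78 proposes (one personal cert for the queue manager signed by signerA, client certs signed by signerB, both signers in the queue manager's key database) together with mqjeff's point that the client must also trust the signer of the qmgr's cert, modelled as an added example with OpenSSL instead of iKeyman/runmqckm. This is not code from the thread or from IBM MQ: the names signerA, signerB and ibmwebspheremqqmtest come from the posts, the client cert name ibmwebspheremqclient and the `.trust` files that stand in for each kdb's signer list are assumptions of the example, and it builds a throwaway PKI in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example: the two-signer trust layout from the thread, built with
# OpenSSL. signerA, signerB and ibmwebspheremqqmtest are names from the
# posts; ibmwebspheremqclient and the "*.trust" files (standing in for the
# signer certificates held in a kdb) are assumptions of this example.
set -eu

WORK="$(mktemp -d)"

# make_ca NAME: self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: end-entity key and CSR, signed by the named CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# make_store STORE SIGNER...: the signer certificates one key database trusts.
make_store() {
  store="$WORK/$1.trust"
  shift
  : > "$store"
  for signer in "$@"; do
    cat "$WORK/$signer.pem" >> "$store"
  done
}

# verify_peer STORE CERT: prints "ok" when the store's signers validate the
# peer certificate (the check each side makes on the other during the SSL
# handshake), "fail" otherwise. Always exits 0 so it is safe under set -e.
verify_peer() {
  if openssl verify -CAfile "$WORK/$1.trust" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki() {
  make_ca signerA                          # signs queue-manager certs
  make_ca signerB                          # signs client certs
  make_leaf ibmwebspheremqqmtest signerA   # the qmgr's one personal cert
  make_leaf ibmwebspheremqclient signerB   # a client personal cert (name assumed)
  make_store qmgr signerA signerB          # qmgr kdb: trusts both signers
  make_store client_before signerB         # client kdb as first described
  make_store client_after signerB signerA  # client kdb after adding signerA
}

build_pki
printf 'qmgr (signerA+signerB) validates client cert:   %s\n' "$(verify_peer qmgr ibmwebspheremqclient)"
printf 'client (signerB only) validates qmgr cert:     %s\n' "$(verify_peer client_before ibmwebspheremqqmtest)"
printf 'client (signerB+signerA) validates qmgr cert:  %s\n' "$(verify_peer client_after ibmwebspheremqqmtest)"
```

The first and third lines print ok and the second prints fail: a client key database holding only signerB cannot validate a queue manager certificate issued by signerA, which is exactly the missing trust mqjeff points at. With SSLCAUTH(REQUIRED) the queue manager makes the mirror-image check on the client's certificate, so signerB must be among the qmgr's signers as well. When the handshake fails, the reason is written to the queue manager's error log (qmgrs/<QMGR>/errors/AMQERR01.LOG) even though the client only sees 2059 (MQRC_Q_MGR_NOT_AVAILABLE) or 2393 (MQRC_SSL_INITIALIZATION_ERROR); that log is the first place to look. Two further points a practitioner would check: MQ selects the personal certificate by label, ibmwebspheremq followed by the queue manager name in lowercase on the server and by the user id in lowercase for a C client such as rfhutil, so a second personal certificate in the same kdb is simply never used (exerk's "one, and only one"); and SSLCIPH(NULL_MD5) authenticates both ends but encrypts nothing on the wire, so once the trust setup works both channel ends should move to a CipherSpec that encrypts (for example TLS_RSA_WITH_AES_128_CBC_SHA), and SSLPEER can be filled in to restrict which client DNs the SVRCONN accepts.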

meaton78 | Posted: Fri Oct 09, 2009 9:27 am
I've added the signer CA cert to the client store and received the same results:
13.25.27 2059 Queue manager not available (Connect) - may not be started

meaton78 | Posted: Fri Oct 09, 2009 10:21 am
When I remove either of the CA certs on the client, I get the expected result:
13.54.13 *Error cc=2 rc=2393 Cannot Connect

mqjeff | Posted: Fri Oct 09, 2009 10:25 am
If you disable SSL or use a non-SSL channel from the client, with the same connection information, are you able to connect?

meaton78 | Posted: Fri Oct 09, 2009 10:26 am
Yes, I have a non-SSL channel that I can connect to without issue on the same qmgr from rfhutil.

mqjeff | Posted: Fri Oct 09, 2009 10:34 am