MQSeries.net Forum Index » IBM MQ Security » SSL Configurations

kakkarj
PostPosted: Fri Feb 12, 2010 12:38 am    Post subject: SSL Configurations Reply with quote

Novice

Joined: 03 Aug 2009
Posts: 10

Hi All,

I'd like to know the steps to configure SSL for MQSeries and for Message Broker. Could you please check if the steps below are correct? Please feel free to guide me on better approaches or solutions.

My understanding of SSL
The client initiates the SSL handshake by sending some text along with the CipherSpec and compression algorithm to the server, and asks the server to send its digital certificate.

The server sends some free text, chooses the CipherSpec for the user, and sends its digital certificate. The digital certificate authenticates the server and also contains the server's public key.

The client uses the certification authority's public key to verify the server's digital certificate.
My Question: How does the client verify, using the CA public key, that the digital certificate has not been tampered with? Is it that, using the CA public key, the client reads the hash value for the digital certificate, generates the hash at its own side, and compares the two? If so, do we send the text also along with the digital certificate?

The client uses the server's public key and agrees on the secret key to transfer the data, and also establishes a session key. The server may request the client's digital certificate, but that's optional.

The server uses its private key to decrypt the information and identifies the shared session key.

The handshake completes here, and so the shared key is distributed using the asymmetric approach, and then the symmetric approach is used to share the bulk of the data.

------------------------------------------------------------------------------------

SSL Configuration for MQ

1. Associating a certificate with a queue manager
2. Associating a certificate with a WebSphere MQ client
3. Allowing access to Certificate Revocation Lists (CRLs)
4. Update channel definitions


1. Associating a certificate with a queue manager:
Store the certificate in a key repository using the digital certificate management tool iKeyMan (UNIX).

ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

Use the digital certificate management tool to associate the certificate with the QM.

keytool -import -alias ibmwebspheremq<qm_name> -file jcertfile.cer

My Question: Are any steps missing to associate a certificate with the QM? Suppose we get the certificate from an external body like Veritas.

Shall we use keytool or the gsk6 utility to associate a digital certificate with the QM? What is the difference between the two?

I understand that at the server side we need the digital certificate, the server's private key and the CA public key. How do we get the server's private key and the CA public key, and how do we associate these with the QM?


2. Associating a certificate with a WebSphere MQ client

This key repository file is accessed using the environment variable MQSSLKEYR, or the MQCONNX SSLKeyRepository parameter.
A particular personal certificate within that file is selected for use on the client's SSL channels. UNIX clients use the certificate labeled with ibmwebspheremq followed by the logon userid, wrapped to lower case.

Specify either:
Environment variable:
export MQSSLKEYR=/var/mqm/ssl/key
or MQCONNX:
SSLKeyRepository

My Question: How is the key repository file generated, and who is the owner of the file? Or do we move the key repository file generated on the server to the client side?



3. Allowing access to Certificate Revocation Lists (CRLs)
Define AUTHINFO objects to access the LDAP server and associate the AUTHINFO objects with the QM.

For the client to access the CRL, create a client connection channel on the queue manager machine. As a result, you see a file called AMQCLCHL.TAB in your queue manager's @ipcc directory. Copy (or FTP binary) the AMQCLCHL.TAB file from the queue manager's @ipcc directory to the C:\MQCLIENT directory on the client machine.


4. Update channel definitions
Update the channel definition, specify the SSLKEYR, SSLCIPH and SSLCAUTH parameters, and start the channel.

=============================================

For Broker:

The broker requires several properties to be set to make use of HTTP over SSL. All of these properties can be changed using the mqsichangeproperties command. Change the properties as follows:
• Choose the key store file to be used, by setting a value for keystoreFile:
mqsichangeproperties broker name -b httplistener -o HTTPSConnector -n keystoreFile -v fully qualified file path to keystore file
• Specify the password for the keystore file, by setting a value for keystorePass:
mqsichangeproperties broker name -b httplistener -o HTTPSConnector -n keystorePass -v password for keystore
• Specify the port on which WebSphere Message Broker will listen for HTTPS requests:
mqsichangeproperties broker name -b httplistener -o HTTPSConnector -n port -v Port to listen on for https
• Turn on SSL support in message broker, by setting a value for enableSSLConnector:
mqsichangeproperties broker name -b httplistener -o HTTPListener -n enableSSLConnector -v true

I'd appreciate it if you could please review and let me know if I have missed anything. Any comments, ideas or links are welcome.

Regards