Managing SSL Certificates
Ceartas
Posted: Mon Feb 08, 2010 2:38 am Post subject: Managing SSL Certificates
Novice
Joined: 31 Oct 2008 Posts: 11 Location: Scotland
Good morning folks.
I am in the process of setting up SSL between an AIX QM and WAS. This will in future be rolled out between other platforms. I am finding that using iKeyman through X Windows is really clumsy. By contrast the Windows invocation is pretty seamless.
Can anyone who has experience of managing certificates share any pitfalls in me setting up a procedure whereby they are managed centrally from Windows iKeyman and the complete Db FTP'd to the QM's SSL repository?
Any help or comments gratefully received.
Andrew (aka Windy) _________________ Lang may yer lum reek !
exerk
Posted: Mon Feb 08, 2010 7:37 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Do your security standards allow for the movement of keys around the network?
Depending on the number of queue managers you have, and the number of WAS instances connecting to them, management through iKeyman will be time consuming (the GUI can be slooooow) and there will be an awful lot of repetition.
My suggestion is to create a 'universal' script that can be deployed to each server hosting a queue manager; said script should create the key store(s), remove default CA certificates, add 'white list' CA certificates, and generate a personal certificate request. Copy out the request (use Base64 Encoded ASCII and you can use copy/paste) and when you get the signed request returned to you, use a second 'universal' script to receive the certificate, set the key store path, and refresh security. This is just one method (guess what I use) and there are undoubtedly others.
As regards the WAS instance personal certificate, talk to your WAS people as to how they wish to manage their certificates, and at what level, e.g. cell. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
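The following is an added skeleton of the two 'universal' scripts exerk outlines above; it is not exerk's site-specific script and not IBM code. It assumes WebSphere MQ v7 on AIX with runmqckm and runmqsc on the PATH, the default key store location /var/mqm/qmgrs/<QM>/ssl/key.kdb, CA certificates supplied as Base64 .arm files, and an optional file of default CA labels to purge (the exact output of `runmqckm -cert -list` varies by version, so the labels are read from a file rather than parsed). The private key is generated on the queue manager host and never leaves it: only the CSR goes out and only the signed certificate comes back, which sidesteps the question of moving keys around the network. DRY_RUN=1 (the default) prints every command instead of running it.

```shell
#!/bin/sh
# Added example (not exerk's script, not IBM code): skeleton of the
# "prepare" and "receive" scripts for a queue manager's SSL key store.
# Assumptions: MQ v7 runmqckm/runmqsc on PATH, default key store path,
# CA certs as Base64 .arm files. DRY_RUN=1 only prints the commands.

DRY_RUN=${DRY_RUN:-1}
KEYDB_DIR=${KEYDB_DIR:-/var/mqm/qmgrs}
DEFAULT_CA_LABELS_FILE=${DEFAULT_CA_LABELS_FILE:-}   # one label per line (assumed input)

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# MQSC goes to runmqsc on stdin; in dry-run mode just show the command.
mqsc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'runmqsc %s: %s\n' "$1" "$2"
  else
    printf '%s\n' "$2" | runmqsc "$1"
  fi
}

# MQ looks for the queue manager's personal certificate under the label
# ibmwebspheremq<queue manager name in lower case>.
mq_cert_label() {
  printf 'ibmwebspheremq%s' "$1" | tr '[:upper:]' '[:lower:]'
}

mq_keydb_path() {
  printf '%s/%s/ssl/key.kdb' "$KEYDB_DIR" "$1"
}

# Script 1: create the store, purge default CA certs, add white-listed CAs,
# and write a Base64 CSR. Usage: mq_ssl_prepare QM password "CN=..." ca_dir
mq_ssl_prepare() {
  qm=$1; pw=$2; dn=$3; ca_dir=$4
  kdb=$(mq_keydb_path "$qm")
  run runmqckm -keydb -create -db "$kdb" -pw "$pw" -type cms -stash
  # key.sth holds the obfuscated store password so the QM can open the store
  # unattended; keep both files readable by the mqm group only.
  run chmod 640 "$kdb" "${kdb%.kdb}.sth"
  if [ -n "$DEFAULT_CA_LABELS_FILE" ] && [ -f "$DEFAULT_CA_LABELS_FILE" ]; then
    while IFS= read -r label; do
      [ -n "$label" ] || continue
      run runmqckm -cert -delete -db "$kdb" -pw "$pw" -label "$label"
    done < "$DEFAULT_CA_LABELS_FILE"
  fi
  for f in "$ca_dir"/*.arm; do
    [ -f "$f" ] || continue
    run runmqckm -cert -add -db "$kdb" -pw "$pw" \
      -label "$(basename "$f" .arm)" -file "$f" -format ascii
  done
  run runmqckm -certreq -create -db "$kdb" -pw "$pw" \
    -label "$(mq_cert_label "$qm")" -dn "$dn" -size 2048 \
    -file "${kdb%.kdb}.csr.arm"
}

# Script 2: receive the signed cert, point the QM at the store (SSLKEYR takes
# the path without the .kdb suffix) and refresh SSL. Usage: mq_ssl_receive QM password signed.arm
mq_ssl_receive() {
  qm=$1; pw=$2; signed=$3
  kdb=$(mq_keydb_path "$qm")
  run runmqckm -cert -receive -db "$kdb" -pw "$pw" -file "$signed" -format ascii
  mqsc "$qm" "ALTER QMGR SSLKEYR('${kdb%.kdb}')"
  mqsc "$qm" "REFRESH SECURITY TYPE(SSL)"
}

case "${1:-}" in
  prepare) shift; mq_ssl_prepare "$@" ;;
  receive) shift; mq_ssl_receive "$@" ;;
esac
```

Run it as `./mqssl.sh prepare QM1 'store-password' 'CN=QM1,O=Example,C=GB' /path/to/ca-certs` on each host, copy out the resulting key.csr.arm, then `./mqssl.sh receive QM1 'store-password' /path/to/signed.arm` once the CA returns the certificate. Two points worth keeping in mind when you build the real thing: the `-pw` value is visible in the process arguments while runmqckm runs, so source it from a root-readable file rather than typing it on a shared shell, and review the dry-run output once per platform before switching DRY_RUN off.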
Ceartas
Posted: Tue Feb 23, 2010 2:50 am Post subject: Thanks
Novice
Joined: 31 Oct 2008 Posts: 11 Location: Scotland
Cheers for the response.
Q. Would you be prepared to share such a script if you already have one?
A negative response is perfectly acceptable.
_________________ Lang may yer lum reek !
exerk
Posted: Tue Feb 23, 2010 3:09 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
When PMs are working again, ping me. I'll give you the basics (including the command lines) and flow, but I can't give you the scripts as they are site-specific, sorry. From that information you can build the necessary logic around the framework I provide. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay
Posted: Tue Feb 23, 2010 3:57 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
http://www.ibm.com/developerworks/websphere/techjournal/0906_mismes/0906_mismes.html
Quote:
Summary: Although the iKeyman GUI makes interactive key management easy, human-driven processes are time consuming, can be prone to errors, and might not produce consistent results. Scripts address all of these issues. In addition, command line tools provide easy access to advanced options, such as FIPS compatibility and choice of signature algorithm. Whether you have a large deployment or just a few queue managers, when it comes to key management, scripts are the key to quality, consistency, repeatability, and efficiency.
_________________ Peter Potkay
Keep Calm and MQ On