Problem enabling SSL on a connection
sgb
Posted: Wed Mar 10, 2010 3:33 pm Post subject: Problem enabling SSL on a connection
Newbie
Joined: 10 Mar 2010 Posts: 7
I have a connection with a test system that is working, but I want to add SSL encryption to the link. The server is a Windows box, and it seems to work ok, but the linux 64 box keeps giving me AMQ9660 errors:
5724-H72 (C) Copyright IBM Corp. 1994, 2008. ALL RIGHTS RESERVED.
03/11/2010 10:14:40 AM Channel 'CCHECKTE.TO.CTTESTX' is starting.
03/11/2010 10:14:40 AM AMQ9660: SSL key repository: password stash file absent or unusable.
03/11/2010 10:14:40 AM AMQ9999: Channel program ended abnormally.
gsk7cmd_64 complains that:
The Java Cryptographic Extension(JCE) files were not found.
Please check that the JCE files have been installed in the correct directory.
...so I've been trying to use gsk7capicmd_64 to create the key repository (not being in the US or Canada I don't seem to have any legal option to get the Java Cryptographic Extensions), but I don't seem to be having any success.
echo dis qmgr sslkeyr | runmqsc CCHECKTE reports:
5724-H72 (C) Copyright IBM Corp. 1994, 2008. ALL RIGHTS RESERVED.
Starting MQSC for queue manager CCHECKTE.
1 : dis qmgr sslkeyr
AMQ8408: Display Queue Manager details.
QMNAME(CCHECKTE)
SSLKEYR(/var/mqm/qmgrs/CCHECKTE/ssl/key)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
so I went to /var/mqm/qmgrs/CCHECKTE/ssl and ran:
gsk7capicmd_64 -keydb -create -db key
and
gsk7capicmd_64 -keydb -stashpw -db key -pw test
...but the latter tells me GSKKM_ERR_KEYDB_NOT_EXIST, and all the while runmqchl gives me AMQ9660 errors as above.
What am I missing in creating the required password stash?
Thanks,
Steve.
fjb_saper
Posted: Wed Mar 10, 2010 8:19 pm Post subject: Re: Problem enabling SSL on a connection
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
sgb wrote: |
I have a connection with a test system that is working, but I want to add SSL encryption to the link. The server is a Windows box, and it seems to work ok, but the linux 64 box keeps giving me AMQ9660 errors:
5724-H72 (C) Copyright IBM Corp. 1994, 2008. ALL RIGHTS RESERVED.
03/11/2010 10:14:40 AM Channel 'CCHECKTE.TO.CTTESTX' is starting.
03/11/2010 10:14:40 AM AMQ9660: SSL key repository: password stash file absent or unusable.
03/11/2010 10:14:40 AM AMQ9999: Channel program ended abnormally.
gsk7cmd_64 complains that:
The Java Cryptographic Extension(JCE) files were not found.
Please check that the JCE files have been installed in the correct directory.
...so I've been trying to use gsk7capicmd_64 to create the key repository (not being in the US or Canada I don't seem to have any legal option to get the Java Cryptographic Extensions), but I don't seem to be having any success. |
Wrong. I believe there is a standard JCE for export which should at least cater for all the export strength crypto. Request your crypto extension from your JVM vendor.
sgb wrote: |
echo dis qmgr sslkeyr | runmqsc CCHECKTE reports:
5724-H72 (C) Copyright IBM Corp. 1994, 2008. ALL RIGHTS RESERVED.
Starting MQSC for queue manager CCHECKTE.
1 : dis qmgr sslkeyr
AMQ8408: Display Queue Manager details.
QMNAME(CCHECKTE)
SSLKEYR(/var/mqm/qmgrs/CCHECKTE/ssl/key)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed. |
This looks right. The extension of the keystore does not get populated to MQ.
sgb wrote: |
so I went to /var/mqm/qmgrs/CCHECKTE/ssl and ran:
gsk7capicmd_64 -keydb -create -db key
and
gsk7capicmd_64 -keydb -stashpw -db key -pw test
...but the latter tells me GSKKM_ERR_KEYDB_NOT_EXIST, and all the while runmqchl gives me AMQ9660 errors as above.
What am I missing in creating the required password stash?
Thanks,
Steve. |
Well, remember that the keystore should have an extension (look it up in the manuals (kdb?)) and this needs to be used in the command line.
So this should read
Code:
gsk7capicmd_64 -keydb -create -db key.kdb
gsk7capicmd_64 -keydb -stashpw -db key.kdb -pw test
Also remember that none of this may work if you did not set the correct environment variables like JAVA_HOME etc...
If you are familiar with X11, read the manual; doing all this over the GUI makes it so much easier to understand.
Don't know if just issuing refresh security type(ssl) (look it up for exact syntax) after all this setup is sufficient, but I would suggest you bounce the qmgr anyway so that it can pick up the JAVA_HOME environment variable that you will have set before starting the qmgr.
Have fun
_________________
MQ & Broker admin
sgb
Posted: Tue Mar 16, 2010 7:38 pm Post subject:
Newbie
Joined: 10 Mar 2010 Posts: 7
Thanks for that - it looks like "gsk7capicmd_64 -keydb -stashpw" does need the .kdb extension to the key database name, but -create doesn't care so much (and will automatically add the .kdb if it is omitted). Thus the first step was working and creating the key files, but the second one didn't as the naming requirements are evidently more stringent for the second step!
fjb_saper
Posted: Tue Mar 16, 2010 8:53 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Thanks for sharing the solution.
Have fun
_________________
MQ & Broker admin
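An added example, not part of the thread and not IBM tooling: a shell check for the state behind the AMQ9660 error discussed above, given the SSLKEYR stem. It assumes the queue manager looks for `<stem>.kdb` and a stash file `<stem>.sth` beside it; the function name `check_keyrepo`, its return codes and the world-readable check are illustrative assumptions.

```shell
#!/bin/sh
# Added example. check_keyrepo is a hypothetical helper, not an MQ or GSKit command.
# Usage: check_keyrepo STEM   (STEM = the SSLKEYR value, e.g. /var/mqm/qmgrs/CCHECKTE/ssl/key)
# Prints one diagnosis word and returns:
#   0 ok                    <stem>.kdb and <stem>.sth present and readable
#   1 has-suffix            STEM already ends in .kdb (SSLKEYR takes the stem only)
#   2 no-kdb                <stem>.kdb missing
#   3 no-stash              <stem>.sth missing: the "absent" case of AMQ9660
#   4 unreadable            a file exists but this user cannot read it
#   5 stash-world-readable  extra hardening check, not raised in the thread
check_keyrepo() {
    stem=$1
    case "$stem" in
        *.kdb) echo has-suffix; return 1 ;;
    esac
    [ -f "$stem.kdb" ] || { echo no-kdb; return 2; }
    [ -f "$stem.sth" ] || { echo no-stash; return 3; }
    if [ ! -r "$stem.kdb" ] || [ ! -r "$stem.sth" ]; then
        echo unreadable; return 4
    fi
    # The stash holds the (obfuscated) database password; flag it if "other" can read it.
    if find "$stem.sth" -perm -004 | grep -q .; then
        echo stash-world-readable; return 5
    fi
    echo ok
}

# Constructed demo in a temp directory; empty files stand in for real GSKit output.
demo=$(mktemp -d)
touch "$demo/key.kdb"                       # state after only the -create step
check_keyrepo "$demo/key" || true           # no-stash
touch "$demo/key.sth"; chmod 600 "$demo/key.sth"
check_keyrepo "$demo/key" || true           # ok
rm -rf "$demo"
```

Run it as the account the channel runs under, since the readability test is evaluated for the current user.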