apk007 |
Posted: Wed Apr 07, 2010 12:09 pm Post subject: Set up the self signed SSL test process |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
I would like to know the process to set up the SSL with the self signed. What do I need to do on the IBM Key Management, MQ Explorer and client side?
The IBM documentation is not detailed enough. |
|
Vitor |
Posted: Wed Apr 07, 2010 12:26 pm Post subject: Re: Set up the self signed SSL test process |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
apk007 wrote: |
I would like to know the process to set up the SSL with the self signed. |
It's pretty much the process in the documentation
apk007 wrote: |
The IBM documentation is not detailed enough. |
Which parts did you consider incomplete?
(I do accept that it is spread a little, with both the Security & Clients manuals having useful information for you. Though I'm not sure why you're specifically asking about MQExplorer...)
You might also find some of the posts on the forum deal with specific areas of concern that you have. SSL is a popular topic here.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
apk007 |
Posted: Wed Apr 07, 2010 12:47 pm Post subject: |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
|
apk007 |
Posted: Wed Apr 07, 2010 12:50 pm Post subject: |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
|
Vitor |
Posted: Wed Apr 07, 2010 12:54 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
apk007 wrote: |
How I need to generate the public keys and stuff. |
That's in the links you yourself posted, and the Security manual that the 2nd link refers you to.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
apk007 |
Posted: Wed Apr 07, 2010 1:04 pm Post subject: |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
Create a key database for the client and generate the corresponding certificate.
Create a key database for the server and generate the corresponding certificate.
Extract public keys from each of the certificates.
Import the public key of the client into the server's key database.
Import the public key of the server into the client's key database.
Enable SSLCIPH and set SSLCAUTH(REQUIRED) on the channels between the client and server.
If I look at this, the steps are not very clear. Do you have any detailed steps around this which will help me? |
|
exerk |
Posted: Wed Apr 07, 2010 2:48 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
1. Create a key store for the queue manager.
2. Create a self-signed certificate in that key store*.
3. Extract a copy of the certificate from the key store.
4. Create a key store for the client.
5. Create a self-signed certificate in that key store*.
6. Extract a copy of the certificate from the key store.
* Pay particular attention to the label name of the certificates, particularly that of the client, which must be ibmwebspheremqclientuserid where clientuserid is the name of the account under which the client will run.
7. Add the copy of the client certificate to the key store of the queue manager, and the copy of the queue manager certificate to the key store of the client.
8. Set the SSLKEYR attribute of the queue manager to the path and file name of the queue manager key store and refresh security type(ssl)**.
9. Set the environment variable MQSSLKEYR to the path and file name of the client key store**.
** File names must be in stem format, i.e. with NO file extension.
10. Create your SVRCONN and CLNTCONN channels with NO SSL ATTRIBUTES SET.
11. Test connectivity and if successful proceed to the next step, or if unsuccessful fix until it works - do NOT try to go further until you have successfully achieved a connection.
12. Set the appropriate SSL attributes on the SVRCONN and CLNTCONN channels and retest.
Using the iKeyman GUI will make your life easier (at first anyway) and MQExplorer takes away the pain of setting the MQSSLKEYR environment variable.
That's your first fish (well, more of a whale really) but if you don't know how to set up the environment for a client you're pretty much screwed from step 10 onwards anyway.
If you can't combine the above information with that of the manuals, and the advice of the venerable Vitor to dig through the Security forum, then I'd hazard you need to understand more about SSL and how it works generally before you start trying to apply it to WMQ.
Enjoy...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
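The two footnotes in the procedure above (the client certificate label and the stem-format key store path) are the usual places a first setup goes wrong, so here is a pre-flight check for them, added as an example and not part of exerk's post. The function names, sample paths and user IDs are hypothetical; it assumes an iKeyman CMS key store saved as `<stem>.kdb` and that the user ID in the label is folded to lower case.

```shell
#!/bin/sh
# Pre-flight checks for steps 2/5 (labels) and 8/9 (key store paths).
# All paths and user IDs here are constructed sample values.

# Client certificate label: "ibmwebspheremq" + the client's user ID.
# Lower-casing the ID is an assumption, not something the post states.
expected_client_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# check_client_label LABEL USERID -> 0 if LABEL matches the expected label
check_client_label() {
    [ "$1" = "$(expected_client_label "$2")" ]
}

# check_keyr_stem VALUE: VALUE is what you plan to put in SSLKEYR or MQSSLKEYR.
# Returns 0 = ok, 1 = value carries a file extension, 2 = no VALUE.kdb on disk.
# Assumes an iKeyman CMS key store, which is stored as <stem>.kdb.
check_keyr_stem() {
    case "${1##*/}" in
        *.kdb|*.sth|*.rdb|*.crl)
            echo "not stem format, drop the extension: $1"; return 1 ;;
    esac
    [ -f "$1.kdb" ] || { echo "no key store found at $1.kdb"; return 2; }
    echo "ok: $1"
}

# Demo against a throwaway directory standing in for a client key store dir.
demo_dir=$(mktemp -d)
: > "$demo_dir/key.kdb"
check_keyr_stem "$demo_dir/key.kdb" || true   # rejected: has an extension
check_keyr_stem "$demo_dir/key"     || true   # accepted
check_keyr_stem "$demo_dir/client"  || true   # rejected: no such key store
check_client_label "ibmwebspheremqapp1" "APP1" && echo "label ok"
rm -rf "$demo_dir"
```

Run the path check on the queue manager host for the SSLKEYR value and on the client host for the MQSSLKEYR value before moving on to step 12.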
|
apk007 |
Posted: Thu Apr 08, 2010 5:45 pm Post subject: |
|
|
Apprentice
Joined: 23 Mar 2010 Posts: 25
|
|