jed
Posted: Thu Mar 18, 2004 6:59 am    Post subject: IBM WebSphere MQ v5.3 SSL Configuration.
Centurion
Joined: 08 Jan 2004   Posts: 118   Location: MI, USA
I'm having some problems configuring SSL.
Can you guys give me a short summary of SSL configuration?
Thanks!
_________________
Jed
oz1ccg
Posted: Thu Mar 18, 2004 7:58 am
Yatiri
Joined: 10 Feb 2002   Posts: 628   Location: Denmark
jed
Posted: Thu Mar 18, 2004 5:31 pm
Centurion
Joined: 08 Jan 2004   Posts: 118   Location: MI, USA
Sorry for being too vague in my question.
I've read bits and parts of the IBM WebSphere MQ Security PDF.
And below are the steps I did based on my understanding of what I've read (I know I need to read more).
The following are the steps that I did in configuring SSL for IBM WebSphere MQ v5.3 for Windows.
1. Created SSL client queue manager (PC1).
2. Created SSL server queue manager (QM2).
3. SSL repository for PC1 is c:\Program Files\IBM\WebSphere MQ\Qmgrs\PC1\ssl\key.
4. SSL repository for QM2 is c:\Program Files\IBM\WebSphere MQ\Qmgrs\QM2\ssl\key.
5. Created a self-signed personal certificate using MAKECERT.EXE as shown below:
   makecert -ss MY -n "CN=DEAN" -pe
6. List all the certificates found in the current user's MY system store.
   amqmcert -l -k MY
   System Store (MY):
   14005: * DEAN, DEAN
7. Copied the certificate from MY to the PC1 SSL repository using the command:
   amqmcert -m PC1 -a 14005
8. List the certificates found in PC1.
   amqmcert -m PC1 -l
   WebSphere MQ Store (PC1):
   00014: * DEAN, DEAN
9. Assigned the certificate for use by WebSphere MQ.
   amqmcert -m PC1 -d 00014
10. Export the certificate for import to QM2.
   amqmcert -m PC1 -x 00014 -s mycert.cer
11. Copy the certificate file to the system that contains the queue manager QM2.
12. Import the certificate from the certificate file to the QM2 SSL repository.
   amqmcert -a -p mycert.cer -k "E:\Program Files\IBM\WebSphere MQ\Qmgrs\QM2\ssl\key"
13. List the certificates found in the repository.
   amqmcert -l -k "E:\Program Files\IBM\WebSphere MQ\Qmgrs\QM2\ssl\key"
   WebSphere MQ Store (QM2):
   00027: * DEAN, DEAN
14. Assigned the certificate for use by WebSphere MQ.
   amqmcert -m QM2 -d 00027
15. Changed the SSLCIPH for the SDR/RCVR channels to "TRIPLE_DES_SHA_US".
16. SSLCAUTH(REQUIRED) for the RCVR channel.
17. Started the SDR channel.
18. SDR channel status is RETRYING.
_________________
Jed
gunter
Posted: Fri Mar 19, 2004 12:31 am
Partisan
Joined: 21 Jan 2004   Posts: 307   Location: Germany, Frankfurt
If you use SSLCAUTH(REQUIRED), you need, on both ends, client and server, a certificate with a private key. amqmcert -x exports only the public key.
I would give each queue manager a certificate of its own.
_________________
Gunter Jeschawitz
IBM Certified System Administrator - Websphere MQ, 5.3
crossland
Posted: Fri Mar 19, 2004 1:13 am
Master
Joined: 26 Jun 2001   Posts: 248
gunter
Posted: Fri Mar 19, 2004 1:24 am
Partisan
Joined: 21 Jan 2004   Posts: 307   Location: Germany, Frankfurt
If I'm right and you change to SSLCAUTH(OPTIONAL), only one direction should work. I assume it's PC1 -> QM2.
_________________
Gunter Jeschawitz
IBM Certified System Administrator - Websphere MQ, 5.3
jed
Posted: Fri Mar 19, 2004 2:05 am
Centurion
Joined: 08 Jan 2004   Posts: 118   Location: MI, USA
Gunter,
Yes, I made SSLCAUTH(REQUIRED).
I see, amqmcert -s <filename> -x only exports the public key.
How do I generate a private key? Can I use makecert?
Let me try changing to SSLCAUTH(OPTIONAL) and I'll tell you if it works or not.
Tim,
Yes, I did receive an error in the queue manager's error log. It says:
AMQ9659: A failure occurred during SSL handshaking.
EXPLANATION:
During SSL handshaking, or associated activities, a failure occurred. The failure is 'WebSphere MQ TCP/IP Receive Failed' and has caused WebSphere MQ channel name 'PC1.TO.QM1' to be closed. If the name is '????' then the name is unknown.
ACTION:
Refer to prior message in the WebSphere MQ error log for information related to this problem.
Questions:
1. Does makecert.exe create private keys or public keys? If you're not sure, can you recommend any program that can create private and/or public keys?
2. From my understanding of the MQ Security PDF, both queue managers must have certificates in order for them to do that handshaking thing. So, enumerating the steps:
a.) Create qmgrs QM1 and QM2.
b.) Create digital certs for QM1 and QM2 (are they private or public keys?).
c.) Add and assign the created QM1 digital cert to the QM1 queue manager.
d.) Add and assign the created QM2 digital cert to the QM2 queue manager.
e.) Copy the digital cert of QM1 to QM2 and upload the digital cert of QM1 to QM2.
f.) Copy the digital cert of QM2 to QM1 and upload the digital cert of QM2 to QM1.
g.) Create sender channels in qmgrs QM1 and QM2.
h.) Create receiver channels in qmgrs QM1 and QM2.
NOTE:
One more thing, what IBM Redbooks should I read in order to prepare for the IBM Certified Systems Administrator test?
I'm being given a lot of MQ work and I'm still a newbie on this one. Imagine I had to create channel exits, event monitors, API exits and now SSL!
_________________
Jed
JasonE
Posted: Fri Mar 19, 2004 3:26 am
Grand Master
Joined: 03 Nov 2003   Posts: 1220   Location: Hursley
See your other append about makecert for step-by-step instructions on getting a two-way authentication MQ SSL channel with makecert.
jed
Posted: Fri Mar 19, 2004 4:21 am
Centurion
Joined: 08 Jan 2004   Posts: 118   Location: MI, USA
Jason,
What other append? Are you talking about the other thread that I posted regarding MAKECERT?
Dino
_________________
Jed
JasonE
Posted: Fri Mar 19, 2004 5:24 am
Grand Master
Joined: 03 Nov 2003   Posts: 1220   Location: Hursley
Yes, that was in respect of the
Quote:
    Does makecert.exe create private keys or public keys?
There are loads of ways of getting self-signed certificates (OpenSSL, iKeyMan/GSKit etc.).
Quote:
    e.) Copy the digital cert of QM1 to QM2 and upload the digital cert of QM1 to QM2.
    f.) Copy the digital cert of QM2 to QM1 and upload the digital cert of QM2 to QM1.
Yes, but the general principle is that you copy the signer certificate (certificate authority / CA), which is public key only, to the other end of the connection; you don't need the private key information as well (at least with real certificates rather than self-signed ones).
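The following is an added example and not part of the original thread or of any IBM tooling. It makes concrete the rule in Gunter's and Jason's replies (each queue manager needs a personal certificate with its own private key; only the public signer certificate crosses to the other end) and replays what went wrong in steps 10-14 of Jed's procedure, where the file produced by exporting PC1's certificate was installed on QM2 as if it were QM2's own certificate. Because makecert and amqmcert are Windows-only, OpenSSL (one of the tools Jason lists) stands in for both, and a directory tree stands in for the key repositories. The names PC1 and QM2 and the Qmgrs/<name>/ssl/key layout are borrowed from the thread; the helper function names are assumptions made for this example, not amqmcert options. It needs only an `openssl` binary and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). OpenSSL stands in for makecert/amqmcert.
# Each queue manager keeps a personal certificate WITH its private key in its own
# repository; only the public (signer) certificate is copied to the other side.
# It also replays the thread's mistake: PC1's exported certificate installed on
# QM2 as QM2's personal certificate, which leaves QM2 with no private key.
# PC1, QM2 and the Qmgrs/<name>/ssl/key layout are assumed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Path of a queue manager's key repository in this mock-up.
repo_of() { echo "$WORK/Qmgrs/$1/ssl/key"; }

# make_personal_cert <qmgr>: self-signed certificate plus private key, the
# OpenSSL counterpart of the thread's "makecert -ss MY -n CN=<name> -pe".
make_personal_cert() {
    repo=$(repo_of "$1")
    mkdir -p "$repo"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$repo/$1.key" -out "$repo/$1.crt" >/dev/null 2>&1
}

# export_signer <qmgr> <file>: the certificate (public key) only, which is all
# that should travel to the other end. The private key stays in the repository.
export_signer() {
    cp "$(repo_of "$1")/$1.crt" "$2"
}

# install_signer <qmgr> <peer> <file>: trust <peer>'s exported certificate in
# <qmgr>'s repository - the "copy the cert to the other end" step done right.
install_signer() {
    cp "$3" "$(repo_of "$1")/signer-$2.crt"
}

# has_private_key <file>: succeeds if the PEM file carries a private key.
has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# cert_has_matching_key <qmgr>: does the repository hold the private key that
# belongs to <qmgr>'s personal certificate? Without it the queue manager cannot
# prove its identity when the remote channel has SSLCAUTH(REQUIRED).
cert_has_matching_key() {
    repo=$(repo_of "$1")
    [ -f "$repo/$1.key" ] || return 1
    [ "$(openssl x509 -noout -modulus -in "$repo/$1.crt")" = \
      "$(openssl rsa  -noout -modulus -in "$repo/$1.key" 2>/dev/null)" ]
}

# peer_is_trusted <qmgr> <peer>: can <qmgr> validate <peer>'s personal
# certificate using only the signer certificates in <qmgr>'s own repository?
peer_is_trusted() {
    openssl verify -CAfile "$(repo_of "$1")/signer-$2.crt" \
        "$(repo_of "$2")/$2.crt" >/dev/null 2>&1
}

# The thread's steps 10-14 replayed: PC1's exported certificate becomes QM2's
# "personal" certificate. Returns 1 because QM2 has no private key for it.
thread_setup() {
    make_personal_cert PC1
    export_signer PC1 "$WORK/mycert.cer"
    mkdir -p "$(repo_of QM2)"
    cp "$WORK/mycert.cer" "$(repo_of QM2)/QM2.crt"
    cert_has_matching_key QM2
}

# Corrected setup: each queue manager gets its own certificate and key, and the
# two exchange only their public certificates as signers. Returns 0 when both
# sides hold a usable personal certificate and trust each other's.
corrected_setup() {
    make_personal_cert PC1
    make_personal_cert QM2
    export_signer PC1 "$WORK/PC1.cer"
    export_signer QM2 "$WORK/QM2.cer"
    install_signer QM2 PC1 "$WORK/PC1.cer"
    install_signer PC1 QM2 "$WORK/QM2.cer"
    cert_has_matching_key PC1 && cert_has_matching_key QM2 &&
        peer_is_trusted QM2 PC1 && peer_is_trusted PC1 QM2
}

# Stand-alone run: the thread's setup fails the key check, the corrected one passes.
if thread_setup; then
    echo "thread setup: QM2 unexpectedly has a usable key"
else
    echo "thread setup: QM2 has a certificate but no private key"
fi
corrected_setup && echo "corrected setup: both sides hold key+cert and trust each other"
```

The check in cert_has_matching_key is the one to carry back to amqmcert: the certificate you assign with -d must be one whose private key lives in that queue manager's repository, and, as Gunter says, the file you get from -x is not that; it is the piece that goes to the other end, to be added there as the peer's signer.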
jed
Posted: Fri Mar 19, 2004 10:35 am
Centurion
Joined: 08 Jan 2004   Posts: 118   Location: MI, USA
Ohh... I only copy the signer cert.
Let me try later, it's very late now over here.
And I need to review tomorrow because my boss asked me to take the IBM WebSphere MQ Administrator Certification.
What IBM MQ book should I read?
Is reading the manual provided for the MQ01 and MQ05 training enough?
_________________
Jed