MQ SSL between QMgrs & MQExplorer
Sam Uppu
Posted: Wed Nov 16, 2011 2:49 pm    Post subject: MQ SSL between QMgrs & MQExplorer

Yatiri

Joined: 11 Nov 2008
Posts: 610

Hi,
We are using MQ v7 on unix systems and MQExplorer on our desktops. We created a SVRCONN channel specifically for Admins who want to administer the QMgrs from MQExplorer at one location. To secure this channel, we wanted to implement SSL (self signed as it is just internal to our network). We wanted to go with 1-way SSL.

Steps followed:
Created a self signed certificate on unix Qmgr:
Code:
gsk7cmd -keydb -create -db "/var/mqm/qmgrs/QM1/ssl/key.kdb" -pw passw0rd -type cms -expire 1825 -stash

gsk7cmd -cert -create -db "/var/mqm/qmgrs/QM1/ssl/key.kdb" -pw passw0rd -label ibmwebspheremqqm1 -dn "CN=WMQ, OU=WMQ, O=xxx, L=CHICAGO, ST=Illinois, C=US" -expire 1825

gsk7cmd -cert -extract -db "/var/mqm/qmgrs/QM1/ssl/key.kdb" -pw passw0rd -label ibmwebspheremqqm1 -target qm1.arm -format ascii


Now this self signed cert, qm1.arm is FTPed over to desktop machine where MQExplorer is running.
Created a keydb (key.jks) on desktop machine and added the qm1.arm to the key.jks

Able to connect to the Qmgr, QM1 using MQExplorer using key.jks keystore.

Question:
Now I want to implement the same SSL on all of the other queue managers in our network. As we have around 100 Qmgrs within our network, can I push/copy the same keystore created on QM1 to all other queue managers and connect using MQExplorer with the keystore (key.jks) created on the desktop? Is it possible?

I tried for a QMgr, QM2 on the same machine. I copied the /var/mqm/qmgrs/QM1/ssl/* to /var/mqm/qmgrs/QM2/ssl directory.

Changed the SVRCONN channel parameters - SSLCIPH(RC4_SHA_US) & SSLCAUTH(OPTIONAL).

When I try to connect using MQExplorer to the QMgr, QM2 it says SSL error and not able to connect.

Can you please share your ideas on how to implement this across all of our Qmgrs within our network?

Thanks.
mqjeff
Posted: Wed Nov 16, 2011 2:56 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The only thing you need to change is the label of the key in the keystore.
fjb_saper
Posted: Wed Nov 16, 2011 7:11 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

All over, I'd say nicely thought out, but poorly executed...
This is your start in SSL. As you think a little bit more about it, you will want each qmgr to have its own.

To make your work easier, I would suggest you talk to your security department. If they don't have an internal CA you can set yourself up as CA.

Looking at the number of qmgrs involved you need to script your tasks so that nearly everything is automated.

Once all the qmgr certs are in place, you can think about the admin cert. With one cert for the single admin, and the correct DN you should then be able to administer each single qmgr in the network...

If you have multiple admins, give each admin his / her own cert and on the channel check SSL PEER, but omit the CN=<user> value as it would change by admin. Remember you can define multiple OUs.

Have fun
_________________
MQ & Broker admin
Michael Dag
Posted: Thu Nov 17, 2011 1:16 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2602
Location: The Netherlands (Amsterdam)

And an additional reminder for today's (17th) webcast:

WebSphere MQ and SSL - Working with Tools to Manage Digital Keys and Certificates
_________________
Michael



MQSystems Facebook page
ramires
Posted: Thu Nov 17, 2011 1:53 am

Knight

Joined: 24 Jun 2001
Posts: 523
Location: Portugal - Lisboa

You can enable SSL events at queue manager level, this can help you diagnosing. There is also this article:

http://hursleyonwmq.wordpress.com/2007/07/30/using-websphere-mq-explorer-with-ssl/
Sam Uppu
Posted: Thu Nov 17, 2011 6:55 am

Yatiri

Joined: 11 Nov 2008
Posts: 610

fjb_saper wrote:
all over I'd say nicely thought, but poorly executed...
This is your start in SSL. As you think a little bit more about it, you will want each qmgr to have its own.

To make your work easier, I would suggest you talk to your security department. If they don't have an internal CA you can set yourself up as CA.

Looking at the number of qmgrs involved you need to script your tasks so that nearly everything is automated.

Once all the qmgr certs are in place, you can think about the admin cert. With one cert for the single admin, and the correct DN you should then be able to administer each single qmgr in the network...

If you have multiple admins, give each admin his / her own cert and on the channel check SSL PEER, but omit the CN=<user> value as it would change by admin. Remember you can define multiple OUs.

Have fun


As this is just internal to our network and only used by our admins to connect to the Qmgrs and administer them, we wanted to go with self signed and no company/external CA cert.

What I understood from your comments is that I should create a .arm file for each Qmgr (execute the gsk7cmd commands that I pasted in my earlier post for each Qmgr) and add it to the Admin keystore on the desktop, correct? And we can't use the same .arm file for all the Qmgrs?

Please confirm. Appreciate your inputs.

Thanks.
Michael Dag
Posted: Thu Nov 17, 2011 7:15 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2602
Location: The Netherlands (Amsterdam)

Each Qmgr should have its own kdb file with label ibmwebspheremqqmgrname.
Use CN=QMGRNAME.

more detailed info with exercise can be found here:
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.wmq_v6/wmq/6.0/Security.html
_________________
Michael



MQSystems Facebook page
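The answers above converge on the same procedure: one key database per queue manager, the certificate labelled ibmwebspheremq plus the queue manager name in lower case, CN set to the queue manager name, SSL events enabled to help diagnosis, and the whole thing scripted because there are around 100 queue managers. The script below is an added example and is not code from the thread or from IBM. It assumes gsk7cmd is on the PATH as in the original post, that queue managers live under /var/mqm/qmgrs/<QMGR>, and that MQSC is applied with runmqsc. The channel name ADMIN.SVRCONN, the O/OU/L/ST/C parts of the DN and the KDB_PW variable are constructed for illustration. By default it only prints the commands it would run (DRY_RUN=1) so the output can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the thread: create a separate self-signed
# certificate for each queue manager named on the command line.
# Assumptions: gsk7cmd on PATH; queue managers under /var/mqm/qmgrs/<QMGR>;
# MQSC applied with runmqsc. CHANNEL and the O/OU/L/ST/C parts of the DN are
# constructed defaults for illustration.

MQ_ROOT="${MQ_ROOT:-/var/mqm/qmgrs}"
CERT_DAYS="${CERT_DAYS:-1825}"
CIPHER="${CIPHER:-RC4_SHA_US}"       # CipherSpec from the thread; RC4 CipherSpecs are deprecated in later MQ releases
CHANNEL="${CHANNEL:-ADMIN.SVRCONN}"  # assumed name of the admin SVRCONN channel
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands for review, 0 = execute them

# MQ looks for the queue manager certificate under the label
# "ibmwebspheremq" + queue manager name in lower case (e.g. ibmwebspheremqqm1).
mq_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# One DN per queue manager: CN carries the queue manager name, so no two
# certificates imported into the admin's key.jks look alike.
mq_dn() {
    printf 'CN=%s,OU=WMQ,O=xxx,L=CHICAGO,ST=Illinois,C=US\n' "$1"
}

# MQSC for the queue manager: point SSLKEYR at the new key database (path
# without the .kdb suffix), enable SSL event messages as a diagnosis aid, and
# put the SVRCONN channel into one-way SSL as in the original post.
mq_mqsc() {
    cat <<EOF
ALTER QMGR SSLKEYR('$MQ_ROOT/$1/ssl/key') SSLEV(ENABLED)
ALTER CHANNEL('$CHANNEL') CHLTYPE(SVRCONN) SSLCIPH($CIPHER) SSLCAUTH(OPTIONAL)
REFRESH SECURITY TYPE(SSL)
EOF
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create key.kdb, the self-signed certificate and the extracted .arm for one
# queue manager, then apply the MQSC. KDB_PW must hold the key database password.
setup_qmgr() {
    qm="$1"
    ssl_dir="$MQ_ROOT/$qm/ssl"
    kdb="$ssl_dir/key.kdb"
    label="$(mq_label "$qm")"
    run gsk7cmd -keydb -create -db "$kdb" -pw "$KDB_PW" -type cms -expire "$CERT_DAYS" -stash
    run gsk7cmd -cert -create -db "$kdb" -pw "$KDB_PW" -label "$label" \
        -dn "$(mq_dn "$qm")" -expire "$CERT_DAYS"
    run gsk7cmd -cert -extract -db "$kdb" -pw "$KDB_PW" -label "$label" \
        -target "$ssl_dir/$label.arm" -format ascii
    if [ "$DRY_RUN" = "1" ]; then mq_mqsc "$qm"; else mq_mqsc "$qm" | runmqsc "$qm"; fi
}

# Loop over every queue manager given on the command line.
main() {
    if [ -z "$KDB_PW" ]; then
        echo "set KDB_PW to the key database password before running" >&2
        return 1
    fi
    for qm in "$@"; do setup_qmgr "$qm"; done
}

# Usage: KDB_PW=passw0rd DRY_RUN=1 sh mq_ssl_setup.sh QM1 QM2
if [ $# -gt 0 ]; then main "$@"; fi
```

Each queue manager ends up with its own <label>.arm under its ssl directory; those are the files to import into the admin's key.jks, one per queue manager, instead of reusing qm1.arm. SSLCAUTH(OPTIONAL) is kept from the thread, so the queue manager does not require a certificate from the admin; fjb_saper's per-admin certificates checked by SSLPEER would need SSLCAUTH(REQUIRED) and an SSLPEER filter on the channel, which this example leaves out.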