| Author |
Message
|
| qmgr |
 Posted: Thu Mar 15, 2012 7:47 am Post subject: ****SSL BETWEEN TWO QMANAGERS**** |
 |
|
Novice
Joined: 24 Feb 2010
Posts: 13
|
Hi All,
I am new guy in to MQ administration and got a task to finish it up. Here is my task, I am suppose to create a SSL between two queuemanagers. I have created a key repository (file type CMS with .kdb extension). Generated CSRs (1 for the Qmanager on our end and 2 for the 2Qmanagers on the other end (they use MQ1 to connect to our system and MQ2 is for failover). Submitted the CSR to CA. CA has sent me 1 root CA, 1 intermediate CA and 1 qmgr certificate for each qmanager (example: root.crt, intermediate.crt, mq1.crt). I have read so many articles related to setting up a Qmgr-Qmgr SSL and got confused what do next. Can please someone help me providing the steps clearly I am suppose to perform from here.
Thanks In Advance |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Thu Mar 15, 2012 7:54 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| qmgr |
| Posted: Sun Mar 18, 2012 5:04 pm Post subject: |
|
|
Novice
Joined: 24 Feb 2010
Posts: 13
|
Thanks for the response "mqjeff". I have read this article and started working on SSL stuff. I have created new key data base, raised CSR to CA and got ROOT, Intermediate and Qmgr certs. When I am trying to add ROOT certificate there is a error popping up "A duplicate certificate already exists in the database". Can someone please help me what might be the reason behind this issue. Though my key database is a newly created, how come a ROOT CA cert already exists in the database? A
Any help on this is really appreciated.
Thanks In Advance |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Mar 19, 2012 1:05 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| qmgr wrote: |
| ...how come a ROOT CA cert already exists in the database? |
Because depending on the version of GSKit you're using, the key store is auto-populated with certain CA certificates, e.g. most of the VeriSign ones.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| qmgr |
| Posted: Mon Mar 19, 2012 8:17 am Post subject: |
|
|
Novice
Joined: 24 Feb 2010
Posts: 13
|
| exerk wrote: |
Because depending on the version of GSKit you're using, the key store is auto-populated with certain CA certificates, e.g. most of the VeriSign ones. |
So you mean there is no need of adding ROOT CA separately as it is already in the database? |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon Mar 19, 2012 8:19 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| qmgr wrote: |
| So you mean there is no need of adding ROOT CA separately as it is already in the database? |
If it's not already there, an error when adding it claiming it's a duplicate seems rather odd.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| qmgr |
| Posted: Mon Mar 19, 2012 8:38 am Post subject: |
|
|
Novice
Joined: 24 Feb 2010
Posts: 13
|
| Vitor wrote: |
If it's not already there, an error when adding it claiming it's a duplicate seems rather odd. |
As of now, I have added intermediate certificate and received qmgrs certificates in to the key database (did not added ROOT CA, assuming that ROOT CA is already in the data base). Trying to test this key database, if that works, I will be saved. |
|
| Back to top |
|
|
| qmgr |
| Posted: Tue Apr 24, 2012 8:38 am Post subject: |
|
|
Novice
Joined: 24 Feb 2010
Posts: 13
|
Sorry for the late response on this topic. Just want to let you that, I have resolved this issue "a duplicate certificate already exists in the data base". This is because in some of the key data bases the ROOT CA are automatically populated and there is no need of adding them separately.In this case skip adding ROOT CA and start adding Intermediate CA to signer certificates of the key data base.
Thanks everyone who has given input to me in solving this issue. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Apr 24, 2012 8:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
It is a recommended practice from a security point of view to ensure that all key rings only have the required certificates in them. Particularly in the case of key rings used as trust stores. Just because someone is trustworthy doesn't mean you're going to give them your house keys and your car keys.
An auto mechanic doesn't need your house keys and a plumber doesn't need your car keys. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Apr 24, 2012 9:19 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| mqjeff wrote: |
| An auto mechanic doesn't need your house keys and a plumber doesn't need your car keys. |
Unless you live in a Winnebago.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 24, 2012 9:26 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| PeterPotkay wrote: |
| mqjeff wrote: |
| An auto mechanic doesn't need your house keys and a plumber doesn't need your car keys. |
Unless you live in a Winnebago. |
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Apr 24, 2012 10:20 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| PeterPotkay wrote: |
| mqjeff wrote: |
| An auto mechanic doesn't need your house keys and a plumber doesn't need your car keys. |
Unless you live in a Winnebago. |
I'm gonna go code me a Winnebago. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 24, 2012 11:14 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
| PeterPotkay wrote: |
| mqjeff wrote: |
| An auto mechanic doesn't need your house keys and a plumber doesn't need your car keys. |
Unless you live in a Winnebago. |
I'm gonna go code me a Winnebago. |
Once the PHB starts paying bonus for bugs fixed in test.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Apr 24, 2012 11:37 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Vitor wrote: |
| mqjeff wrote: |
| PeterPotkay wrote: |
| Unless you live in a Winnebago. |
I'm gonna go code me a Winnebago. |
Once the PHB starts paying bonus for bugs fixed in test. |
I was hoping I could rely on you to spot the reference. |
|
| Back to top |
|
|
| rekarm01 |
| Posted: Thu Apr 26, 2012 12:40 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 1415
|
| mqjeff wrote: |
| I was hoping I could rely on [Vitor] to spot the reference. |
Ah ... now it makes sense ... |
|
| Back to top |
|
|
|
|
