Mangesh1187
Posted: Sat Dec 28, 2013 7:42 am Post subject: Need your help to get the solution for SSL dilemma occurred
Centurion
Joined: 23 Mar 2013 Posts: 116
Hi All,
I need the solution for one of the dilemmas I am facing now with one of my projects.
Please go through the following flow for better understanding.
APPLICATIONS: EnquirySystem (JMS) <> ACCOUNT (QM1) <> ESB(QM2) <> WareHouse (QM3)
CONNECTIVITY:|--NEW CONNECTIVITY------| |--- EXISTING CONNECTIVITY -----------------|
Application Details:
1. EnquirySystem
JMS
2. ACCOUNT
QM Name : QM1
SVRCONN Channel :EnquirySystemSVRCONN
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm1
3. ESB
QM Name : QM2
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm2
4. WareHouse
QM Name : QM3
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm3
As mentioned in the above diagram, we need to provide the new connectivity between applications EnquirySystem & WareHouse via queue managers QM1 & QM2.
The SSL connectivity between the QM1 <> QM2 <> QM3 QMs is already present.
The task is to establish the new SSL connectivity between application EnquirySystem (using JMS) and application ACCOUNT (MQ).
The problem here is that EnquirySystem is outside of our organization's n/w, and hence we can't provide our organization's CA certificates (ORGNIZATION_CA_certificate) to EnquirySystem.
So we have only 2 options:
1. Use the self signed certificates.
2. Use third party global CA certificates e.g. Verizon
1. Use the self signed certificates:
The problem with this approach is that there is already a CA certificate with the CN=ibmwebspheremqqm1.
Hence we can't add one more self signed certificate with the same CN.
One option is to remove the already existing CA certificate and then create the self signed certificate with CN=ibmwebspheremqqm1.
But if we do this, the already existing SSL connectivity between QM1 and QM2 will not work.
Hence this option won't work.
2. Use third party global CA certificates e.g. Verizon:
For this approach I have a doubt. Can we add another CA certificate with the same CN=ibmwebspheremqqm1 along with the already existing organizational CA certificates?
Can we use this approach so that it won't affect the already existing SSL connectivity between the QM1 & QM2 QMs?
Please help me to get the solution.
Michael Dag
Posted: Sat Dec 28, 2013 11:45 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
smdavies99
Posted: Sat Dec 28, 2013 11:56 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
I agree about MS81. It is perfect for connecting two organisations together like this.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
zpat
Posted: Sun Dec 29, 2013 1:12 am Post subject: Re: Need your help to get the solution for SSL dilemma occur
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Mangesh1187 wrote:
2. Use third party global CA certificates e.g. Verizon :
You've been watching too much TV...! I think you mean Verisign.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
Posted: Sun Dec 29, 2013 6:06 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Quote:
1. EnquirySystem
JMS
2. ACCOUNT
QM Name : QM1
SVRCONN Channel :EnquirySystemSVRCONN
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm1
3. ESB
QM Name : QM2
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm2
4. WareHouse
QM Name : QM3
SSL : ORGNIZATION_CA_certificate , CN=ibmwebspheremqqm3
Far from me to rain on your Distinguished name parade but the value you gave to your CN is really meant to be the LABEL of the cert.
I would have given the qmgr name to the CN...(CN=QM1, CN=QM2, CN=QM3...)
You might want to think on that...
_________________
MQ & Broker admin
Mangesh1187
Posted: Thu Jan 02, 2014 9:06 am Post subject:
Centurion
Joined: 23 Mar 2013 Posts: 116
@zpat: Thanks for getting me on track.
@fjb_saper:
Thanks for your feedback.
As per your suggestion, I have tried the change in the CN as ...(CN=QM1, CN=QM2, CN=QM3...) and it is working fine.
But as I told earlier, the scenario is that the QM1 key.kdb already has the CA certificate with the label ibmwebspheremqqm1. Now we cannot add another self-signed/CA certificate with the same label. And a certificate with another label name won't work.
Also we can't alter the already existing CA certificate in QM1, as the already existing SSL connectivity between QM1 and QM2 will be affected.
Can you please advise how we can still make the SSL connectivity between applications EnquirySystem (JMS) & Account (QM1)?
Please go through my 1st post to get an understanding of the scenario.
fjb_saper
Posted: Fri Jan 03, 2014 9:52 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
One of the solutions has already been described.
Using MQIPT (ms81) to intercept the call allows you all kinds of stuff with SSL...
_________________
MQ & Broker admin