jim
Posted: Thu Sep 25, 2014 9:11 am    Post subject: How SSL .jks work
Voyager, Joined: 26 Nov 2013, Posts: 94
How is security implemented using a JKS key store?
We can connect to any qmgr in the same network using the same SSL .jks file. How will the queue manager know that this connection is genuine?
Vitor
Posted: Thu Sep 25, 2014 9:16 am    Post subject: Re: How SSL .jks work
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
jim wrote:
    How is security implemented using a JKS key store?
Start here and keep reading.
jim wrote:
    We can connect to any qmgr in the same network using the same SSL .jks file. How will the queue manager know that this connection is genuine?
What have you configured at a connection level to prevent any given connection? At a simplistic level (given your question above), how have you supplied the key store to the queue manager and told the channels to check connections against it?
_________________
Honesty is the best policy.
Insanity is the best defence.
jim
Posted: Thu Sep 25, 2014 9:55 am    Post subject: Re: How SSL .jks work
Voyager, Joined: 26 Nov 2013, Posts: 94
Vitor wrote:
    jim wrote:
        How is security implemented using a JKS key store?
    Start here and keep reading.
    jim wrote:
        We can connect to any qmgr in the same network using the same SSL .jks file. How will the queue manager know that this connection is genuine?
    What have you configured at a connection level to prevent any given connection?
    At a simplistic level (given your question above), how have you supplied the key store to the queue manager and told the channels to check connections against it?
We have not configured security exits or an SSLPEER value.
SSL config:
1. Create the Java keystore
2. Create a certificate request
3. Sign the application's certificate
4. Receive the signed certificate
The JKS file is configured on the application side.
On the channel, the SSLCIPH value is configured.
Vitor
Posted: Thu Sep 25, 2014 10:05 am    Post subject: Re: How SSL .jks work
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
jim wrote:
    We have not configured security exits or an SSLPEER value.
Well, you don't need a security exit for this, but how are you expecting the queue manager to check whether the DN on the sending side is acceptable without an SSLPEER value?
jim wrote:
    SSL config:
    1. Create the Java keystore
    2. Create a certificate request
    3. Sign the application's certificate
    4. Receive the signed certificate
    The JKS file is configured on the application side.
I don't see anything here about the queue manager.
jim wrote:
    On the channel, the SSLCIPH value is configured.
I'm assuming you mean a SVRCONN channel, because you said "can connect to any queue manager" in your original post? How did you arrive at the conclusion that SSLCIPH would help you or was even needed?
jim
Posted: Thu Sep 25, 2014 10:14 am    Post subject: Re: How SSL .jks work
Voyager, Joined: 26 Nov 2013, Posts: 94
Vitor wrote:
    jim wrote:
        We have not configured security exits or an SSLPEER value.
    Well, you don't need a security exit for this, but how are you expecting the queue manager to check whether the DN on the sending side is acceptable without an SSLPEER value?
    jim wrote:
        SSL config:
        1. Create the Java keystore
        2. Create a certificate request
        3. Sign the application's certificate
        4. Receive the signed certificate
        The JKS file is configured on the application side.
    I don't see anything here about the queue manager.
    jim wrote:
        On the channel, the SSLCIPH value is configured.
    I'm assuming you mean a SVRCONN channel, because you said "can connect to any queue manager" in your original post? How did you arrive at the conclusion that SSLCIPH would help you or was even needed?
Yes, for a SVRCONN channel.
I have not set anything on the queue manager. We will set the SSLKEYR attribute when we use qmgr-to-qmgr communication and for the C program.
Vitor
Posted: Thu Sep 25, 2014 10:34 am    Post subject: Re: How SSL .jks work
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
jim wrote:
    I have not set anything on the queue manager.
OK, so you've not configured the queue manager nor (from what you've posted here) populated the queue manager's key store, and yet you expect this to be working?
jim wrote:
    We will set the SSLKEYR attribute when we use qmgr-to-qmgr communication and for the C program.
Interesting points in this statement:
- You've stopped talking about the application on the SVRCONN channel with the JKS. (If you're using a Java Key Store with the C program you've just mentioned, I don't want to know how or why!)
- You're apparently using MQTT for queue manager to queue manager communication, as SSLKEYR is only valid for that, and isn't an allowable parameter on a sender or receiver channel.
- You've not said how you came to the conclusion that you needed SSLCIPH, not SSLPEER.
Read the link I gave. Understand how this works. Complete all the configuration steps. Post back here if it still doesn't work.
JosephGramig
Posted: Thu Sep 25, 2014 10:56 am
Grand Master, Joined: 09 Feb 2006, Posts: 1237, Location: Gold Coast of Florida, USA
First you need to understand MQ's PKI infrastructure requirements.
- The server has to have a PKI infrastructure (MQ, HTTP or whatever is the server).
  - In this case, the Qmgr is the server, and the Qmgr requires one and only one key store of the type CMS (that means the file ends in .kdb). The Qmgr also requires the password to the key store to be in a stash file.
  - The key store must contain the Qmgr's private key (created when you make a Certificate Signing Request with this key store).
  - The key store must receive a signed CSR (this is the Qmgr public cert) that matches the private key, but before you receive it
    - you must add the CA's public cert to the Qmgr's key store.
- The client has to have a PKI infrastructure (Java needs JKS and all others are CMS); you indicate a need for JKS, and so I will only talk about that.
  - In this case, the client is Java, and Java requires
    - one key store (the file ends with .jks), which contains
      - the client private key
      - the CA that signed the client private key
    - one trust store (the file ends with .jks), which contains
      - the CA that signed the Qmgr's cert
- Set the client's SSLPEER to DN values of the Qmgr's cert DN.
- Set the Qmgr's SSLPEER to DN values of the client's cert DN.
- What is an Internal CA? you say... Nothing more than a key store with a self-signed cert you use to sign Certificate Signing Requests.
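The procedure JosephGramig lists above, and Vitor's point earlier that SSLCIPH alone does nothing to check who is connecting, as the commands they would be typed as. This is an added example, not code from the thread or from IBM. Assumed names: queue manager QM1, channel APP1.SVRCONN, client DN CN=app1,O=Example, key store password passw0rd, and an internal CA kept as OpenSSL files rather than a second CMS key store (the CA is just a self-signed certificate whose key signs CSRs, so either works). The runmqakm, keytool and runmqsc steps need an MQ installation and a JDK and only run when the script is invoked with `run`; the last function is a stand-alone reading of the comparison SSLPEER makes on the peer's DN, which is what answers the original question: every client holding a certificate from the same CA can complete the TLS handshake, but only the one whose DN satisfies the channel's SSLPEER pattern gets through.

```shell
#!/bin/sh
# Added example (not from the thread or IBM): JosephGramig's setup list as commands.
# Assumed names: queue manager QM1, channel APP1.SVRCONN, client DN CN=app1,O=Example,
# password passw0rd, internal CA kept as OpenSSL files (a self-signed cert that signs CSRs).
set -eu

PW=passw0rd
QM=QM1
CHL=APP1.SVRCONN
QM_DN="CN=$QM,O=Example"
APP_DN="CN=app1,O=Example"
KEYR="/var/mqm/qmgrs/$QM/ssl/key"     # SSLKEYR takes this path WITHOUT the .kdb suffix
CIPH=TLS_RSA_WITH_AES_128_CBC_SHA256  # must match the CipherSuite the Java client uses

# 1. Internal CA: a self-signed certificate plus its private key, nothing more.
make_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -keyout ca.key -out ca.pem \
    -subj "/CN=Example Internal CA/O=Example"
}

# 2. Queue manager side: one CMS key store with a stash file, holding the CA cert,
#    QM1's private key and QM1's CA-signed certificate under the default label.
make_qmgr_keystore() {
  label="ibmwebspheremq$(printf '%s' "$QM" | tr 'A-Z' 'a-z')"
  runmqakm -keydb -create -db "$KEYR.kdb" -pw "$PW" -type cms -stash
  runmqakm -cert -add -db "$KEYR.kdb" -pw "$PW" -label exampleca -file ca.pem -format ascii
  runmqakm -certreq -create -db "$KEYR.kdb" -pw "$PW" -label "$label" -dn "$QM_DN" \
    -size 2048 -file qm.csr
  openssl x509 -req -in qm.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 -out qm.crt
  runmqakm -cert -receive -db "$KEYR.kdb" -pw "$PW" -file qm.crt -format ascii
}

# 3. Java client side: key store (own key, CA, own signed cert) and trust store (CA only).
make_client_jks() {
  keytool -genkeypair -keystore client.jks -storepass "$PW" -keypass "$PW" -alias app1 \
    -keyalg RSA -keysize 2048 -dname "$APP_DN"
  keytool -certreq -keystore client.jks -storepass "$PW" -alias app1 -file app1.csr
  openssl x509 -req -in app1.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 -out app1.crt
  keytool -importcert -noprompt -keystore client.jks -storepass "$PW" -alias exampleca -file ca.pem
  keytool -importcert -noprompt -keystore client.jks -storepass "$PW" -alias app1 -file app1.crt
  keytool -importcert -noprompt -keystore trust.jks -storepass "$PW" -alias exampleca -file ca.pem
}

# 4. MQSC for the queue manager: key store location, a TLS-only SVRCONN that demands a
#    client certificate (SSLCAUTH) and accepts only the expected DN (SSLPEER).
mqsc_for_channel() {
  cat <<EOF
ALTER QMGR SSLKEYR('$KEYR')
DEFINE CHANNEL($CHL) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH($CIPH) SSLCAUTH(REQUIRED) SSLPEER('$APP_DN') REPLACE
REFRESH SECURITY TYPE(SSL)
EOF
}

# The comparison SSLPEER makes on the peer certificate's DN (our reading of the documented
# rules): every attribute in the pattern must appear in the DN with an equal value, compared
# case-insensitively, '*' allowed as a wildcard at either end; attributes the pattern does
# not mention are ignored. Returns 0 on match, 1 otherwise.
sslpeer_matches() {
  cert_dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  old_ifs=$IFS
  IFS=,
  for want in $pattern; do
    key=${want%%=*}
    val=${want#*=}
    found=0
    for have in $cert_dn; do
      [ "${have%%=*}" = "$key" ] || continue
      case "${have#*=}" in $val) found=1 ;; esac
    done
    if [ "$found" -ne 1 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

main() {
  make_ca
  make_qmgr_keystore
  make_client_jks
  mqsc_for_channel | runmqsc "$QM"
  # Client launch (App is an assumed class name). The client pins the queue manager's DN
  # on its side with MQEnvironment.sslPeerName or the JMS SSLPEER property, e.g. "CN=QM1,O=Example".
  echo "java -Djavax.net.ssl.keyStore=client.jks -Djavax.net.ssl.keyStorePassword=$PW" \
       "-Djavax.net.ssl.trustStore=trust.jks -Djavax.net.ssl.trustStorePassword=$PW App"
}

if [ "${1:-}" = run ]; then main; fi
```

Two caveats a practitioner will hit. The Java cipher suite name and the channel's SSLCIPH CipherSpec have to correspond (the MQ documentation carries the mapping table, and IBM and Oracle JREs name suites differently), or the handshake fails before any certificate is looked at. And SSLPEER on a SVRCONN is one pattern for the whole channel: several clients need either wildcards in the pattern or, on MQ 7.1 and later, CHLAUTH SSLPEERMAP records, which also let you map each DN to a specific user ID.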
JosephGramig
Posted: Thu Sep 25, 2014 11:00 am
Grand Master, Joined: 09 Feb 2006, Posts: 1237, Location: Gold Coast of Florida, USA
Also, note that I left out a whole lot of specifics... You must read the KC section pointed out to you before you will be successful.
Better yet, why not explain exactly what you want to connect with SSL first? That way we can tailor our questions/responses.