How SSL .jks work
jim
Posted: Thu Sep 25, 2014 9:11 am    Post subject: How SSL .jks work

Voyager

Joined: 26 Nov 2013
Posts: 94

How is security implemented using a JKS key store?

We can connect to any qmgr in the same network using the same SSL jks file. How will the queue manager find this genuine connection?
Vitor
Posted: Thu Sep 25, 2014 9:16 am    Post subject: Re: How SSL .jks work

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jim wrote:
How is security implemented using a JKS key store?


Start here and keep reading.

jim wrote:
We can connect to any qmgr in the same network using the same SSL jks file. How will the queue manager find this genuine connection?


What have you configured at a connection level to prevent any given connection? At a simplistic level (given your question above) how have you supplied the key store to the queue manager and told the channels to check connections against it?
_________________
Honesty is the best policy.
Insanity is the best defence.
jim
Posted: Thu Sep 25, 2014 9:55 am    Post subject: Re: How SSL .jks work

Voyager

Joined: 26 Nov 2013
Posts: 94

Vitor wrote:
jim wrote:
How is security implemented using a JKS key store?


Start here and keep reading.

jim wrote:
We can connect to any qmgr in the same network using the same SSL jks file. How will the queue manager find this genuine connection?


What have you configured at a connection level to prevent any given connection?

At a simplistic level (given your question above) how have you supplied the key store to the queue manager and told the channels to check connections against it?


We haven't configured the security exits and SSLPEER value.

SSL config
1 Creating the Java keystore
2 Create a certificate request
3 Sign the application’s certificate
4 Receive the signed certificate
JKS file is configured at application side

On channel SSLCIPH value is configured.
Vitor
Posted: Thu Sep 25, 2014 10:05 am    Post subject: Re: How SSL .jks work

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jim wrote:
We haven't configured the security exits and SSLPEER value.


Well, you don't need a security exit for this, but how are you expecting the queue manager to check if the DN on the sending side is acceptable without an SSLPEER value?

jim wrote:
SSL config
1 Creating the Java keystore
2 Create a certificate request
3 Sign the application’s certificate
4 Receive the signed certificate
JKS file is configured at application side


I don't see anything here about the queue manager.

jim wrote:
On channel SSLCIPH value is configured.


I'm assuming you mean a SVRCONN channel? Because you said "can connect to any queue manager" in your original post? How did you arrive at the conclusion that SSLCIPH would help you or was even needed?
_________________
Honesty is the best policy.
Insanity is the best defence.
jim
Posted: Thu Sep 25, 2014 10:14 am    Post subject: Re: How SSL .jks work

Voyager

Joined: 26 Nov 2013
Posts: 94

Vitor wrote:
jim wrote:
We haven't configured the security exits and SSLPEER value.


Well, you don't need a security exit for this, but how are you expecting the queue manager to check if the DN on the sending side is acceptable without an SSLPEER value?

jim wrote:
SSL config
1 Creating the Java keystore
2 Create a certificate request
3 Sign the application’s certificate
4 Receive the signed certificate
JKS file is configured at application side


I don't see anything here about the queue manager.

jim wrote:
On channel SSLCIPH value is configured.


I'm assuming you mean a SVRCONN channel? Because you said "can connect to any queue manager" in your original post? How did you arrive at the conclusion that SSLCIPH would help you or was even needed?


Yes, for SVRCONN channel.

On queue manager I have not set anything on the qmgr. We will set SSLKEYR attribute when we will be using the qmgr to qmgr communication and for C program.


Vitor
Posted: Thu Sep 25, 2014 10:34 am    Post subject: Re: How SSL .jks work

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jim wrote:
On queue manager I have not set anything on the qmgr.


Ok, so you've not configured the queue manager nor (from what you've posted here) populated the queue manager's key store, and yet you expect this to be working?

jim wrote:
We will set SSLKEYR attribute when we will be using the qmgr to qmgr communication and for C program.


Interesting points in this statement:

- You've stopped talking about the application on the SVRCONN channel with the JKS (If you're using a Java Key Store with the C program you've just mentioned I don't want to know how or why!)

- You're apparently using MQTT for queue manager to queue manager communication as SSLKEYR is only valid for that, and isn't an allowable parameter on a sender or receiver channel

- You've not said how you came to the conclusion you needed SSLCIPH not SSLPEER

Read the link I gave. Understand how this works. Complete all the configuration steps. Post back here if it still doesn't work.
_________________
Honesty is the best policy.
Insanity is the best defence.
JosephGramig
Posted: Thu Sep 25, 2014 10:56 am

Grand Master

Joined: 09 Feb 2006
Posts: 1237
Location: Gold Coast of Florida, USA

First you need to understand MQ's PKI infrastructure requirements.

  1. The Server has to have a PKI infrastructure (MQ, http or whatever is the server)
    1. In this case, the Qmgr is the server and the Qmgr requires one and only one key store of the type CMS (that means the file ends in .kdb). The Qmgr also requires the password to the key store be in a stash file.
    2. The key store must contain the Qmgr's private key (created when you make a Certificate Signing Request with this key store)
    3. The key store must receive a signed CSR (this is the Qmgr public cert) that matches the private key, but before you receive it
    4. You must add the CA's public cert to the Qmgr's key store
  2. The Client has to have a PKI infrastructure (Java needs JKS and all others are CMS), you indicate a need for JKS and so I will only talk about that
    1. In this case, The Client is Java and Java requires
      1. One key store (the file ends with .jks), which contains
        1. Client private key
        2. CA that signed client private key
      2. One trust store (the file ends with .jks), which contains
        1. CA that signed the Qmgr's cert

    2. Set the Client's SSLPEER to DN values of the Qmgr's cert DN
    3. Set the Qmgr's SSLPEER to DN values of the Client's cert DN
  3. What is an Internal CA? you say... Nothing more than a key store with a self signed cert you use to sign Certificate Signing Requests


Last edited by JosephGramig on Tue Sep 30, 2014 8:22 am; edited 1 time in total
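
As an added illustration (not part of the original posts, and not the posters' or IBM's own configuration), the MQSC below shows the queue manager side of the setup discussed in this thread: a SVRCONN channel that only sets SSLCIPH, next to one that also requires a client certificate and checks its DN with SSLPEER. The queue manager name QM1, the channel name APP.SVRCONN, the key repository path, the CipherSpec choice and the DN values are assumptions.

```mqsc
* Added example. QM1, APP.SVRCONN, the path and the DN are constructed
* placeholders; run with: runmqsc QM1 < this_file

* Point the queue manager at its CMS key repository. The value is the
* path plus file stem WITHOUT the .kdb suffix; the stash file (key.sth)
* must sit next to key.kdb.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

* --- Weak form -------------------------------------------------------
* SSLCIPH alone only turns encryption on for the channel.
* SSLCAUTH(OPTIONAL) lets a client connect without presenting any
* certificate, and a blank SSLPEER means no DN check is made on a
* certificate that is presented.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(OPTIONAL) +
       SSLPEER(' ') +
       REPLACE

* --- Hardened form (replaces the definition above) --------------------
* SSLCAUTH(REQUIRED): the client must present a certificate that
* chains to a CA certificate held in the queue manager's key repository.
* SSLPEER: the subject DN of that certificate must also match this
* filter, so holding some other certificate from the same CA is not
* enough to use this channel.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app1,OU=Payments,O=Example') +
       REPLACE

* Make the queue manager re-read the key repository after certificates
* have been added or the SSLKEYR value has changed.
REFRESH SECURITY TYPE(SSL)

* Check: once the Java client is connected, this shows the DN the
* queue manager actually saw on the client's certificate.
DISPLAY CHSTATUS('APP.SVRCONN') SSLPEER
```

With the hardened definition in place, a client presenting a certificate whose DN does not match the SSLPEER filter is refused at channel start, and the refusal is recorded in the queue manager's error logs.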
JosephGramig
Posted: Thu Sep 25, 2014 11:00 am

Grand Master

Joined: 09 Feb 2006
Posts: 1237
Location: Gold Coast of Florida, USA

Also, note that I left out a whole lot of specifics... You must read the KC section pointed out to you before you will be successful.

Better yet, why not explain exactly what you want to connect with SSL first. That way we can tailor our questions/responses.