Author |
Message
|
dooma_paapu |
Posted: Sat Dec 01, 2012 8:40 am Post subject: jks to kdb |
|
|
Newbie
Joined: 30 Nov 2012 Posts: 4
|
Hello
Apologies if this has already been addressed.
We currently have a working impl using SSL which uses Java MQ on the client (using JKS). We are planning to upgrade to MQI (C based API), which uses a KDB store. What are the steps involved in converting from JKS to KDB?
To start off I tried using the ibm gskit, gsk7cmd convert which did not work. Then I tried the following approach:
1. List all certs in jks
2. Create a new kdb store using gsk7cmd create, and delete all the default CA certs that were created.
3. Import all certs from jks to kdb (including private)
Try to establish conn, I've changed the mqi client to use cipherspec instead of ciphersuite, and provided the approp keyrepo location
I am now seeing mqrc_ssl_initialization_error(2393) - would someone have some pointers, most importantly as to what needs to be done when such keystore type conv are required.
Thanks for your help |
fjb_saper |
Posted: Sat Dec 01, 2012 11:45 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
define "gskit conversion did not work?"
Did you try using the UI of the keymanager for the conversion?
 _________________ MQ & Broker admin |
bruce2359 |
Posted: Sat Dec 01, 2012 11:51 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Exactly what gsk7cmd convert command did you issue? What was the response from the command? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
dooma_paapu |
Posted: Sun Dec 02, 2012 9:30 am Post subject: |
|
|
Newbie
Joined: 30 Nov 2012 Posts: 4
|
@fjb_saper|bruce2359 Here is the command, the error is not very intuitive
bash-3.2$ gsk7cmd -keydb -convert -db sumito.jks -pw sumito -old_format jks -new_format cms
An error occurred while inserting keys to the database.
No, I haven't tried the UI, I believe you're referring to iKeyman?
Here is the gskit ver:
bash-3.2$ echo $JAVA_HOME
/opt/mqm/ssl/jre
bash-3.2$ gsk7cmd -version
IBM Key Management
Version : 7.0.4.29
Copyright IBM Corp. 1997 - 2006
All Rights Reserved |
bruce2359 |
Posted: Sun Dec 02, 2012 12:08 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Did you search Google for 'gsk7cmd An error occurred while inserting keys to the database'?
What did you find? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
dooma_paapu |
Posted: Sun Dec 02, 2012 2:02 pm Post subject: |
|
|
Newbie
Joined: 30 Nov 2012 Posts: 4
|
Yes of course. I've checked and have not seen anything meaningful. That generic error can mean anything - I see suggestions from updating the gsk dist, and some alluding to expired certs. I've listed out the details of the jks store, and they're all valid.
BTW I am able to use the jks as is, with the java client and it works just fine.
Can you point out to any docs that list out the ks conversion process - IBM docs are all over the place. Thx for your help. |
fjb_saper |
Posted: Sun Dec 02, 2012 7:06 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
usually conversions go much easier using ikeyman...  _________________ MQ & Broker admin |
dooma_paapu |
Posted: Sun Dec 02, 2012 7:55 pm Post subject: |
|
|
Newbie
Joined: 30 Nov 2012 Posts: 4
|
Thx, I will try my hand at ikeyman tomorrow - I was hoping the cmd line utility would've worked
I guess with iKeyman there is no concept of conversion, but instead import (individual certs)? Also the gsk7cmd keydb create creates a bloated kdb store - how do you ensure that all those default CA certs are not created |
fjb_saper |
Posted: Sun Dec 02, 2012 11:02 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
dooma_paapu wrote: |
Thx, I will try my hand at ikeyman tomorrow - I was hoping the cmd line utility would've worked
I guess with iKeyman there is no concept of conversion, but instead import (individual certs)? Also the gsk7cmd keydb create creates a bloated kdb store - how do you ensure that all those default CA certs are not created |
There is a conversion. I believe (from memory) it is the third or fourth button on top...(looks like a save button)  _________________ MQ & Broker admin |
exerk |
Posted: Mon Dec 03, 2012 12:33 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
dooma_paapu wrote: |
how do you ensure that all those default ca certs are not created |
Use the latest version, as distributed with WMQ V7.5, which now creates 'empty' key stores. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
zpat |
Posted: Tue Dec 04, 2012 1:52 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
exerk wrote: |
dooma_paapu wrote: |
how do you ensure that all those default ca certs are not created |
Use the latest version, as distributed with WMQ V7.5, which now creates 'empty' key stores. |
Does it also create populated ones? |
exerk |
Posted: Tue Dec 04, 2012 2:04 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
zpat wrote: |
exerk wrote: |
dooma_paapu wrote: |
how do you ensure that all those default ca certs are not created |
Use the latest version, as distributed with WMQ V7.5, which now creates 'empty' key stores. |
Does it also create populated ones? |
Not that I've seen, but why would you want it to? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
pratheep85 |
Posted: Thu Oct 09, 2014 10:12 am Post subject: Need Help |
|
|
Newbie
Joined: 09 Oct 2014 Posts: 1
|
Hi dooma_paapu,
Did you figure out how to convert JKS to KDB? I'm struggling with a similar issue.
I used the iKeyman tool, and while importing the JKS to KDB, it throws an error for one of the certificates, that it has already been added to the key database file. |
JosephGramig |
Posted: Thu Oct 09, 2014 11:49 am Post subject: Re: Need Help |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
pratheep85 wrote: |
Hi dooma_paapu,
Did you figure out how to convert JKS to KDB? I'm struggling with a similar issue.
I used the iKeyman tool, and while importing the JKS to KDB, it throws an error for one of the certificates, that it has already been added to the key database file. |
What OS? What version of MQ?
You could:
- Export your personal key as PKCS12 (*.pfx)
- Extract the CAs you need
- Create a CMS (*.kdb) keystore (don't forget to create a stash file)
- Import your personal key (you get a chance to change the label, and it matters < MQ V8)
- Add only the CAs you need
|
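Added example (not part of the thread and not any poster's code): a pre-flight check of the converted CMS key repository, covering the points the last reply raises (stash file, label) before the MQI client is pointed at it. The function names are hypothetical; it assumes the usual MQ conventions that the client is given the repository path as the file stem without `.kdb`, that the stash file is `<stem>.sth`, and that a pre-V8 client looks for its certificate under `ibmwebspheremq` followed by the lower-cased user ID.

```shell
#!/bin/sh
# Added example: sanity-check a CMS key repository for an MQI client.
# Usage: sh check_keyrepo.sh /path/to/key   (stem, no .kdb suffix)

# Label a pre-V8 MQ client looks up: "ibmwebspheremq" + lower-cased user ID
# (assumed convention, not stated in the thread).
expected_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Prints one finding per line; returns 0 only when there are no findings.
check_keyrepo() {
    stem=$1
    rc=0
    case $stem in
        *.kdb)
            echo "stem-has-suffix: give the path without .kdb"
            rc=1
            stem=${stem%.kdb} ;;
    esac
    # Both the key database and its stash file must exist and be readable
    # by the user the client runs as.
    for ext in kdb sth; do
        f=$stem.$ext
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif [ ! -r "$f" ]; then
            echo "unreadable: $f"; rc=1
        fi
    done
    # The stash file unlocks the private key: flag any access for "other".
    if [ -f "$stem.sth" ]; then
        other=$(ls -l "$stem.sth" | cut -c8-10)
        [ "$other" = "---" ] || { echo "world-access: $stem.sth ($other)"; rc=1; }
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    if check_keyrepo "$1"; then
        echo "ok; label to look for: $(expected_label "$(id -un)")"
    fi
fi
```

The label printed on success still has to be compared by hand against the certificate list of the `.kdb`; the script does not open the key database itself.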