| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| New in MQ 8.0.0.4 mqcertck |
« View previous topic :: View next topic » |
| Author |
Message
|
| fjb_saper |
 Posted: Wed Mar 23, 2016 5:47 am Post subject: New in MQ 8.0.0.4 mqcertck |
 |
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You will want to read about this https://www.ibm.com/developerworks/community/blogs/messaging/entry/Verifying_your_Queue_Managers_SSL_Configuration_with_MQCERTCK?lang=en
| Quote: |
Verifying Queue Managers SSL Configuration with MQCERTCK.
MQCERTCK is the updated version of the MH03 SupportPac that is now included in MQ as of version 8.0.0.4. MQCERTCK is a tool to look for common mistakes in your Queue Manager’s SSL configuration and provides recommendations for resolving problems |
I think the only thing missing here is a way to run it only as client...
I.E. you can still give the remote qmgr's info but not have to run it on the same box as the qmgr....
_________________
MQ & Broker admin
Last edited by fjb_saper on Wed Mar 30, 2016 11:21 pm; edited 1 time in total |
|
| Back to top |
|
 |
| zpat |
| Posted: Wed Mar 23, 2016 10:57 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Hard to see how that could work, the support pac version used to access the keystore of the QM and take a look around. Not possible over a MQ client connection.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Mar 24, 2016 4:54 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| zpat wrote: |
| Hard to see how that could work, the support pac version used to access the keystore of the QM and take a look around. Not possible over a MQ client connection. |
No but accessing the channel should return the cert currently used by the qmgr for said channel... so checking this against what is set up in the client store should at least check for one side of the equation.
The second part is more difficult because it assumes you have the client's public cert chain and only need to check that the signer chain is also in the qmgr's truststore. Of course the next step is to also check the channel's setup for SSL PEER values match, and possibly the chlauth for ISSUER values match... so yes for a thorough and full check you need to do it on the server with the store for the client being available...
In the absence of a CCDT you won't be able to check the client side SSL PEER. (Java / JMS / or hard coded) setup... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Mar 29, 2016 12:21 am Post subject: Re: New in MQ 8.0.0.4 mqcertck |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Mar 30, 2016 11:22 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Thanks Morag. So done.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
