ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportSSL CSR Generation

Post new topicReply to topic
SSL CSR Generation View previous topic :: View next topic
Author Message
smeunier
PostPosted: Wed Mar 15, 2017 11:11 am Post subject: SSL CSR Generation Reply with quote

Master

Joined: 19 Aug 2002
Posts: 256

I'm preparing to stand up some new servers, which have known domain assignments reserved for them. The hardware is not built yet, so MQ does not exist on them yet, obviously. I wan to get a head start on ordering the SSL CA certificates so that I will have them in hand when the new hardware is built and MQ is installed.

My question is: Can I generate a CSR from any MQ server using GSKit version 8 as long as the request has all the information in the request that is relevant to the new server(CN,O, etc). It seems that the generation of a CSR is not really dependent on server information, but rather than the information that is supplied in the CSR itself. When I receive the CA back, I figured I could either create a new keydb that I created on a tmp directory and then move that keydb to the new server when the time comes, or install it on the new servers keydb.

Is there any issue with doing this(create a CSR on one server and use the results on another server)?

I don't want to generate request from on server that can't be used on another.
Back to top
View user's profile Send private message Send e-mail Yahoo Messenger
exerk
PostPosted: Wed Mar 15, 2017 11:44 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5590

No problem at all, provided the relevant security department doesn't have any objection to you shipping keys around the network...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
zpat
PostPosted: Thu Mar 16, 2017 1:51 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5360
Location: UK

Make your life easy.

Launch ikeyman GUI on your PC (comes with MQ installation).

Create a CMS keystore (stash password) or open one copied from somewhere else.

Create a CSR (see the menu options) - submit ARM file to the CA.
When you get the cert, import it as a personal certificate.
Add any signers you want.

Copy the keystore (binary mode FTP) to the server.

I suggest you keep all your keystores in a master LAN location, so you can recover from losing them on the server. Keep a note of passwords, expiry dates etc.

If you find ikeyman incredibly slow - then temporarily put the keystore on your C drive and it will magically speed up. For some reason working on a LAN drive makes ikeyman sluggish.

ikeyman can do JKS and other keystore formats (e.g. for use with IIB).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Mar 16, 2017 2:30 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5590

zpat wrote:
...Keep a note of passwords...

Or unstash it when necessary
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
smeunier
PostPosted: Fri Mar 17, 2017 5:55 am Post subject: Reply with quote

Master

Joined: 19 Aug 2002
Posts: 256

Thanks for all the feedback on this. I had access to a new MQ build on Linux and created a directory under SSL directory and creates a
kdb for each qmgr I'm generating a CSR for. I'll use this as my ssl build until the real servers are in place, then port the kdb to each server.
Back to top
View user's profile Send private message Send e-mail Yahoo Messenger
zpat
PostPosted: Fri Mar 17, 2017 8:48 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5360
Location: UK

Just to be clear.

You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu).

You can also run command line tools on windows.

Probably a good idea to name the keystores to include the QM name, as the default name of key is too easy to mix up.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
smeunier
PostPosted: Fri Mar 17, 2017 10:15 am Post subject: Reply with quote

Master

Joined: 19 Aug 2002
Posts: 256

Quote:


You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu).


Understood. Except I didn't/don't have a MQ instance on my Laptop
Back to top
View user's profile Send private message Send e-mail Yahoo Messenger
mqjeff
PostPosted: Fri Mar 17, 2017 10:32 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17059

You can install ikman with a client, I think.

You can also just use openssl.
_________________
Read, Think, Try, Repeat
Back to top
View user's profile Send private message
zpat
PostPosted: Sun Mar 19, 2017 11:32 pm Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5360
Location: UK

smeunier wrote:
Quote:


You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu).


Understood. Except I didn't/don't have a MQ instance on my Laptop


Install MQ client at least. Do yourself a favour and get some good MQ tools.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportSSL CSR Generation
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.