PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Fri Aug 18, 2017 1:16 pm
Post subject: Can runmqckm convert from PKCS12 to jks
I have been using runmqckm for managing my keystore / truststores. But I have hit a bit of a roadblock with a new scenario for me.
The application needs to use a keystore of type jks.
Our internal Certificate Authority is giving me a PKCS12 file.
I have found commands to accomplish this using keytool, using the -importkeystore option and telling keytool what the source and destination formats should be, PKCS12 and jks, respectively.
OK, if keytool can do it, then runmqckm can do it, right? I can keep using runmqckm.
But, according to the Knowledge Center, apparently not.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083840_.htm
The -keydb -convert section only lists "cms" as an option for the -new_format parameter.
Is it true that runmqckm can only convert to cms? Or is it a gap in the doc and it can convert to jks as well? (I am not anywhere I can try myself just now, but was researching and very curious.)
_________________
Peter Potkay
Keep Calm and MQ On

tczielke (Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA)
Posted: Fri Aug 18, 2017 8:59 pm
I don't think runmqakm/runmqckm can do this, but maybe I am wrong. I never could find it in the doc. I use the iKeyman GUI instead, which can take a .p12 file and create a JKS or JCEKS. From what I have read, a JCEKS is more secure than a JKS. Also, runmqakm (C) blows the pants off of runmqckm (Java) from a performance standpoint.
_________________
Working with MQ since 2010.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Sat Aug 19, 2017 2:24 am
tczielke wrote:
    I don't think runmqakm/runmqckm can do this, but maybe I am wrong. I never could find it in the doc. I use the iKeyman GUI instead, which can take a .p12 file and create a JKS or JCEKS. From what I have read, a JCEKS is more secure than a JKS. Also, runmqakm (C) blows the pants off of runmqckm (Java) from a performance standpoint.

The only trouble being that runmqakm cannot translate to jks but runmqckm can...
_________________
MQ & Broker admin

tczielke (Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA)
Posted: Sat Aug 19, 2017 4:59 am
Do you know the command syntax for doing that for runmqckm? I don't see it documented in the manual, but this wouldn't be the first time functionality is available that is not documented for MQ commands.
_________________
Working with MQ since 2010.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Sat Aug 19, 2017 9:14 am
tczielke wrote:
    Do you know the command syntax for doing that for runmqckm? I don't see it documented in the manual, but this wouldn't be the first time functionality is available that is not documented for MQ commands.

Code:
    runmqckm -keydb -convert -db abc.p12 -target abc.jks -old_format p12 -new_format jks

Have fun
_________________
MQ & Broker admin

PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Sun Aug 20, 2017 4:08 pm
fjb_saper wrote:
    tczielke wrote:
        Do you know the command syntax for doing that for runmqckm? I don't see it documented in the manual, but this wouldn't be the first time functionality is available that is not documented for MQ commands.

    Code:
        runmqckm -keydb -convert -db abc.p12 -target abc.jks -old_format p12 -new_format jks

I will try this when I get to my workstation.
If the Knowledge Center is correct, it should balk that "jks" is not a valid option for -new_format.
If it works, PMR time to confirm it's correct behavior I can count on and to get the doc updated.
_________________
Peter Potkay
Keep Calm and MQ On

PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Tue Aug 22, 2017 1:07 pm
Well.
You can submit jks as a destination format.
But it does not work.
When I switched to keytool, everything started to work. When I switched back to runmqckm,
_________________
Peter Potkay
Keep Calm and MQ On

PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Tue Aug 22, 2017 1:09 pm
The keystore produced by this command works like a charm:

Code:
    keytool -importkeystore -srckeystore TheFileFromOurCA.pfx -srcstoretype pkcs12 -srcalias MyAliasLabel -destkeystore keytoolkeystore.jks -deststoretype jks -deststorepass DaPasswordHere -destalias MyAliasLabel

The keystore produced by this command makes me sad; it does not make for a happy app:

Code:
    runmqckm -keydb -convert -db TheFileFromOurCA.pfx -pw DaPasswordHere -target mqkeystore.jks -old_format pkcs12 -new_format jks

mqkeystore.jks byte count is 7440
keytoolkeystore.jks byte count is 5124

The runmqckm method is adding extra stuff in there apparently, and that stuff makes the app not work.
_________________
Peter Potkay
Keep Calm and MQ On

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Aug 22, 2017 4:53 pm
Are you sure that -old_format should be pkcs12 and not something like "pfx"?
(I have no idea, myself.)
_________________
chmod -R ugo-wx /

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Aug 22, 2017 6:45 pm
You should be able to inspect both output files and see what the difference is.
It's gotta be that some of the stuff brought over is possibly different? Not the same DN on a cert??
I was going to say: can you quantify "does not work"? Like, what are the certs in the 2 jks key stores? Any differences?
_________________
MQ & Broker admin
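The byte counts quoted earlier in the thread (7440 vs 5124) and the suggestion above to inspect both output files point at the same question: which entries, and how many certificates per entry, each tool wrote into the JKS. The script below is an added example, not code from this thread or from IBM MQ or the JDK, that enumerates JKS entries without keytool and diffs two stores per alias. It assumes the on-disk layout Java's JavaKeyStore writes (magic 0xFEEDFEED, version 2, entries tagged 1 for a private key plus chain or 2 for a trusted certificate, and a trailing SHA-1 digest keyed with the store password and the fixed string "Mighty Aphrodite"); the aliases, key and certificate bytes in the sample stores are constructed placeholders, not real material. It never decrypts the protected private key and does not decode X.509.

```python
"""Enumerate and compare JKS entries without keytool (added example, see lead-in).

Assumes the JavaKeyStore layout: magic 0xFEEDFEED, version 2, entry count,
entries tagged 1 (private key + chain) or 2 (trusted cert), then a SHA-1 digest
keyed with the password and the fixed string "Mighty Aphrodite". Certificates
stay opaque DER blobs; nothing here decodes X.509 or decrypts the private key.
"""
import hashlib
import struct

MAGIC, VERSION, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 2, 1, 2
DIGEST_SALT = b"Mighty Aphrodite"

def _utf(s):  # Java writeUTF: 2-byte length + UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _blob(b):  # 4-byte length prefix + raw bytes
    return struct.pack(">I", len(b)) + b

def _digest(password, body):  # integrity digest over the whole store body
    return hashlib.sha1(password.encode("utf-16-be") + DIGEST_SALT + body).digest()

def build_jks(entries, password, timestamp_ms=0):
    """Entries are dicts: alias, type, key (tag 1 only), certs (list of DER bytes)."""
    out = struct.pack(">III", MAGIC, VERSION, len(entries))
    for e in entries:
        out += struct.pack(">I", e["type"]) + _utf(e["alias"]) + struct.pack(">q", timestamp_ms)
        if e["type"] == PRIVATE_KEY:
            out += _blob(e["key"]) + struct.pack(">I", len(e["certs"]))
            out += b"".join(_utf("X.509") + _blob(der) for der in e["certs"])
        elif e["type"] == TRUSTED_CERT:
            out += _utf("X.509") + _blob(e["certs"][0])
        else:
            raise ValueError("unknown entry type %r" % e["type"])
    return out + _digest(password, out)

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):  # bounds-checked slice, so a truncated file fails loudly
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

def parse_jks(data, password=None):
    """Return the entry list and, when a password is given, whether the digest verifies."""
    r = _Reader(data)
    if r.u32() != MAGIC:
        raise ValueError("not a JKS file (bad magic)")
    version = r.u32()
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(r.u32()):
        tag, alias, ts = r.u32(), r.utf(), struct.unpack(">q", r.take(8))[0]
        if tag == PRIVATE_KEY:
            key_len = len(r.take(r.u32()))  # encrypted key; read past it, never decrypted
            chain = []
            for _ in range(r.u32()):
                if version == 2:
                    r.utf()  # certificate type string, "X.509"
                chain.append(r.take(r.u32()))
        elif tag == TRUSTED_CERT:
            key_len = 0
            if version == 2:
                r.utf()
            chain = [r.take(r.u32())]
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append({"alias": alias, "timestamp_ms": ts, "protected_key_len": key_len,
                        "type": "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry",
                        "chain_len": len(chain), "cert_bytes": sum(map(len, chain))})
    body, stored = data[:r.pos], r.take(20)
    if r.pos != len(data):
        raise ValueError("trailing bytes after digest")
    return {"version": version, "entries": entries,
            "digest_ok": None if password is None else _digest(password, body) == stored}

def diff_keystores(a, b):
    """Per-alias comparison of two JKS byte strings: added, dropped or changed entries."""
    ea = {e["alias"]: (e["type"], e["chain_len"]) for e in parse_jks(a)["entries"]}
    eb = {e["alias"]: (e["type"], e["chain_len"]) for e in parse_jks(b)["entries"]}
    return {"size_delta": len(b) - len(a), "only_in_a": sorted(set(ea) - set(eb)),
            "only_in_b": sorted(set(eb) - set(ea)),
            "changed": sorted(k for k in set(ea) & set(eb) if ea[k] != eb[k])}

# Constructed sample stores with fake DER blobs (not real certificates): A holds one
# private key with a bare leaf; B holds the same alias with a full chain plus a
# separate trusted-CA entry, a difference a byte count alone would not explain.
_LEAF, _INTER, _ROOT = (b"\x30\x82\x01\x00" + c * n for c, n in ((b"L", 120), (b"I", 200), (b"R", 180)))
_KEY = b"\x30\x81\x00" + b"K" * 64
STORE_A = build_jks([{"alias": "myaliaslabel", "type": PRIVATE_KEY, "key": _KEY, "certs": [_LEAF]}], "changeit")
STORE_B = build_jks([{"alias": "myaliaslabel", "type": PRIVATE_KEY, "key": _KEY, "certs": [_LEAF, _INTER, _ROOT]},
                     {"alias": "ourca", "type": TRUSTED_CERT, "certs": [_ROOT]}], "changeit")
```

To run it against two real stores, read each file with `open(path, "rb").read()` and pass the bytes to `parse_jks(data, password)` and `diff_keystores(a, b)`; `digest_ok` tells you whether the store password matches and the file is intact, and the per-alias chain lengths and trusted-cert entries show what one tool brought over that the other did not. `keytool -list -v` reports the same entry information; the point of doing it in code is to diff the two stores mechanically rather than by eye.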