MQMB&WAS |
Posted: Tue Aug 11, 2020 6:59 pm Post subject: cert details of a partner |
|
|
Centurion
Joined: 12 Jun 2016 Posts: 130
|
Hello experts,
I need to check the details of ssl certs like the serial number, expiry, DN.. of the certs belonging to all the remote qmgrs that my qmgr is communicating with ssl.
How do I do this with the runmqakm commands? The commands I've tried so far are only displaying me the details of our own cert.
Appreciate if you could help.
Thanks |
hughson |
Posted: Tue Aug 11, 2020 8:56 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
If you have set up your certificates as CA signed certificates, then I would not expect that your partner's certificates would be in your key repository. You have no need for them to be, only the CA certificate which signed them needs to be in YOUR key repository.
If you only need to check details like the serial number and DN you can see that when the channel from the partner is running by using the following command:
Code:
DISPLAY CHSTATUS(channel-name) SSLPEER
Finding out the expiry will probably require a conversation with the administrator of the partner queue manager.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
MQMB&WAS |
Posted: Tue Aug 11, 2020 9:12 pm Post subject: |
|
|
Centurion
Joined: 12 Jun 2016 Posts: 130
|
Thanks for your response, Morag.
Our sender channel to our partner isn't working and in the errors it's throwing ssl errors with the details of the partners' certs like CN, serial number.....
My goal is to check if their certs exist in our kdb. How do I check this?
Thanks for your time. |
hughson |
Posted: Tue Aug 11, 2020 9:38 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
MQMB&WAS wrote: |
My goal is to check if their certs exist in our kdb. How do I check this? |
Well it sounds like you have already discovered that the certs DO NOT exist in your KDB. But for the avoidance of doubt, to list ALL the certs in your KDB, try this command.
Code:
runmqakm -cert -list all -db key.kdb -stashed
Then to show the details of a particular cert, try this command.
Code:
runmqakm -cert -details -label CertLabelFromAboveCommand -db key.kdb -stashed
Are you sure the certs are SUPPOSED to be in your KDB?
MQMB&WAS wrote: |
Our sender channel to our partner isn't working and in the errors it's throwing ssl errors with the details of the partners' certs like CN, serial number..... |
Could you show us an example of the error please?
Cheers,
Morag
MQMB&WAS |
Posted: Thu Aug 13, 2020 10:49 am Post subject: |
|
|
Centurion
Joined: 12 Jun 2016 Posts: 130
|
Hello Morag,
The issue was with our partner qmgr. Their certs expired and they had to renew.
My questions: When the partner renews their personal certs, don't we have to add their new root/intermediate certs to our kdb?? in this case, they didn't send us any but the channel started working after they renewed/installed at their end.
another question: so from what I understand, there's no way for us to find out the expiry details of partners' certs just by looking at our kdb file. is this correct?
q3: how to display the details of the partner's root/intermediate cert details from our kdb??
Appreciate your time. |
tczielke |
Posted: Thu Aug 13, 2020 11:30 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
Vitor |
Posted: Thu Aug 13, 2020 11:38 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
MQMB&WAS wrote: |
My questions: When the partner renews their personal certs, don't we have to add their new root/intermediate certs to our kdb?? in this case, they didn't send us any but the channel started working after they renewed/installed at their end. |
Not if they renewed with the same provider. You would have got a certificate signed by a root and intermediate cert chain you already trusted. _________________ Honesty is the best policy.
Insanity is the best defence. |
jon.austen |
Posted: Thu Aug 13, 2020 12:27 pm Post subject: |
|
|
Newbie
Joined: 03 Aug 2020 Posts: 9
|
hughson |
Posted: Thu Aug 13, 2020 8:02 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
MQMB&WAS wrote: |
My questions: When the partner renews their personal certs, don't we have to add their new root/intermediate certs to our kdb?? in this case, they didn't send us any but the channel started working after they renewed/installed at their end. |
As @Vitor says, not if they renewed their certificate with the same CA. The verification would continue to work with the CA certificates you had from the previous certificate.
MQMB&WAS wrote: |
another question: so from what I understand, there's no way for us to find out the expiry details of partners' certs just by looking at our kdb file. is this correct? |
This is correct.
MQMB&WAS wrote: |
q3: how to display the details of the partner's root/intermediate cert details from our kdb?? |
Issue this command:-
Code:
DISPLAY CHSTATUS(chl-name) SSLCERTI
to see the Issuer DN for that connection (SSLPEER attribute for the Subject's DN), then look for that DN in your KDB.
Cheers,
Morag
fjb_saper |
Posted: Fri Aug 14, 2020 5:00 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
hughson wrote: |
MQMB&WAS wrote: |
q3: how to display the details of the partner's root/intermediate cert details from our kdb?? |
Issue this command:-
Code:
DISPLAY CHSTATUS(chl-name) SSLCERTI
to see the Issuer DN for that connection (SSLPEER attribute for the Subject's DN), then look for that DN in your KDB.
Cheers,
Morag |
Not quite. If you're looking for your partner's DN and intermediary run
Code:
dis chs(chl-name) sslpeer sslcerti
The SSLPEER field will show the partner's DN and possibly cert id number and the SSLCERTI will show the information about the next signer cert in the chain.  _________________ MQ & Broker admin |
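
The check this thread arrives at (take the Issuer DN from SSLCERTI, then look for a signer with that Subject in the KDB), as an added shell example that is not part of any poster's reply. Both sample outputs are constructed, and the helper names `chs_attr` and `find_signer` and the `Label :` / `Subject :` / `Not After :` layout assumed for `runmqakm -cert -details` output are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names and both sample outputs are constructed, not from the thread.

# Pull one attribute value, e.g. SSLCERTI(...), out of DISPLAY CHSTATUS output.
# Assumes the attribute is the last thing on its output line.
chs_attr() {   # $1 = attribute name, $2 = MQSC output text
    printf '%s\n' "$2" | sed -n "s/.*$1(\(.*\))[[:space:]]*\$/\1/p" | head -n 1
}

# Find the KDB entry whose Subject equals the given issuer DN.
# $1 = issuer DN, $2 = concatenated `runmqakm -cert -details` output (assumed layout).
# Prints "label|Not After" for the match; returns 1 when no entry matches.
# The date printed is the signer's expiry, not the partner certificate's.
find_signer() {
    printf '%s\n' "$2" | awk -v want="$1" '
        # Case-fold, drop quotes and spaces around "," and "=" (naive: no escaped commas).
        function norm(s) {
            s = tolower(s); gsub(/"/, "", s)
            gsub(/[ \t]*,[ \t]*/, ",", s); gsub(/[ \t]*=[ \t]*/, "=", s)
            sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
            return s
        }
        function value(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
        /^[ \t]*Label[ \t]*:/     { label = value($0); hit = 0 }
        /^[ \t]*Subject[ \t]*:/   { hit = (norm(value($0)) == norm(want)) }
        /^[ \t]*Not After[ \t]*:/ { if (hit) { print label "|" value($0); found = 1 } }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: output of  DISPLAY CHSTATUS(TO.PARTNER) SSLPEER SSLCERTI
CHS_SAMPLE='AMQ8417I: Display Channel Status details.
   CHANNEL(TO.PARTNER)                     CHLTYPE(SDR)
   SSLCERTI(CN=Example Issuing CA,O=Example Org,C=US)
   SSLPEER(SERIALNUMBER=4A:1F:09,CN=partnerqm,O=Partner Corp,C=US)
   STATUS(RUNNING)'

# Constructed sample: `runmqakm -cert -details` output for two signer entries
KDB_SAMPLE='Label : example-root
Subject : "CN=Example Root CA, O=Example Org, C=US"
Not After : January 1, 2035 12:00:00 AM GMT
Label : example-issuing
Subject : "CN=Example Issuing CA, O=Example Org, C=US"
Not After : June 30, 2027 11:59:59 PM GMT'

issuer=$(chs_attr SSLCERTI "$CHS_SAMPLE")
find_signer "$issuer" "$KDB_SAMPLE" || echo "no KDB entry with Subject: $issuer"
```
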