Two way QMGR SSL Configuration_ Need clarification .pem file
ashokt
Posted: Tue Nov 29, 2022 2:35 am

Novice

Joined: 09 Oct 2022
Posts: 18

Hi Guys,

Need clarification about .pem file. We have a requirement for two-way QMGR SSL CA. We've received a rootCA.pem file from the destination side.

What we did from our side:

We've used the ikeyman tool for certs.

-> We've created the key database file.
-> Created certreq from the ikeyman tool, and the file was generated in certreq.arm file format.
-> Then we sent it to the respective team for the certificate.
-> Received the certs from the respective department.
-> Validated the certs in our key database file by using the ikeyman tool and the receive option, and validation was successful.
-> Then extracted the certificate, which automatically generated an .arm file, which we need to send to the destination side.

Kindly clarify: as I said earlier, I received a rootCA.pem file from the destination QMGR side. Can we consider this file as the extracted cert from the destination side (like the .arm file which we've extracted)? I am a bit confused between the .pem file and the .arm file. I am generally aware of the .arm file, but not much aware of the .pem file.

Kindly help me out.

Regards,
Ashok
exerk
Posted: Wed Nov 30, 2022 10:26 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

PEM format is basically ASCII-encoded text, as opposed to binary-encoded.

This is the process I usually follow:

1. Create a key store.
2. Add the commercial CA certificates from my certificate provider into the key store, and inform whoever owns the other queue manager of the name of the commercial CA you use, and the names of the certificates.
3. Add the commercial CA certificates from the certificate provider of the other queue manager into the key store (see notes below).
4. Generate a certificate request (arm file) in the key store.
5. Send the certificate request to the commercial CA, or the team that will do it for me.
6. Receive the signed certificate into the key store.
7. Ensure the queue manager SSLKEYR and CERTLABL attributes match those of the key store and queue manager personal certificate label.
8. Refresh SSL security in the queue manager, and test.

NOTES:
a. The owner of the other queue manager does NOT need a copy of your queue manager's personal certificate, nor do you need a copy of theirs!
b. Ensure you have the full chain of CA certificates in your key store, i.e., the root CA certificate and any intermediate CA certificates, for any certificates that will be checked by your queue manager - if you are unsure, interrogate the queue manager personal certificate to see which level of CA certificate signed it, then interrogate that CA certificate to see what signed that, and so on.
c. DO NOT, EVER, accept commercial CA certificates sent from other organisations, always download them from the providers, e.g., if an organisation informs you they use VeriSign, get the requisite certificates from VeriSign! You cannot guarantee the provenance of user-supplied certificates.
d. Try not to use other organisations' internal CA certificates, i.e., if they do not wish to use a commercial CA, or want to use self-signed certificates. If you have no other choice, make sure that information is contained in a risk register.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
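
An added example, not part of the original posts and not IBM tooling: a file's extension (.pem or .arm) does not say what it holds, but the armor label does, and the SHA-256 of the decoded bytes is what you compare against the fingerprint the CA publishes, per note (c). It assumes the .arm files are Base64-armored text like the .pem file; the sample blocks, their labels and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

# One armored block; the BEGIN/END label states what the payload is.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "certificate request",
    "NEW CERTIFICATE REQUEST": "certificate request",
}

def inspect_armored(text):
    """Return one dict per armored block: label, kind, DER bytes, SHA-256."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # X.509 and PKCS#10 are DER SEQUENCEs
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        found.append({"label": label,
                      "kind": KINDS.get(label, "other"),
                      "der": der,
                      "sha256": hashlib.sha256(der).hexdigest()})
    return found

def matches_published(block, published_fingerprint):
    """True only for a certificate whose SHA-256 equals the fingerprint
    obtained from the CA itself (colons, spaces and case are ignored)."""
    wanted = published_fingerprint.replace(":", "").replace(" ", "").lower()
    return block["kind"] == "certificate" and block["sha256"] == wanted

def armor(label, der):
    """Build an armored block (helper for the constructed samples below)."""
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: placeholder DER bytes, not real certificates.
SAMPLE_ROOT_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_REQ_DER = b"\x30\x03\x02\x01\x00"
ROOT_CA_PEM = armor("CERTIFICATE", SAMPLE_ROOT_DER)
CERTREQ_ARM = armor("NEW CERTIFICATE REQUEST", SAMPLE_REQ_DER)

if __name__ == "__main__":
    for name, text in (("rootCA.pem", ROOT_CA_PEM), ("certreq.arm", CERTREQ_ARM)):
        for block in inspect_armored(text):
            print(name, block["kind"], block["sha256"])
```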
ashokt
Posted: Thu Dec 01, 2022 12:02 am

Novice

Joined: 09 Oct 2022
Posts: 18

Hi Exerk,

Thanks for the update. Now I understand the procedure and the meaning of the .pem file.

Regards,