rajmq
Posted: Fri Nov 07, 2003 1:17 am
Partisan. Joined: 29 Sep 2002. Posts: 331. Location: USA
Hi Harwinder,
I found the problem; it was due to a fault in my MQSeries ikeyman installation.
Now I did the following steps on the Linux box.
After creating the QMgr:
1. Using gsk6cmd I created the key repository:
./gsk6cmd -keydb -create -db /var/mqm/qmgrs/SSL/ssl/key.kdb -pw pwdb -type cms -expire 2048 -stash
2. Gave rights and changed the SSLKEYR path.
3. Created a new self-signed certificate:
./gsk6cmd -cert -create -db /var/mqm/qmgrs/SSL/ssl/key.kdb -pw pwdb -label ibmwebspheremqssl -dn "CN=SSL,C=DE,O=IDG" -size 1024 -x509version 3 -expire 2048
4. The extraction part is also completed.
Can you give me details for the doubts below?
1. Which file do I need to FTP to the AIX box?
2. Before that, do I need to do the same steps on AIX (like creating the key repository and creating the self-signed certificate)?
Give me more details.
Thanks in advance,
raj
rajmq
Posted: Sat Nov 08, 2003 7:31 am
Hi,
Finally I did the setup, but after starting the sender channel I am getting an error like this:
AMQ9633: Bad SSL certificate for channel 'SSL.SDR'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
The channel is 'SSL.SDR'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the error, and restart the channel.
Regards,
raj
harwinderr
Posted: Mon Nov 10, 2003 2:57 am
Voyager. Joined: 29 Jan 2002. Posts: 90
Quote:
1. Which file do I need to FTP to the AIX box?
The file (cert.der), which you have extracted using
$ gsk6cmd -cert -extract -db filename -pw password -label label -target cert.der -format binary
needs to be FTPed to AIX, where you should add it as a CA certificate. The command to do that is
$ gsk6cmd -cert -add -db /var/mqm/qmgrs/qm2/ssl/key.kdb -pw Welcome123 -label Test -file cert.der -format binary
Quote:
2. Before that, do I need to do the same steps on AIX (like creating the key repository and creating the self-signed certificate)?
Yes, you have to repeat on AIX the same steps that you carried out on the Linux box. That means extracting the self-signed certificate and adding it as a CA certificate in the Linux key repository.
From the error you are getting, it looks like the certificate has not been FTPed and assigned properly.
rajmq
Posted: Mon Nov 10, 2003 11:56 pm
Hi Harwinderr,
Thanks for your reply.
After the SSL setup I am able to start the sender channel.
Now I need to check whether the messages are encrypted or not.
For that I have one sniffer program which I downloaded from a .NET site.
I did the following steps:
1. I changed the port of the Linux box sender channel (port 1414 to 1415).
2. Ran the program like this:
SimpleProxyServer localhost 1414 1415
3. After putting the values, it is not showing any encrypted values.
Can you help me out?
Regards,
raj
harwinderr
Posted: Tue Nov 11, 2003 12:49 am
Hi Raj,
I used a network sniffer which I downloaded from this site:
http://www.kolban.com/mq/Security/Data/Interceptor.jar
You have to run it with
java -jar Interceptor.jar <inPort> <outPort>
Nonetheless, in your case, to make things clear: in your SDR channel you will have CONNAME as ('a.b.c.d(1415)').
On the other machine, you will run the listener as
$ runmqlsr -m qm -t TCP -p 1414
and the sniffer as
$ java SimpleProxyServer localhost 1414 1415
You can see the transfer as soon as you do a runmqchl.
Hope this helps.
rajmq
Posted: Tue Nov 11, 2003 1:44 pm
Hi Harwinderr,
Thanks for your great help.
Using the SimpleProxyServer class, it is showing the encrypted values.
Without SSL I am able to see the message, so my SSL setup is working now.
After enabling SSL, will any performance issues come?
Now my confidence is increased; my next task is NT client to Linux server SSL enablement.
Thanks,
raj
harwinderr
Posted: Wed Nov 12, 2003 8:45 pm
Well, I am really glad that it worked for you.
Quote:
After enabling SSL, will any performance issues come?
Definitely, performance issues will come, as there will be the overhead of the initial handshake and of encrypting/decrypting all the data that flows across the queue managers. But one can overcome them by using cryptographic hardware.
rajmq
Posted: Thu Nov 13, 2003 10:36 am
Hi,
Can you give me some more details for my doubts below?
1. Currently, using a Java program, I am putting the message to my remote queue. From there it will reach the remote system.
But my requirement is that after reaching the qmgr RemQ, I need to write the message to one place on the MQ server itself.
Basically I need to trace IN and OUT messages on the MQ server itself. Is it possible? Can you give me a suggestion?
2. What is cryptographic hardware?
Thanks,
raj