Mike, thnx for all the info.
Libraries in /usr/mqm/lib, /usr/opt/ibm/gskak/lib are OK and all permissions and links are set properly as well as environment variables. Looks like my amqccgsk_r and other problems are related to C++ runtime (XLC) which must be at level 5.0.2.0 or higher according to MQSeries Level 2 Support.

Since I want to test both platforms (NT and AIX) I'll follow your instructions to obtain NT test certificate and let you know if I succeeded.

thnx,
-jerry

Mike Horan <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Tuesday July 9, 2002 11:48 AM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT

Jerzy,

1. We don't prereq any version of Java unless you are running the Java or JMS client. As Justin says, we ship a special jre, which you access by setting Java home as documented in the Security book.

2. As Justin implies, the failure on loading amqccgsk_r may indicate that the underlying SSL support has not been installed properly. You could check that you have got the file amqcgsk_r in /usr/lpp/mqm/lib, and that there are several *.so files in the directory /usr/opt/ibm/gskak/lib (amqcgsk_r needs these). You could then think about paths and permissions for these files. Or you could just try reinstalling (the SSL parts of) MQ. Note, with reference to your first append, that you can't run any kind of SSL channel without use of digital certificates!

3. Test certificates on NT. Makecert is the Microsoft tool which is intended for this purpose. We have been in communication with Microsoft as to how to make this work in the way we need it to, and we are optimistic that, at the right service level and with the right parameters, it can be used to create test certificates which can be used on WMQ SSL channels. For the moment, though, we recommend the following approach to getting a free test certificate for your Windows environment (it looks more complex than it is!)

   1. Go to website: www.digsigtrust.com (using Internet Explorer)
   2. Click on Products/Services
   3. Click on Get a TrustID Demo Certificate
   4. Fill in the identification form and click Continue
   5. Check your form contents and click Continue
   6. You are asked to Select a mechanism for storing your TrustID digital certificate from the options below. You should select browser (NOT roaming)
   7. Click accept on the certificate agreement
   8. Next panel: leave 1024 as the Key Bit Length, and select Microsoft Enhanced Cryptographic Provider
   9. Next panel: you don't have to do anything (you will already have the DST root certificate, the root of the CA certificate chain, so you don't need to download this)
   10. Next you receive a URL in your email, with an activation code.
   11. Access the URL through Internet Explorer.
   12. It will give you the activation code, you just have to type in the passcode you gave on the identification form at step 4. Click Retrieve.
   13. You now have your personal certificate, click Continue
   14. Go into Internet Explorer, Select Tools->Internet Options->Content->Certificates
   15. Select the Personal Tab and you will see a certificate with your name in the Issued To column and DEMO CA A6 in the Issued By column.
   16. Double click (left mouse button) on that certificate. This brings up a display of certificate information.
   17. Click on the Certification Path tab. This shows you the chain of CA certificates you need to validate this personal certificate

From here, if you have never added certificates to WebSphere MQ on this Windows system before, you have to use the amqmcert command line tool to add in the personal certificate you have obtained. This involves listing the certificates in the Microsoft MY store:

    amqmcert -k MY -l

and then adding the personal certificate you have obtained into your queue manager store, e.g.

    amqmcert -a 14002 -m fred

where 14002 is the handle for the certificate in the amqmcert list, and fred is the queue manager name.
Note that you can add further certificates using the GUI once you have added this one using amqmcert. You then have to export the CA certificates in the chain and ftp them to your UNIX system, where you add them as signer certificates using iKeyman.

Best regards,
Mike

WebSphere MQ Base Development (distributed platforms)
Channels and Clustering Teams
IBM Hursley Park, UK
[EMAIL PROTECTED]

Jerzy Pierscinski <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/09/2002 03:21 PM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT

Justin,
thnx for your reply.

1) I agree on the JRE 1.4 prereq for JSSE, or at least that's what the docs say, but IBM tech support said JRE 1.4 was prereq for GSKit, but they are still checking on it.
2) my JAVA_HOME points to /usr/mqm/ssl/jre
3) /usr/mqm/ssl/jre/bin/java -fullversion shows the same J2RE 1.3.1 ....version and same build
4) lslpp -L "mqm.*" "gskak.*" show exactly the same filesets and versions
3) Since I have AIX 4.3.3 and you were successful with AIX 5.1 looks like the problem is with some OS filesets.

I have PMR#55101-344 with IBM. At this moment we're looking into XLC C++ runtime filesets which might be outdated on my box. We don't use crypt hardware at this moment. I hope once I jump over this problem, SSL testing should be smooth.

thnx,
-jerry

Justin Fries <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Tuesday July 9, 2002 04:26 AM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT

Jerzy,

I have been successful in setting this up using a vanilla 5.3.0.0 install on AIX 5.1 ML2. As I understand it, the JRE 1.4 prereq is for JSSE (Java Secure Socket Extension), which is necessary only if you are going to establish SSL-secured Java connections to MQSeries; it should not be necessary for using GSKit.
According to the new "MQSeries Security" manual, Chapter 11, it is necessary to export your JAVA_HOME=/usr/mqm/ssl/jre on AIX. MQSeries ships a cut-down JRE under that directory just for running gsk6ikm. Java 1.4 can't be required for GSKit:

    aemaix4> /usr/mqm/ssl/jre/bin/java -fullversion
    java full version "J2RE 1.3.1 IBM AIX build ca1311-20011123a"

Based on the load failure you are seeing with amqccgsk_r I wonder whether you have all the necessary LPPs installed. Compare your system to mine, and if necessary reinstall using 'smitty install_all' to select the proper LPPs manually:

    aemaix4> lslpp -L "mqm.*" "gskak.*"
      Fileset              Level     State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      gskak.rte            6.0.2.46  C      F     AIX Certificate and SSL Base Runtime ACME Toolkit
      mqm.base.runtime     5.3.0.0   C      F     WebSphere MQ Runtime for Client and Server
      mqm.base.samples     5.3.0.0   C      F     WebSphere MQ Samples
      mqm.base.sdk         5.3.0.0   C      F     WebSphere MQ Base Kit for Client and Server
      mqm.client.rte       5.3.0.0   C      F     WebSphere MQ Client for AIX
      mqm.java.rte         5.3.0.0   C      F     WebSphere MQ Java Client and JMS
      mqm.keyman.rte       5.3.0.0   C      F     WebSphere MQ Support for GSKit
      mqm.man.en_US.data   5.3.0.0   C      F     WebSphere MQ Man Pages - U.S. English
      mqm.msg.en_US        5.3.0.0   C      F     WebSphere MQ Messages - U.S. English
      mqm.server.rte       5.3.0.0   C      F     WebSphere MQ Server

Once you can get gsk6ikm running, it's surprisingly easy to create and exchange two self-signed certificates and test various CipherSpecs. Unless you have crypto hardware, be prepared for your test channels to spend a little extra time in the BINDING state while testing!

Best regards,
Justin T. Fries
MQSeries Support
Raleigh, North Carolina
Email: [EMAIL PROTECTED]

Jerzy Pierscinski <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/08/2002 18:41
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: webspheremq version 5.3 on AIX 4.3.3 and NT

Has anyone started playing with websphere mqseries v5.3? I have installed v5.3 on my AIX and NT boxes. All my connections (channels) work fine without the SSL features but I have multiple problems when I'm trying to test SSL:

1) I couldn't create self sign digital certificate via gsk6ikm (IBM GSKit installed with webspheremq v5.3). IBM tech-support claims that I need JDK 1.4 but the mq documentation says JDK1.3.1 is required. I have JDK1.3.1 on my box and my JAVA_HOME points to it. (JDK 1.4 is Beta on IBM site and has prerequisite of AIX OS 5.1 which I don't have)

2) When I want to use encryption only without Digital Certificate (RC4_SHA_US or any other CipherSpec on both ends of the channels) I'm getting error on my AIX box: "The attempt to load the GSKitSSL library or procedure 'amqccgsk_r' failed with error code 536895861." I exported my PATH and LIBPATH pointing them to all possible directories which have mq or gsk or even java libraries.

3) On NT I was able to create Digital Certificate via makecert software but I have a 'format error' when I try to Assign this certificate to my NT Queue Manager.

Does anyone experience a similar problem?
thnx,
-jerry

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

(See attached file: C.htm)
#### C.htm has been removed from this note on July 09 2002 by Mike Horan
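
Added example, not part of the thread and not IBM's code: a shell check that automates the fileset comparison suggested above ("Compare your system to mine") over `lslpp -L` output, and also applies the C++ runtime level of 5.0.2.0 mentioned in the thread. The fileset name `xlC.rte`, the choice of which listed filesets to treat as required, and the sample listing are assumptions made for this example.

```shell
# Minimum levels: first four from the lslpp listing in the thread, last from the
# C++ runtime level quoted there. "xlC.rte" and this selection are assumptions.
REQUIRED='gskak.rte 6.0.2.46
mqm.base.runtime 5.3.0.0
mqm.keyman.rte 5.3.0.0
mqm.server.rte 5.3.0.0
xlC.rte 5.0.2.0'

# level_ge A B: succeed when dotted four-part level A is >= B.
level_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_filesets: read `lslpp -L` output on stdin, print one line per problem.
check_filesets() {
    listing=$(cat)
    echo "$REQUIRED" | while read -r name need; do
        # lslpp -L columns: Fileset Level State Type Description
        line=$(echo "$listing" | awk -v n="$name" '$1 == n { print $2, $3; exit }')
        if [ -z "$line" ]; then
            echo "MISSING $name (need $need)"
            continue
        fi
        have=${line% *}; state=${line#* }
        [ "$state" = "C" ] || echo "NOT-COMMITTED $name (state $state)"
        level_ge "$have" "$need" || echo "TOO-OLD $name $have (need $need)"
    done
}

# Constructed sample: keyman fileset absent, C++ runtime below 5.0.2.0.
sample_listing() {
    cat <<'EOF'
  Fileset              Level  State  Type  Description (Uninstaller)
  gskak.rte         6.0.2.46    C     F    AIX Certificate and SSL Base Runtime
  mqm.base.runtime   5.3.0.0    C     F    WebSphere MQ Runtime for Client and Server
  mqm.server.rte     5.3.0.0    C     F    WebSphere MQ Server
  xlC.rte            4.0.2.1    C     F    C++ runtime (constructed entry)
EOF
}

# On AIX: lslpp -L "mqm.*" "gskak.*" "xlC.*" | check_filesets
sample_listing | check_filesets
```

No output means every required fileset is present, committed, and at or above the listed level.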