FYI:

Mike,

I followed the 17 step instructions and it worked pretty well. The only
problem was the missing DEMO CA A6 root CA certificate in the chain, which I
downloaded as a .p7b file from the DST site. IBM gives you DST RootCA X1 and
DST RootCA X3 with the version 5.3 software but not the DEMO CA A6. Anyway, it
worked well and I was able to send encrypted messages between 2 NT qmgrs
and have them authenticate each other with their own DST DEMO digital
certificates.

PS: I still have a problem on the AIX box but it is related to some outdated
OS patches.

thnx for your help, -jerry




Mike Horan <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Tuesday July 9, 2002 11:48 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT


Jerzy,

1. We don't prereq any version of Java unless you are running the Java or
JMS client. As Justin says, we ship a special jre, which you access by
setting Java home as documented in the Security book.

2. As Justin implies, the failure on loading amqccgsk_r may indicate that
the underlying SSL support has not been installed properly. You could check
that you have got the file amqcgsk_r in /usr/lpp/mqm/lib, and that there
are several *.so files in the directory /usr/opt/ibm/gskak/lib (amqcgsk_r
needs these). You could then think about paths and permissions for these
files. Or you could just try reinstalling (the SSL parts of) MQ.

Note, with reference to your first append, that you can't run any kind of
SSL channel without use of digital certificates!

3. Test certificates on NT. Makecert is the Microsoft tool which is
intended for this purpose. We have been in communication with Microsoft as
to how to make this work in the way we need it to, and we are optimistic
that, at the right service level and with the right parameters, it can be
used to create test certificates which can be used on WMQ SSL channels.

For the moment, though, we recommend the following approach to getting a
free test certificate for your Windows environment (it looks more complex
than it is!)

1. Go to website: www.digsigtrust.com  (using Internet Explorer)

2. Click on Products/Services

3. Click on Get a TrustID Demo Certificate

4. Fill in the identification form and click Continue

5. Check your form contents and click Continue

6. You are asked to Select a mechanism for storing your TrustID digital
certificate from the options below

    You should select browser (NOT roaming)

7. Click accept on the certificate agreement

8. Next panel: leave 1024 as the Key Bit Length, and select Microsoft
Enhanced Cryptographic Provider

9. Next panel: you don't have to do anything (you will already have the DST
root certificate, the root of the CA certificate chain, so you don't need
to download this)

10. Next you receive a URL in your email, with an activation code.

11. Access the URL through Internet Explorer.

12. It will give you the activation code; you just have to type in the
passcode you gave on the identification form at step 4, then click Retrieve.

13. You now have your personal certificate, click Continue

14. Go into Internet Explorer, Select Tools->Internet
Options->Content->Certificates

15. Select the Personal Tab and you will see a certificate with your name
in the Issued To column and DEMO CA A6 in the Issued By column.

16. Double click (left mouse button) on that certificate. This brings up a
display of certificate information.

17. Click on the Certification Path tab. This shows you the chain of CA
certificates you need to validate this personal certificate.


From here, if you have never added certificates to WebSphere MQ on this
Windows system before, you have to use the amqmcert command line tool to
add in the personal certificate you have obtained.

This involves listing the certificates in the Microsoft MY store:
amqmcert -k MY -l
and then adding the personal certificate you have obtained into your queue
manager store: e.g. amqmcert -a 14002 -m fred, where 14002 is the handle
for the certificate in the amqmcert list, and fred is the queue manager
name.

Note that you can add further certificates using the GUI once you have
added this one using amqmcert.

You then have to export the CA certificates in the chain and ftp them to
your UNIX system, where you add them as signer certificates using iKeyman.


Best regards,

Mike

WebSphere MQ Base Development (distributed platforms)
Channels and Clustering Teams
IBM Hursley Park, UK
[EMAIL PROTECTED]




Jerzy Pierscinski <jerzy.pierscinski@PRUDENTIAL.COM>
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/09/2002 03:21 PM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT


Justin,

thnx for your reply.

1) I agree on the JRE 1.4 prereq for JSSE, or at least that's what the
docs say, but IBM tech support said JRE 1.4 was a prereq for GSKit, but they
are still checking on it.
2) my JAVA_HOME points to /usr/mqm/ssl/jre
3) /usr/mqm/ssl/jre/bin/java -fullversion shows the same J2RE 1.3.1
....version and same build
4) lslpp -L "mqm.*" "gskak.*" shows exactly the same filesets and versions
5) Since I have AIX 4.3.3 and you were successful with AIX 5.1 it looks like
the problem is with some OS filesets.
  I have PMR#55101-344 with IBM. At this moment we're looking into XLC C++
runtime filesets which might be outdated on my box.


We don't use crypto hardware at this moment. I hope once I jump over this
problem, SSL testing should be smooth.

thnx, -jerry




Justin Fries <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Tuesday July 9, 2002 04:26 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: webspheremq version 5.3 on AIX 4.3.3 and NT


Jerzy,

        I have been successful in setting this up using a vanilla 5.3.0.0
install on AIX 5.1 ML2.  As I understand it, the JRE 1.4 prereq is for
JSSE (Java Secure Socket Extension), which is necessary only if you are
going to establish SSL-secured Java connections to MQSeries; it should not
be necessary for using GSKit.

        According to the new "MQSeries Security" manual, Chapter 11, it is
necessary to export your JAVA_HOME=/usr/mqm/ssl/jre on AIX.  MQSeries
ships a cut-down JRE under that directory just for running gsk6ikm.  Java
1.4 can't be required for GSKit:

aemaix4> /usr/mqm/ssl/jre/bin/java -fullversion
java full version "J2RE 1.3.1 IBM AIX build ca1311-20011123a"


        Based on the load failure you are seeing with amqccgsk_r I wonder
whether you have all the necessary LPPs installed.  Compare your system to
mine, and if necessary reinstall using 'smitty install_all' to select the
proper LPPs manually:

aemaix4> lslpp -L "mqm.*" "gskak.*"
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  gskak.rte                 6.0.2.46    C     F    AIX Certificate and SSL Base
                                                   Runtime ACME Toolkit
  mqm.base.runtime           5.3.0.0    C     F    WebSphere MQ Runtime for Client
                                                   and Server
  mqm.base.samples           5.3.0.0    C     F    WebSphere MQ Samples
  mqm.base.sdk               5.3.0.0    C     F    WebSphere MQ Base Kit for Client
                                                   and Server
  mqm.client.rte             5.3.0.0    C     F    WebSphere MQ Client for AIX
  mqm.java.rte               5.3.0.0    C     F    WebSphere MQ Java Client and JMS
  mqm.keyman.rte             5.3.0.0    C     F    WebSphere MQ Support for GSKit
  mqm.man.en_US.data         5.3.0.0    C     F    WebSphere MQ Man Pages - U.S.
                                                   English
  mqm.msg.en_US              5.3.0.0    C     F    WebSphere MQ Messages - U.S.
                                                   English
  mqm.server.rte             5.3.0.0    C     F    WebSphere MQ Server


        Once you can get gsk6ikm running, it's surprisingly easy to create
and exchange two self-signed certificates and test various CipherSpecs.
Unless you have crypto hardware, be prepared for your test channels to
spend a little extra time in the BINDING state while testing!

        Best regards,

        Justin T. Fries
        MQSeries Support
        Raleigh, North Carolina
        Email: [EMAIL PROTECTED]
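Added example for the load-failure diagnosis in Justin's and Mike's replies (amqcgsk_r in the MQ lib directory, the GSKit *.so files in the gskak lib directory, LIBPATH covering that directory, and the mqm/gskak filesets in the lslpp listing). This is a preflight script written for this page, not code from the thread or from IBM. The directory paths, the LIBPATH value and the lslpp output are passed in as arguments, so it runs here against a constructed fixture (the fixture's file name libgsk.so and the "bad box" layout are hypothetical); on AIX you would call it with /usr/lpp/mqm/lib, /usr/opt/ibm/gskak/lib, "$LIBPATH" and a file holding the output of lslpp -L "mqm.*" "gskak.*".

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the pieces named
# in the replies, so an amqccgsk_r load failure can be narrowed down before
# reinstalling the SSL parts of MQ.

# check_mq_ssl_prereqs MQ_LIB_DIR GSKIT_LIB_DIR LIBPATH_VALUE LSLPP_FILE
# Prints one line per problem found; the return value is the problem count,
# so 0 means everything asked for in the thread is in place.
check_mq_ssl_prereqs() {
    mqlib=$1; gsklib=$2; libpath=$3; lslpp_out=$4
    problems=0

    # The MQ-side SSL module must exist and be readable (paths and permissions).
    if [ ! -r "$mqlib/amqcgsk_r" ]; then
        echo "missing or unreadable: $mqlib/amqcgsk_r"
        problems=$((problems + 1))
    fi

    # amqcgsk_r loads the GSKit shared objects from the gskak lib directory.
    so_count=$(ls "$gsklib"/*.so 2>/dev/null | wc -l | tr -d ' ')
    if [ "$so_count" -eq 0 ]; then
        echo "no GSKit shared objects (*.so) found in $gsklib"
        problems=$((problems + 1))
    fi

    # The loader only finds them if LIBPATH contains that directory.
    case ":$libpath:" in
        *":$gsklib:"*) ;;
        *)  echo "LIBPATH does not include $gsklib"
            problems=$((problems + 1)) ;;
    esac

    # The filesets from Justin's listing must be present and committed
    # (State C); mqm.keyman.rte is the one carrying GSKit support for MQ.
    for fs in gskak.rte mqm.keyman.rte mqm.server.rte; do
        if ! awk -v fs="$fs" '$1 == fs && $3 == "C" { found = 1 } END { exit !found }' "$lslpp_out"; then
            echo "fileset $fs is not installed and committed according to lslpp"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# --- constructed fixture standing in for two AIX boxes ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/good/mqm/lib" "$WORK/good/gskak/lib" \
         "$WORK/bad/mqm/lib"  "$WORK/bad/gskak/lib"
: > "$WORK/good/mqm/lib/amqcgsk_r"
: > "$WORK/good/gskak/lib/libgsk.so"   # hypothetical file name
cat > "$WORK/good/lslpp.txt" <<'EOF'
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  gskak.rte                 6.0.2.46    C     F    AIX Certificate and SSL Base
                                                   Runtime ACME Toolkit
  mqm.keyman.rte             5.3.0.0    C     F    WebSphere MQ Support for GSKit
  mqm.server.rte             5.3.0.0    C     F    WebSphere MQ Server
EOF
# The bad box: no amqcgsk_r, no GSKit objects, LIBPATH never extended, and
# the keyman fileset never installed.
grep -v mqm.keyman.rte "$WORK/good/lslpp.txt" > "$WORK/bad/lslpp.txt"

echo "== good box =="
check_mq_ssl_prereqs "$WORK/good/mqm/lib" "$WORK/good/gskak/lib" \
    "/usr/lib:$WORK/good/gskak/lib" "$WORK/good/lslpp.txt" \
    && echo "all prerequisites present"
echo "== bad box =="
check_mq_ssl_prereqs "$WORK/bad/mqm/lib" "$WORK/bad/gskak/lib" \
    "/usr/lib" "$WORK/bad/lslpp.txt" || echo "problems found: $?"
```

The fileset check only confirms that the packages are installed and committed; it says nothing about whether the OS-level runtime filesets that Jerry's PMR is chasing (XLC C++ runtime) are current, which is the remaining gap on an AIX 4.3.3 box once this script reports nothing.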




Jerzy Pierscinski <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/08/2002 18:41
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: webspheremq version 5.3 on AIX 4.3.3 and NT



Has anyone started playing with websphere mqseries v5.3?

I have installed v5.3 on my AIX and NT boxes.  All my connections (channels)
work fine without the SSL features but I have multiple problems when I'm
trying to test SSL:
1) I couldn't create a self-signed digital certificate via gsk6ikm (IBM GSKit
installed with webspheremq v5.3). IBM tech-support claims that I need JDK
1.4 but the mq documentation says JDK1.3.1 is required.  I have JDK1.3.1 on
my box and my JAVA_HOME points to it.  (JDK 1.4 is Beta on the IBM site and
has a prerequisite of AIX OS 5.1 which I don't have)
2) When I want to use encryption only without a Digital Certificate
(RC4_SHA_US or any other CipherSpec on both ends of the channels) I'm
getting an error on my AIX box:
"The attempt to load the GSKitSSL library or procedure 'amqccgsk_r' failed
with error code 536895861."
I exported my PATH and LIBPATH pointing them to all possible directories
which have mq or gsk or even java libraries.
3) On NT I was able to create a Digital Certificate via makecert software
but I have a 'format error' when I try to Assign this certificate to my NT
Queue Manager.

Has anyone experienced a similar problem?

thnx, -jerry

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive



(See attached file: C.htm)




#### C.htm has been removed from this note on July 09 2002 by Mike Horan
