Re: SSL on z/OS and RACF
Each queue manager has its own certificate. You can certainly link more than one queue manager to a key ring. Russell Russell Finn MQSeries System Test [EMAIL PROTECTED] [EMAIL PROTECTED] Sent by: MQSeries List <[EMAIL PROTECTED]> 30/04/2004 22:24 Please respond to MQSeries List To [EMAIL PROTECTED] cc Subject Re: SSL on z/OS and RACF All, Does anyone know if it's necessary to have a unique key ring for each queue manager on z/OS ? On the distributed side, it is necessary. From my reading in WMQ Security (z/OS), I think you use the same key ring for all queue managers, but I'm not 100% sure about this. Any help is appreciated Thanks ! Phil This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of J.P. Morgan Chase & Co., its subsidiaries and affiliates. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: SSL on z/OS and RACF
All, Does anyone know if it's necessary to have a unique key ring for each queue manager on z/OS ? On the distributed side, it is necessary. From my reading in WMQ Security (z/OS), I think you use the same key ring for all queue managers, but I'm not 100% sure about this. Any help is appreciated Thanks ! Phil This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of J.P. Morgan Chase & Co., its subsidiaries and affiliates. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: SSL on z/OS and RACF
and.. RACDCERT ID(SEDQCHIN) LISTRING(SEDQRING) On z/OS I Changed the queue manager object on the queue manager so it has the correct KEYRING specified on the SSLKEYR attribute and specifiy a number of SSL tasks to be started. /SEDQ ALTER QMGR SSLKEYR(SEDQRING) SSLTASKS(5) The CHINIT needs to be re-started for this to take effect. /SEDQ STOP QMGR /SEDQ START QMGR PARM(SEDQZPRM) -Original Message- From: Waldenburger, Barbara [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 27, 2004 8:39 AM To: [EMAIL PROTECTED] Subject: SSL on z/OS and RACF Hi, we are struggling to test MQ with SSL on z/OS with RACF as security server. We have generated an certificate request via RACDCERT command with operand GENREQ. The request is sent to the CA to sign the certificate, but the CA rejects it saying "invalid format"; the tool used is OPENSSL. With "openssl req -text -noauth -in (request)" we see, that the certificate request contains no attributes. Does anybody know how to set the attributes on z/OS with RACF? We cannot find any documentation on this. Has anybody running MQ with SSL on z/OS? Any help is greatly appreciated. Barbara Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: SSL on z/OS and RACF
Hi, Sorry, no direct experience with RACF generated CA sign requests. We have, however, successfully imported PKCS12 files from an OpenSSL environment (on Windows). Is that path open to you? Alan -Original Message- From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Waldenburger, Barbara Sent: 27 April 2004 14:39 To: [EMAIL PROTECTED] Subject: SSL on z/OS and RACF Hi, we are struggling to test MQ with SSL on z/OS with RACF as security server. We have generated an certificate request via RACDCERT command with operand GENREQ. The request is sent to the CA to sign the certificate, but the CA rejects it saying "invalid format"; the tool used is OPENSSL. With "openssl req -text -noauth -in (request)" we see, that the certificate request contains no attributes. Does anybody know how to set the attributes on z/OS with RACF? We cannot find any documentation on this. Has anybody running MQ with SSL on z/OS? Any help is greatly appreciated. Barbara Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
SSL on z/OS and RACF
Hi, we are struggling to test MQ with SSL on z/OS with RACF as security server. We have generated an certificate request via RACDCERT command with operand GENREQ. The request is sent to the CA to sign the certificate, but the CA rejects it saying "invalid format"; the tool used is OPENSSL. With "openssl req -text -noauth -in (request)" we see, that the certificate request contains no attributes. Does anybody know how to set the attributes on z/OS with RACF? We cannot find any documentation on this. Has anybody running MQ with SSL on z/OS? Any help is greatly appreciated. Barbara Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive