Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Pavel Tolkachev
I have been using gsk6cmd on AIX (4.3, 5.1) for quite a while. It is a bore but
it works. I have never used the GUI (I tried, but some windows were appearing
shrunk to zero size, so I dropped it).

Pavel



From: "Lovett, Alan J" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Sent: 11/23/2004 05:10 AM
To: [EMAIL PROTECTED]
Subject: Re: Using gsk6cmd to create certificates and key ring files on AIX
Please respond to MQSeries List

Bill,

That statement does create concerns!  Given that gsk6cmd and gsk6man share
the same code I translate the statement as meaning little.  In the interval
between about a year ago and some unknown point in the future, we use
gsk6cmd successfully on AIX.  In my experience, rely upon JAVA_HOME to point
to the Java run-time installed with MQ (/usr/mqm/ssl/jre).  Attempting to
set up your own class path leads to madness.  We use openSSL on a Windows
system to cut the PKCS12 file.  We import these into a copy of our empty
model key repository.  When you create one with gsk6cmd, it populates it
with popular CA certificates, which we most definitely don't want - we need
full control of the CA.  Deleting them all is then a once only activity.

You might find it useful to trawl the web for general stuff about gsk6cmd.
You will notice that there is a history of problems getting that first key
repository created.  Once past that the problems get easier.  Also the AIX
documentation of gsk6cmd is somewhat more forthcoming than MQ's.

What are your messages?


Alan

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bill
Anderson
Sent: 22 November 2004 20:06
To: [EMAIL PROTECTED]
Subject: Using gsk6cmd to create certificates and key ring files on AIX


I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can "see" the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero [EMAIL PROTECTED]
http://www.mconnect.aero/

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive



Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Bill Anderson
Thanks for the tips Alan,

I'm not going to play around with SSL again until I review the latest
version of the security manual. Given the holiday and other projects, that
will not be until next Monday or so.

I like your idea of creating the PKCS12 files using open SSL and importing
them. I think that is the way I may go. I'll just put open SSL on my laptop
for now, and when I get things working and ready to go beyond a self signed
certificate, I can find a server out on the LAN to be the open SSL server.


Thanks again for your help

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/





Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Lovett, Alan J
Bill,

That statement does create concerns!  Given that gsk6cmd and gsk6man share
the same code I translate the statement as meaning little.  In the interval
between about a year ago and some unknown point in the future, we use
gsk6cmd successfully on AIX.  In my experience, rely upon JAVA_HOME to point
to the Java run-time installed with MQ (/usr/mqm/ssl/jre).  Attempting to
set up your own class path leads to madness.  We use openSSL on a Windows
system to cut the PKCS12 file.  We import these into a copy of our empty
model key repository.  When you create one with gsk6cmd, it populates it
with popular CA certificates, which we most definitely don't want - we need
full control of the CA.  Deleting them all is then a once only activity.

You might find it useful to trawl the web for general stuff about gsk6cmd.
You will notice that there is a history of problems getting that first key
repository created.  Once past that the problems get easier.  Also the AIX
documentation of gsk6cmd is somewhat more forthcoming than MQ's.

What are your messages?


Alan

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bill
Anderson
Sent: 22 November 2004 20:06
To: [EMAIL PROTECTED]
Subject: Using gsk6cmd to create certificates and key ring files on AIX


I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can "see" the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero [EMAIL PROTECTED]
http://www.mconnect.aero/
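
The workflow described in the message above (cut the PKCS12 file with OpenSSL under a CA you control, then import it into a copy of the emptied model key repository), as an added example that is not part of the original thread. The CA name, queue manager name, passwords and file paths other than /usr/mqm/ssl/jre are constructed, and the gsk6cmd options are assumed to follow IBM's documented ikeycmd syntax; that step is skipped where gsk6cmd is not installed.

```shell
#!/bin/sh
# Added example; CA name, passwords and file names are constructed placeholders.

# make_p12 DIR QMGR PASSWORD: private CA + queue manager cert, bundled as DIR/qm.p12
make_p12() {
    d=$1; qm=$2; pw=$3
    # Private CA: the only issuer the key repository should end up trusting.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=Example MQ CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Queue manager key pair and signing request, then the CA-signed certificate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$qm" \
        -keyout "$d/qm.key" -out "$d/qm.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/qm.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/qm.crt" 2>/dev/null || return 1
    # The friendly name becomes the label after import; MQ 5.3 on UNIX looks for
    # ibmwebspheremq followed by the queue manager name in lower case.
    label="ibmwebspheremq$(printf '%s' "$qm" | tr '[:upper:]' '[:lower:]')"
    openssl pkcs12 -export -name "$label" -inkey "$d/qm.key" -in "$d/qm.crt" \
        -certfile "$d/ca.crt" -passout "pass:$pw" -out "$d/qm.p12"
}

# p12_label FILE PASSWORD: print the friendly name stored in the PKCS12 file
p12_label() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_cert_count FILE PASSWORD: number of certificates inside (cert + CA = 2)
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# import_p12 MODEL_KDB TARGET_KDB P12 P12_PASSWORD KDB_PASSWORD
# Works on a copy of the emptied model repository, never on the model itself.
import_p12() {
    command -v gsk6cmd >/dev/null 2>&1 || { echo "gsk6cmd not installed"; return 0; }
    JAVA_HOME=/usr/mqm/ssl/jre; export JAVA_HOME   # JRE shipped with MQ
    cp "$1" "$2" || return 1
    gsk6cmd -cert -import -file "$3" -pw "$4" -type pkcs12 \
        -target "$2" -target_pw "$5" -target_type cms || return 1
    gsk6cmd -cert -list -db "$2" -pw "$5"   # should show only our CA and label
}

work=$(mktemp -d)
make_p12 "$work" QM1 'constructed-p12-pw' &&
    echo "label in PKCS12: $(p12_label "$work/qm.p12" 'constructed-p12-pw')"
import_p12 /path/to/model.kdb "$work/key.kdb" "$work/qm.p12" \
    'constructed-p12-pw' 'constructed-kdb-pw'
```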
