Hi,
I try to configure a WMQ client application for permitting multiple qmgr connection
where each qmgr has it own different certificat.
The application (MO71 sysadmin in fact) should run on my W2K workstation.
Let me explain with the exemple :
QM_TEST is a WMQ5.3 W2K qmgr installed on a Test machine. QM_TEST has it own
certificat PKCS12 based on our TEST certification.
QM_PROD is a WMQ5.3 W2K qmgr installed on a Production machine. QM_PROD has it own
certificat PKCS12 based on our PROD certification.
I've install WMQ 5.3 client on my W2K workstation.
To allow connection to QM_TEST, I've create a svrconn channel 'protected by SSL'
On my W2K workstation, I've create a key repository C:\TEST_key.sto where I've
imported my TEST certificat by doing this :
SET MQSSLKEYR=C:\TEST_key
amqmcert -a -p certificatfile.p12 -z password to add certificat to TEST_key store
amqmcert -l to see the handle of added certificat
amqmcert -d the_handle to assign certificat to WMQ client
amqmcert -d the_handle If I don't repeat this, no certificate
was assigned to WMQ client.
amqmcert -l to check that certificat was well
assigned
In the application, I set value for SSL SYPHERSPEC and SSL key repository
c:\TEST_key.sto, the connection works perfectly.
via MO71 on my workstation, I can work on qmgr MQ_TEST.
If I do the same for PROD, creating c:\PROD_key in the same way (importing PROD
certificate), it works well too for qmgr MQ_PROD.
But the problem is that since that, the TEST key repository has no longer Certificate
assigned for WMQ client.
I receive following error :
C:\>amqmcert -l
Using CURRENT_USER for default system stores.
AMQ4809: No certificate has been assigned to this WebSphere MQ client.
I have to redo again the command amqmcert -d the_handle for c:\TEST_key.sto bu this
cause PROD key repository have the same problem.
I don't understand because MO71 doesn't use env var MQSSLKEYR for key repository,
there is a special separate field for each qmgr connection.
I try different combination of command amqmcert -a -k MY and all you can imagine, but
it give always the same problem !
The problem is probably because the private key is stored in the same place in the
CURRENT_USER protected registry key.
So, it's seems that it's not possible to configure a WMQ client application (so MO71)
to connect to differents qmgr having different certificate)
Could you please tell me if I understand well the mecanism of key repository on W2K
(I'm not a SSL specialist and I don't find any documentation about this problem.)
Do you see any solution to permit MO71 using SSL client channel to connect to qmgr
having different certificate ?
Thank you in advance.
Denis
------------------------------------------
"The information contained in this message is intended for the addressee
only and may contain confidential and/or privileged information and/or
information protected by intellectual property rights. If you are not
the addressee, please delete this message and notify the sender; you
should not use, alter, copy or distribute this message or disclose its
contents to anyone. Email transmission cannot be guaranteed to be secure
or error free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. No responsibility
is accepted by Dexia Bank for any loss or damage arising in any way from
its use. Any views or opinions expressed in this message are those of the
author and do not necessarily represent those of Dexia Bank or any of its
affiliates. Therefore this email does not constitute a commitment by Dexia
bank unless it contains an express statement to the contrary from an
authorised representative."
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
