I got a .p12 file from our server team. I need to connect to the MQ server using this. What do I need to get amqsputc to work? Are there any config entries I need to perform before I use this?

+3  A: 

Short answer: Not enough info to answer your question. This topic is quite deep and a lot depends on whether your app is C or Java and whether the WMQ channel is set for mutual authentication or not.

Long answer: Here's what you need to find out and why...

WMQ programs use either a .kdb format key store or they use a .jks keystore. The .jks format is for Java/JMS programs and the .kdb format is generally for C programs. Since amqsputc is definitely not the thing you will be using in Production, the first thing to do is determine what you will be using in Production so that you get the right key store type. No sense in getting amqsputc to work using a kdb if your actual app needs a .jks keystore. Once you know whether you need a kdb or a jks you can proceed accordingly.

The .p12 you were given will need to be loaded into the .kdb or .jks file before a WMQ program can use it. The important thing here is to understand whether the .p12 file contains your private key or the QMgr's public key. Depending on whether the channel is set to require mutual authentication, either of these scenarios is valid. A program like amqsputc that accesses a kdb file looking for your private key will search for a specific label to find the right certificate. So if it's a private key you need to know that and you'll need to know the user ID that will access it because that's part of the label when you install the cert.

If you use a kdb file then you need to use IBM's tooling to manage it. If you use a jks you can use IBM's tools, Sun's keytool or any compatible tool. IBM provides a GUI and a command-line tool. I recommend the command-line tool gskcapicmd for which you can find the user manual here.

To do some of the heavy lifting when creating and managing WMQ certificates, feel free to grab the WMQ Security Lab downloads from my web site. The zip file contains scripts that generate kdb files and certificates. They don't do exactly what you need but you will get a good idea of how the command does most basic tasks.

Take a look at the WMQ SupportPac MO04 SSL Wizard. You tell it what kind of app you have and what platform and it spits out the commands to generate keystores and certs. It will get you half way there. It would get you all the way there if you didn't have this mystery .p12 to deal with.

The WMQ product manuals are your friend. You will become quite familiar with the WMQ Security and WMQ Client manuals before you are done. If your app is Java or JMS you will also want to look at the Using Java manual.

Finally, there are a lot of links to various WMQ security resources on my web site. Some of these may be helpful.

T.Rob
You are one of the amazing people in the MQ area. I always love your answers. Thanks for the very useful information. I think this pretty much solves my problem.
What do I need to do on the server side to accept .p12 kind of certificates from the client?
Sorry for the late reply. I'm at IMPACT this week and due to time commitments have limited access to the Internet. The QMgr cannot use a .p12 directly. You will need to use iKeyman or one of the command-line GSKit tools to get the certificate into the QMgr's kdb keystore. Remember that a QMgr's private certificate *must* be named ibmwebspheremq<qmgr name> all one word, all in lower case. A cert for a trusted entity (a CA root or self-signed public key) can have any label name. Thanks for the kind words!
T.Rob
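
The label rule from the answer and comment above, as an added example (not code from the original posts or from IBM): a shell check that a list of keystore labels contains the personal certificate under the exact name WMQ will search for. The client form `ibmwebspheremq<user ID>` is an assumption based on the answer's statement that the user ID is part of the label; the function names and the sample labels are constructed for illustration.

```shell
#!/bin/sh
# Label WMQ searches for: "ibmwebspheremq" + name, one word, all lower case.
# NAME is the QMgr name for a queue manager keystore, or (assumed here) the
# user ID for a client application's keystore.
expected_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_label NAME  (reads one label per line on stdin)
# Prints one of:  ok | wrong-case:<label as stored> | missing
# Returns 0 only when the exact lower-case label is present.
check_label() {
    want=$(expected_label "$1")
    result=missing
    # Plain "read -r" trims the leading/trailing whitespace that keystore
    # listings usually put around each label; internal spaces are kept.
    while read -r label; do
        if [ "$label" = "$want" ]; then
            result=ok
            break
        fi
        lower=$(printf '%s' "$label" | tr '[:upper:]' '[:lower:]')
        # Right name but wrong case: the cert is there, yet the lookup fails.
        if [ "$lower" = "$want" ] && [ "$result" = missing ]; then
            result="wrong-case:$label"
        fi
    done
    printf '%s\n' "$result"
    [ "$result" = ok ]
}

# Constructed sample: labels as a kdb listing might show them (not real output).
SAMPLE_LABELS='  Corp Root CA
  ibmwebsphereMQQM1
  ibmwebspheremqappuser'

printf '%s\n' "$SAMPLE_LABELS" | check_label QM1     || true  # wrong-case:ibmwebsphereMQQM1
printf '%s\n' "$SAMPLE_LABELS" | check_label AppUser || true  # ok
printf '%s\n' "$SAMPLE_LABELS" | check_label QM2     || true  # missing
```

Feed it the label column from whatever tool you use to list the keystore; a `wrong-case` result means the certificate was imported under a label that has to be renamed before WMQ will find it.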
A: 

The simple answer is no, we cannot do it, because MQ certs are dependent on each client. For .NET, C, etc. we need a channel def file. For Java we need to use javak (something like this).