MQ SSL Practice
2012-03-19

Objectives
- SSL Introduction
- Certificate Management on MQ
- SSL configuration on MQ

SSL Introduction – Concept 1
- Symmetric encryption & Asymmetric encryption
- CipherSpecs: Different CipherSpecs provide different levels of security and performance.
- Certificate
- Digital signature
- Root CA and CA chain

SSL Introduction – Concept 2
- Message digests & Digital signature

SSL Introduction – Concept 3
- Root CA and CA chain: The root CA certificate is always signed by the CA itself.

SSL Introduction – Hand Shake (1 of 6)
- The Client Hello:
  - Jill sends Jack some random text
  - Also sends what CipherSpecs and compression methods she can use
  - Jill is the client

SSL Introduction – Hand Shake (2 of 6)
- The Server Hello
  - Jack sends Jill some random text
  - Jack chooses the CipherSpec and compression method to be used, from Jill's list
- The Server Certificate
- The Client Certificate Request

SSL Introduction – Hand Shake (3 of 6)
- Verify Server Certificate
  - Check Validity Period
  - Decrypt using CA's Public Key - verifies that CA is trusted
  - Check Domain Name and/or Distinguished Name
  - Also receives Jack's Public Key

SSL Introduction – Hand Shake (4 of 6)
- Client Key Exchange
  - Jill sends Jack the Secret Key to use
  - This is encrypted with Jack's Public Key
  - Also sends her certificate

SSL Introduction – Hand Shake (5 of 6)
- Verify Client Certificate
  - Decrypt using CA's public Key

SSL Introduction – Hand Shake (6 of 6)
- Send Information using agreed Secret Key
  - Randomly generated 1-time key
  - This is now a secure line

Certificate Management on MQ (1 of 3)
- Tools: IKeyMan or runmqckm
- Create a key repository for the CA
  - Key repository is used for storing the CA certificate and personal certificate along with an associated private key.
  - E.g. runmqckm -keydb -create -db myCA.kdb -type cms
  - Three files are created: myCA.kdb, myCA.crl and myCA.rdb.
- Self-signed CA certificate
- Certificate request
  - The label, as specified with -label parameter, must be of the form ibmwebspheremqmyqmgr, all in lower case.
  - This
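
The certificate checks from Hand Shake (3 of 6), together with the self-signed root from Concept 3, as an added example that is not part of the original slides. It uses toy textbook RSA (Mersenne primes, no padding) so that it runs with the standard library alone; the DNs CN=myCA and CN=jack, the dates and all function names are constructed for illustration.

```python
import hashlib
from datetime import datetime

def keypair(p, q, e=65537):
    """Toy textbook RSA from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(cert, n):
    """Message digest of the signed fields, reduced into the key's range."""
    fields = ("subject", "issuer", "not_before", "not_after", "pub")
    data = "|".join(str(cert[f]) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, issuer, pub, not_before, not_after, issuer_priv):
    """Digital signature: the digest 'encrypted' with the issuer's private key."""
    cert = dict(subject=subject, issuer=issuer, pub=pub,
                not_before=not_before, not_after=not_after)
    n, d = issuer_priv
    cert["sig"] = pow(digest(cert, n), d, n)
    return cert

def verify(cert, ca_cert, expected_dn, now):
    """The three checks of handshake step 3, in slide order."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    n, e = ca_cert["pub"]
    # 'Decrypt' the signature with the CA's public key, compare with our own digest.
    if cert["issuer"] != ca_cert["subject"] or pow(cert["sig"], e, n) != digest(cert, n):
        return "not signed by trusted CA"
    if cert["subject"] != expected_dn:
        return "DN mismatch"
    return "ok"

# Constructed sample data; Mersenne primes stand in for real key material.
START, END = datetime(2012, 1, 1), datetime(2013, 1, 1)
ca_pub, ca_priv = keypair(2**61 - 1, 2**89 - 1)
_, other_priv = keypair(2**107 - 1, 2**127 - 1)    # a CA Jill does not trust
jack_pub, _ = keypair(2**521 - 1, 2**607 - 1)
root = issue("CN=myCA", "CN=myCA", ca_pub, START, END, ca_priv)  # signed by itself
jack = issue("CN=jack", "CN=myCA", jack_pub, START, END, ca_priv)
untrusted = issue("CN=jack", "CN=myCA", jack_pub, START, END, other_priv)

def demo(now=datetime(2012, 3, 19)):
    """Run every case: the root against itself, then Jack's certificate."""
    return {"root": verify(root, root, "CN=myCA", now),
            "jack": verify(jack, root, "CN=jack", now),
            "untrusted": verify(untrusted, root, "CN=jack", now),
            "expired": verify(jack, root, "CN=jack", datetime(2014, 1, 1)),
            "wrong_dn": verify(jack, root, "CN=jill", now)}
```

The `untrusted` case carries the trusted CA's name in its issuer field and still fails, because only the signature check ties the certificate to the CA's key.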