How to move keystore into /var/mqm/qmgrs/QM1/ssl #370
The traditional MQ instructions are for creating a "kdb" file, which is a proprietary key store file used by MQ and some other IBM products. This image adds extra code to help create that file for you: you put standardized key and cert files under
I'm struggling with this also. I've placed my 3 .crt files on a persistent volume called qm1keys. Added to docker run: I see the files in /etc/mqm/pki/keys/ibmwebspheremqqm1 inside the running container. I see the qmgr SSLKEYR(/run/runmqserver/tls/key) attribute has set the keystore location. I see the keystores were indeed created in: /run/runmqserver/tls. However, the CERTLABL( ) on the queue manager isn't set to "ibmwebspheremqqm1" and the 3 certs were not imported into the keystore. It's empty. If I do:
Liz
Hi @liz72703 - What do your container logs say? What are your files called as well? The files need to be named in a particular way, for example certificate.crt, certificate.key & ca.crt. @seanleblanc - The instructions for this repo are relevant to the container image created by the code within. In this code we added a mechanism that if you supply .crt files in a particular way we will automatically generate the kdb file for you and configure the queue manager to use it. The other TLS instructions you refer to are likely for general MQ, in which case they are still applicable here and you can place a .kdb file in /var/mqm.... and configure the queue manager to use it. But you couldn't follow the instructions here for an on-premise queue manager.
After reflecting on this, I think I'm trying to do something that probably isn't possible or ever intended. I wanted to set up the keystore with our root/intermediate certificate chain and the personal certificate for the queue manager. But... it wouldn't be possible to even create the personal certificate via the certificate request, until the keystore had been created. I can't see a way to automate this really.
If I wanted to supply a prepopulated keystore database with the chain/personal certificate for the qmgr already in it, how would I do this? I'd want to have the keystore sitting on a persistent volume and have the queue manager's SSLKEYR and CERTLABL configured for it and not changed again after qmgr creation. Preferably a way to dynamically provide these 2 values so I don't have to bake the mqsc for them into an image specific to one queue manager. Right now, every time I restart the container, the configureTLS() code runs again and changes those values back to SSLKEYR('/run/runmqserver/tls/key') and CERTLABL(''). At the least, is there a way to disable this?
There isn't a way at the moment, and I think that's something we need to fix. FYI @sdmarshall79 @parrobe I think that if there are no keys or certs in the "pki" directory, we shouldn't set the SSLKEYR.
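A pre-flight check for the file naming the maintainer describes above, added here as an example and not part of the mq-container project. It assumes the layout /etc/mqm/pki/keys/<label>/{certificate.crt,certificate.key,ca.crt} given in the thread, and that openssl is available for the key-match check (otherwise that check is skipped). Running it on the host volume before starting the container catches the misnamed or mismatched files that leave the generated keystore empty and CERTLABL unset.

```shell
#!/bin/sh
# Assumed layout, from the thread (the <label> directory name becomes CERTLABL):
#   /etc/mqm/pki/keys/<label>/certificate.crt   queue manager certificate
#   /etc/mqm/pki/keys/<label>/certificate.key   its private key
#   /etc/mqm/pki/keys/<label>/ca.crt            issuing CA chain
PKI_ROOT="${PKI_ROOT:-/etc/mqm/pki/keys}"

# check_layout DIR: 0 if the three expected files exist and are non-empty, 1 otherwise.
check_layout() {
  dir=$1; rc=0
  for f in certificate.crt certificate.key ca.crt; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2; rc=1
    fi
  done
  for extra in "$dir"/*; do      # files with any other name are not picked up
    [ -e "$extra" ] || continue
    case $(basename "$extra") in
      certificate.crt|certificate.key|ca.crt) ;;
      *) echo "unexpected file (ignored by the image): $extra" >&2 ;;
    esac
  done
  return $rc
}

# check_keypair DIR: the cert's public key must match the private key,
# and ca.crt must build a valid chain for the cert. Skipped without openssl.
check_keypair() {
  dir=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
  cert_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$dir/certificate.key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate.crt does not match certificate.key" >&2; return 1; }
  openssl verify -CAfile "$dir/ca.crt" "$dir/certificate.crt" >/dev/null 2>&1 \
    || { echo "ca.crt does not verify certificate.crt" >&2; return 1; }
}

# check_all ROOT: run both checks for every <label> directory under ROOT.
check_all() {
  root=${1:-$PKI_ROOT}; status=0
  for d in "$root"/*/; do
    [ -d "$d" ] || continue
    d=${d%/}
    echo "checking label $(basename "$d")" >&2
    check_layout "$d" && check_keypair "$d" || status=1
  done
  return $status
}
# usage: . ./check_pki.sh && check_all /etc/mqm/pki/keys
```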
Not sure if this suits your purpose, but this is how we deploy the QMgr keystore to our MQ pods:
1. Create keystore (either cms or jks), using ibmkeyman
2. Request personal cert and receive it and its signer chain to the keystore (all using ibmkeyman)
3. Convert the keystore to PKCS12 (using ibmkeyman)
4. Create configmap (using Kubernetes "...create cm..." yaml) using the PKCS12 keystore
5. Encrypt the keystore password and update secrets yaml
6. Update the MQ stateful set for the new configmap
7. Deploy stateful set to namespace
-Larry
I'm trying to figure out how to properly set up TLS. The instructions I've used to get TLS working have me put the key.kdb file under /var/mqm/qmgrs/QM1/ssl for queue manager QM1, for instance.
The instructions for this image talk about putting key and cert files under /etc. Are these the same thing?