Tuesday, April 29, 2008

Setting up SSL Certificate in MQ6

To provide more secure communication between MQ channels, we may need to put in SSL protection. In brief, here are the steps.

1) Create a key store (key.kdb is the default name)


# gsk7cmd -keydb -create -db /key.kdb -pw -type cms -expire -stash


** It is very IMPORTANT to stash the password; otherwise MQ will not know what password to use. The password is stashed to key.sth in the same location.

2) Generate a certificate request (CSR)

# gsk7cmd -certreq -create -db -pw -label -dn "" -size -file


^^ dn --> distinguished name. X.500 distinguished name enclosed in double quotes.
Note that only the CN attribute is required.
You can supply multiple OU attributes.

*** For an MQ server, please use ibmwebspheremq'queue manager name' without the quotes. Do not try to learn this the hard way: all lower case, and follow it exactly. For MQ clients, please use ibmwebspheremq'userid' without the quotes.

3) Send the CSR to the CA to sign the certificate you have generated.

4) Add the certificate signed by CA to MQ6.

# gsk7cmd -cert -receive -file -db -pw -format ascii

[ Option -add --> add a CA cert so that the signer is trusted]
[ Option -receive --> receive a cert signed by a CA]

4a) You may want to check and display the certificate. Check that the Subject and Issuer are different.

# gsk7cmd -cert -list -db /key.kdb -pw
# gsk7cmd -cert -details -db /key.kdb -pw -label


5a) Alter MQ6 key location so that MQ is informed.

# runmqsc
# ALTER QMGR SSLKEYR('/ssl/')

i.e.

5b) Refresh the security setting in MQ server.

# refresh security type(ssl)


6) Configure the MQ6 channels that need SSL.

# runmqsc
# alter chl('') chltyp(sdr) sslciph('')
# alter chl('') chltyp(rcvr) sslciph('')

e.g. Type of cipher -- TLS_RSA_WITH_AES_128_CBC_SHA. Both ends of the channel must specify the same cipher spec.


7) Restart the channel for the changes to take effect. Check the status to see if it's successful.

# stop chl('')
# start chl('')
# dis chs(*)
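A pre-flight check for steps 1 and 4a above, added here as an example and not part of the original post. gsk7cmd is not run by the script; the "Label:", "Subject:" and "Issued by:" line names are assumed to match what gsk7cmd -cert -details prints, and the sample details are constructed, not captured from a real system.

```shell
#!/bin/sh
# Pre-flight checks for the key repository built above (added example, not from the
# original post). gsk7cmd is not run here; the "Label:", "Subject:" and "Issued by:"
# line names are assumed to match what "gsk7cmd -cert -details" prints.

# Label MQ looks for on a queue manager cert: "ibmwebspheremq" + name in lower case.
mq_qmgr_label() {
    printf 'ibmwebspheremq%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# key.kdb must have its stash file key.sth beside it; without the stash MQ has
# no password for the repository and the SSL channel will not start.
check_keyrepo() {
    [ -f "$1/key.kdb" ] && [ -f "$1/key.sth" ]
}

# Read "-cert -details" output from stdin for queue manager $1 and check that
#  1. the label is the one MQ expects, and
#  2. Subject and Issued by differ, i.e. the CA-signed cert was received rather
#     than a self-signed one. Returns 0 only if both hold.
cert_checks() {
    expected=$(mq_qmgr_label "$1")
    details=$(cat)
    label=$(printf '%s\n' "$details" | sed -n 's/^Label: *//p' | head -n 1)
    subject=$(printf '%s\n' "$details" | sed -n 's/^Subject: *//p' | head -n 1)
    issuer=$(printf '%s\n' "$details" | sed -n 's/^Issued by: *//p' | head -n 1)
    [ -n "$subject" ] && [ -n "$issuer" ] || return 1
    [ "$label" = "$expected" ] || return 1
    [ "$subject" != "$issuer" ]
}

# Constructed sample details for a CA-signed cert (not captured from a real system).
SAMPLE_SIGNED='Label: ibmwebspheremqqm1
Key Size: 2048
Subject: CN=QM1, OU=Middleware, O=Example Ltd
Issued by: CN=Example Issuing CA, O=Example Ltd
Trust Status: enabled'

# Constructed sample for a self-signed cert that also carries the wrong label.
SAMPLE_SELF='Label: QM1
Subject: CN=QM1, O=Example Ltd
Issued by: CN=QM1, O=Example Ltd'

# Live usage: gsk7cmd -cert -details -db key.kdb -pw ... -label "$(mq_qmgr_label QM1)" | cert_checks QM1
printf '%s\n' "$SAMPLE_SIGNED" | cert_checks QM1 && echo "signed sample: accepted"
printf '%s\n' "$SAMPLE_SELF" | cert_checks QM1 || echo "self-signed sample: rejected"
```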


Tip:
In order for gsk7cmd to run properly, you will need to set the environment:

# export JAVA_HOME=/opt/mqm/ssl/
# export PATH=$PATH:/bin:/usr/bin


Here are additional commands you can use:

For displaying the certificates:

[Cert that you added in] gsk7cmd -cert -list personal -db key.kdb -pw xxxxxxx
[All Cert in the DB] gsk7cmd -cert -list -db key.kdb -pw xxxxxxx
[To show cert details] gsk7cmd -cert -details -db key.kdb -pw xxxxxxx -label ibmwebspheremqqmgrname
[Extract cert from DB] gsk7cmd -cert -extract -db key.kdb -pw xxxxxxx -label ibmwebspheremqqmgrname -target Cert.txt -format ascii
[To check cert validity] gsk7cmd -cert -list all -expiry 720 -db key.kdb -pw xxxxxxx

To import a certificate:

[Import] gsk7cmd -cert -import -file ibmwebspheremq_qmgr.p12 -pw xxxxxxx -type pkcs12 -target key.kdb -target_pw yyyyyyy -target_type cms -label ibmwebspheremqqmgrname
[Import with label change] gsk7cmd -cert -import -file ibmwebspheremq_pqmgr.p12 -pw xxxxxxx -type pkcs12 -target key.kdb -target_pw yyyyyyy -target_type cms -label SSLcert_MQ6 -new_label ibmwebspheremqqmgrname

To export a certificate:

[Export to file] gsk7cmd -cert -export -db key.kdb -pw xxxxxxx -label SSLcert_MQ6 -type cms -target ibmwebspheremqqmgrname -target_pw xxxxxxx -target_type pkcs12

To delete a certificate:

[Delete from db] gsk7cmd -cert -delete -db key.kdb -pw xxxxxxx -label ibmwebspheremqqmgrname

References for this installation:
http://www.ibm.com/developerworks/websphere/library/techarticles/0611_yue/0611_yue.html
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/sy12350_.htm
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy12340_.htm
http://www-1.ibm.com/support/docview.wss?uid=swg21113368
http://middleware.its.state.nc.us/middleware/Documentation/en_US/htm/csqzas00/csqzas001x.htm
http://hursleyonwmq.wordpress.com/tag/webspheremq/
http://hursleyonwmq.wordpress.com/2007/02/16/do-you-have-to-specify-an-ssl-certificate-label/
