Sunday, September 20, 2009

How to set up an SSL certificate for MQ6

I have set this up for MQ communication with an external party.

In brief, the steps are as follows:

1) Create a key database (key.kdb is the default name)

# gsk7cmd -keydb -create -db /key.kdb -pw -type -expire -stash

i.e.

# gsk7cmd -keydb -create -db /var/mqm/qmgrs//ssl/key.kdb -pw -type cms -expire 370 -stash

** Important: stash the password, otherwise MQ will not know which password to use. The password is stashed in key.sth, next to key.kdb.

2) Generate a certificate signing request (CSR)

# gsk7cmd -certreq -create -db -pw -label -dn "" -size -file

^^ dn --> distinguished name: an X.500 distinguished name, enclosed in double quotes.

Note that only the CN attribute is required.

You can supply multiple OU attributes.

*** VERY IMPORTANT

For an MQ server, the label must be ibmwebspheremq followed by the queue manager name, e.g. ibmwebspheremq'queue manager name' without the quotes. All lower case, and follow this exactly. Do not try to learn this the hard way.


For MQ clients, the label must be ibmwebspheremq followed by the user id, e.g. ibmwebspheremq'userid' without the quotes.

i.e.

# gsk7cmd -certreq -create -db key.kdb -pw -label ibmwebspheremq -dn "CN=NAME,OU=For Internal Use,O=My Company,C=SG" -size 1024 -file _FILE>

3) Send the CSR to the CA to sign.

4) Add the certificate signed by the CA to MQ6.

# gsk7cmd -cert -receive -file -db -pw -format ascii


[ Option -add --> add a CA cert so that the signer is trusted]

[ Option -receive --> receive a cert signed by a CA]

# gsk7cmd -cert -receive -file SSL.cert -db key.kdb -pw -format ascii

4a) Display the certificate. Check that the Subject and Issuer are different: if they are the same, the certificate is still the self-signed one and the CA-signed certificate was not received into the key database.

# gsk7cmd -cert -list -db /key.kdb -pw

# gsk7cmd -cert -details -db /key.kdb -pw -label

i.e.

# gsk7cmd -cert -details -db key.kdb -pw -label ibmwebspheremq

5a) Alter the MQ6 key repository location to /var/mqm/qmgrs//ssl/. Note that SSLKEYR takes the path of the key database without the .kdb suffix; MQ appends .kdb itself and reads the stashed password from the matching .sth file.

# runmqsc

# ALTER QMGR SSLKEYR ('/ssl/')

i.e.

# ALTER QMGR SSLKEYR ('/var/mqm/qmgrs//ssl/')

5b) Refresh the security settings on the MQ server.

# refresh security type(ssl)

6) Configure the MQ6 channels that need SSL. Both ends of the channel must be given the same cipher spec.

# runmqsc

# alter chl('') chltyp(sdr) sslciph('')

# alter chl('') chltyp(rcvr) sslciph('')

i.e.

# runmqsc

# alter chl('') chltyp(sdr) sslciph(TLS_RSA_WITH_AES_128_CBC_SHA)

# alter chl('') chltyp(rcvr) sslciph(TLS_RSA_WITH_AES_128_CBC_SHA)

7) Restart the channel for the changes to take effect.

# stop chl('')

# start chl('')


8) Done.
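Added pre-flight checks for the procedure above (an example script, not part of the original post): it derives the label MQ expects from the queue manager name, derives the SSLKEYR value from the key database path, confirms the stash file exists beside key.kdb, and checks that a certificate's Subject and Issuer differ. The "Subject:" and "Issuer:" field names in the gsk7cmd -cert -details output are assumed, and gsk7cmd itself is not invoked.

```shell
#!/bin/sh
# Example pre-flight checks for the MQ6 SSL setup; not from the original post.

# Step 2: MQ looks for the certificate labelled "ibmwebspheremq" followed by
# the queue manager name, folded to lower case.
mq_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Step 5a: ALTER QMGR SSLKEYR takes the key database path without ".kdb".
sslkeyr_value() {
    printf '%s\n' "${1%.kdb}"
}

# Step 1: MQ reads the stashed password from key.sth next to key.kdb;
# returns non-zero if either file is missing.
stash_ok() {
    db="$1"
    [ -f "$db" ] && [ -f "${db%.kdb}.sth" ]
}

# Step 4a: given the text of "gsk7cmd -cert -details", succeed only when the
# Subject and Issuer lines are both present and differ (a self-signed
# certificate has identical Subject and Issuer). Field names are assumed.
signed_by_ca() {
    subj=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1)
    iss=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Issuer:[[:space:]]*//p' | head -n 1)
    [ -n "$subj" ] && [ -n "$iss" ] && [ "$subj" != "$iss" ]
}
```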

Tip:

In order for gsk7cmd to run properly, you will need to set the environment:

# export JAVA_HOME=/opt/mqm/ssl/

# export PATH=$PATH:/bin:/usr/bin

To verify the certificate:

[Cert that you added in] gsk7cmd -cert -list personal -db key.kdb -pw

[All Cert in the DB] gsk7cmd -cert -list -db key.kdb -pw

[To show cert details] gsk7cmd -cert -details -db key.kdb -pw -label ibmwebspheremq

[Extract cert from DB] gsk7cmd -cert -extract -db key.kdb -pw -label ibmwebspheremq -target Cert.txt -format ascii

[To check cert validity] gsk7cmd -cert -list all -expiry 720 -db key.kdb -pw

To import a certificate:

[Import] gsk7cmd -cert -import -file .p12 -pw -type pkcs12 -target key.kdb -target_pw -target_type cms -label ibmwebspheremq

[Import with label change] gsk7cmd -cert -import -file .p12 -pw -type pkcs12 -target key.kdb -target_pw -target_type cms -label -new_label ibmwebspheremq

To export a certificate:

[Export to file] gsk7cmd -cert -export -db key.kdb -pw -label -type cms -target ibmwebspheremq -target_pw -target_type pkcs12

To delete a certificate:

[Delete from db] gsk7cmd -cert -delete -db key.kdb -pw -label

2 comments:

Anonymous said...

I'm looking to Create SSL Certificate and the different code has made me more aware of the overall process and what it is actually trying to say and do.

Phantom Cloud said...

Hi Oliver,

What do you mean by the different codes? Do you mean the different type of SSL certificates?

regards,
Victor