I have set this up for MQ communication with some external party.
In brief, the steps are as follows:
1) Create a key store (key.kdb is the default name)
# gsk7cmd -keydb -create -db
i.e.
# gsk7cmd -keydb -create -db /var/mqm/qmgrs/
** Important: stash the password, otherwise MQ will not know what password to use. The password is stashed to key.sth.
2) Generate a certificate request (CSR)
# gsk7cmd -certreq -create -db
^^ dn --> distinguished name: an X.500 distinguished name enclosed in double quotes.
Note that only the CN attribute is required.
You can supply multiple OU attributes.
*** VERY IMPORTANT
For the MQ server, use ibmwebspheremq'queue manager name' without the quotes. Do not try to learn this the hard way: all lowercase, and follow it exactly.
For MQ clients, use ibmwebspheremq'userid' without the quotes.
i.e.
# gsk7cmd -certreq -create -db key.kdb -pw
3) Send it to the CA to be signed.
4) Add the certificate signed by the CA to MQ6.
# gsk7cmd -cert -receive -file
[ Option -add --> add a CA cert so that the signer is trusted]
[ Option -receive --> receive a cert signed by a CA]
# gsk7cmd -cert -receive -file SSL.cert -db key.kdb -pw
4a) Display the certificate. Check that the Subject and Issuer are different.
# gsk7cmd -cert -list -db
# gsk7cmd -cert -details -db
i.e.
# gsk7cmd -cert -details -db key.kdb -pw
5a) Alter the MQ6 key repository location to /var/mqm/qmgrs/
# runmqsc
# ALTER QMGR SSLKEYR ('
i.e.
# ALTER QMGR SSLKEYR ('/var/mqm/qmgrs/
5b) Refresh the security settings on the MQ server.
# refresh security type(ssl)
6) Configure the MQ6 channels that need SSL.
# runmqsc
# alter chl('
# alter chl('
i.e.
# runmqsc
# alter chl('
# alter chl('
7) Restart the channel for the changes to take effect.
# stop chl('
# start chl('
i.e.
# stop chl('
# start chl('
8) Done.
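Helper functions for the procedure above, as an added example (not code from the original post): deriving the certificate label MQ expects in step 2 and performing the step 4a Subject/Issuer check on "gsk7cmd -cert -details" output. The KEYDB path, the MQ_KEYDB_PW variable and the "Issued By:"/"Subject:" field names are assumptions, so compare the field names with a real listing on your system before relying on the check.

```bash
#!/bin/sh
# Added example (not from the original post). Helpers for the gsk7cmd
# procedure: derive the label MQ looks for, print the step-2 CSR command
# for review, and do the step-4a Subject/Issuer check on
# "gsk7cmd -cert -details" output. KEYDB and MQ_KEYDB_PW are assumed names;
# the "Issued By:" / "Subject:" field names are assumed to match gsk7cmd.
KEYDB="${KEYDB:-/var/mqm/qmgrs/QM1/ssl/key.kdb}"   # assumed location
KEYPW="${MQ_KEYDB_PW:-changeme}"                    # placeholder, set via env

# MQ looks up the certificate by label: "ibmwebspheremq" + queue manager
# name (server) or user id (client), all lower case, exactly as the post warns.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr 'A-Z' 'a-z'
}

# Print (do not run) the step-2 CSR command so label and DN can be checked
# first. $1 = queue manager name, $2 = X.500 DN in the form the CA requires.
certreq_cmd() {
    label=$(mq_cert_label "$1")
    printf 'gsk7cmd -certreq -create -db %s -pw %s -label %s -dn "%s" -file %s.csr\n' \
        "$KEYDB" "$KEYPW" "$label" "$2" "$label"
}

# Step 4a: a CA-signed certificate has a Subject different from its Issuer.
# Equal values mean a self-signed (or wrong) certificate is still in place.
# Reads "gsk7cmd -cert -details" output from stdin; returns 0 when CA-signed.
cert_is_ca_signed() {
    details=$(cat)
    subject=$(printf '%s\n' "$details" | sed -n 's/^Subject:[[:space:]]*//p' | head -n 1)
    issuer=$(printf '%s\n' "$details" | sed -n 's/^Issued By:[[:space:]]*//p' | head -n 1)
    [ -n "$subject" ] && [ -n "$issuer" ] && [ "$subject" != "$issuer" ]
}

# Constructed sample of a details listing (not real gsk7cmd output).
SAMPLE_DETAILS='Label: ibmwebspheremqqm1
Key Size: 2048
Issued By: CN=Example Root CA, O=Example Corp, C=SG
Subject: CN=QM1, OU=MQ, O=Example Corp, C=SG
Valid From: Monday, 1 January 2007 08:00:00 AM'

certreq_cmd QM1 "CN=QM1,OU=MQ,O=Example Corp,C=SG"
if printf '%s\n' "$SAMPLE_DETAILS" | cert_is_ca_signed; then
    echo "OK: Subject differs from Issuer, certificate is CA-signed"
else
    echo "WARNING: Subject equals Issuer, CA-signed certificate not in place"
fi
```

Pipe the real output of `gsk7cmd -cert -details -db key.kdb -pw <password> -label <label>` into `cert_is_ca_signed` to run the check against your own key database.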
Tip:
In order for gsk7cmd to run properly, you will need to set the environment:
# export JAVA_HOME=/opt/mqm/ssl/
# export PATH=$PATH:/bin:/usr/bin
To verify the certificate,
[Cert that you added in] gsk7cmd -cert -list personal -db key.kdb -pw
[All Cert in the DB] gsk7cmd -cert -list -db key.kdb -pw
[To show cert details] gsk7cmd -cert -details -db key.kdb -pw
[Extract cert from DB] gsk7cmd -cert -extract -db key.kdb -pw
[To check cert validity] gsk7cmd -cert -list all -expiry 720 -db key.kdb -pw
To import a certificate,
[Import] gsk7cmd -cert -import -file
[Import with label change] gsk7cmd -cert -import -file
To export a certificate,
[Export to file] gsk7cmd -cert -export -db key.kdb -pw
To delete a certificate,
2 comments:
I'm looking to create an SSL certificate, and the different code has made me more aware of the overall process and what it is actually trying to say and do.
Hi oliver,
What do you mean by the different codes? Do you mean the different type of SSL certificates?
regards,
Victor