Moogsoft Docs

Configuring SSL in Websphere MQ

The steps for SSL configuration on Linux are as follows:

Note

The following commands can also be used at a Windows command prompt.

  1. Set up a key repository by executing the following command:

    runmqckm -keydb -create -db filename -pw password -type cms -stash
    • -db filename: Specifies the fully qualified file name of a CMS key database; the file must have the extension .kdb
    • -pw password: Specifies the password for the CMS key database
    • -type cms: Specifies the type of database (for WebSphere MQ it must be cms)
    • -stash: Saves the key database password to a file

  2. Change the location of the queue manager's key database file by entering the following command:

    ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/MyKey')

    The key database file has the fully qualified file name: /var/mqm/qmgrs/QM1/ssl/MyKey.kdb

    Note

    At a Windows command prompt, enter the following command instead:

    ALTER QMGR SSLKEYR('C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\Mykey')

    The key database file has the fully qualified file name: C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\Mykey.kdb

  3. Create a self-signed personal certificate by entering the following command:

    runmqckm -cert -create -db filename -pw password -label label
            -dn distinguished_name -size key_size -x509version version -expire days -sig_alg algorithm
    • -db filename: The fully qualified file name of a CMS key database, as described in the step above
    • -pw password: The password for the CMS key database
    • -label label: The key label attached to the certificate
    • -dn distinguished_name: The X.500 distinguished name, enclosed in double quotation marks. At least one attribute is required; you can supply multiple OU or DC attributes
    • -size key_size: The key size. Values can be 512 or 1024
    • -x509version version: The version of X.509 certificate to create. The value can be 1, 2, or 3; the default is 3
    • -expire days: The expiration time of the certificate in days. The default is 365 days
    • -sig_alg algorithm: The hashing algorithm used to create the signature on the newly created self-signed certificate. The values can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA
  4. To request a personal certificate, execute the following command:

    runmqckm -certreq -recreate -db filename -pw password -label label
     -target filename
    • -db filename: Specifies the fully qualified file name of a CMS key database
    • -pw password: Specifies the password for the CMS key database
    • -label label: Specifies the key label attached to the certificate
    • -target filename: Specifies the file name for the certificate request

  5. To extract the public part of a self-signed certificate, execute the following command:

    runmqckm -cert -extract -db filename -pw password -label label -target filename
             -format ascii
    • -db filename: Specifies the fully qualified path name of a CMS key database
    • -pw password: Specifies the password for the CMS key database
    • -label label: Specifies the label attached to the certificate
    • -target filename: Specifies the name of the destination file
    • -format ascii: Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii
  6. To add a personal certificate to a key database file, execute the following command:

    runmqckm -cert -receive -file filename -db filename -pw password
            -format ascii
    • -file filename: Specifies the fully qualified file name of the certificate file to receive
    • -db filename: Specifies the fully qualified path name of a CMS key database
    • -pw password: Specifies the password for the CMS key database
    • -format ascii: Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii
  7. To export a personal certificate, execute the following command:

    runmqckm -cert -export -db filename -pw password -label label -type cms
            -target filename -target_pw password -target_type pkcs12
    • -db filename: Specifies the fully qualified path name of the CMS key database
    • -pw password: Specifies the password for the CMS key database
    • -label label: Specifies the label attached to the certificate
    • -type cms: The type of the database, i.e. cms (Certificate Management System)
    • -target filename: Specifies the fully qualified path name of the destination file
    • -target_pw password: Specifies the password for encrypting the exported certificate
    • -target_type pkcs12: The type of the destination file, i.e. pkcs12

  8. To import a personal certificate, execute the following command:

    runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename
    -target_pw password -target_type cms -label label
    • -file filename: Specifies the fully qualified file name of the file containing the PKCS #12 certificate
    • -pw password: Specifies the password for the PKCS #12 file
    • -type pkcs12: The type of the source file, i.e. pkcs12
    • -target filename: Specifies the fully qualified file name of the destination CMS key database
    • -target_pw password: Specifies the password for the CMS key database
    • -target_type cms: The type of the database specified by -target, i.e. cms
    • -label label: Specifies the label of the certificate to import from the source file
    • -new_label label: Specifies the label that the certificate is assigned in the target database. If you omit -new_label, the certificate keeps the label given by -label
  9. To enable channel authentication for a channel, enter the following commands:

    ./runmqsc qm1
    SET CHLAUTH(CHAN2) TYPE(ADDRESSMAP) ADDRESS('IP-address') MCAUSER('userid')
    • CHLAUTH: The name of the already created channel for which authentication is to be enabled
    • ADDRESS: The IP address of the client that will connect to WebSphere MQ
    • MCAUSER: The user name under which the client connects to WebSphere MQ

SSL is now configured for WebSphere MQ using the Linux CLI.
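The helper below is an added example, not part of the Moogsoft page: it assembles the commands of CLI steps 1, 2 and 9 above and checks the constraints the page states (the .kdb extension, the SSLKEYR value without its suffix, an IP address in the ADDRESSMAP rule) before printing them. The key database path, password, channel name, client IP and MCAUSER are constructed sample values, and refusing to map clients to the mqm administrative account is an added check, not a page requirement.

```shell
#!/bin/sh
# Added example, not from the Moogsoft page: builds the commands of CLI steps 1, 2
# and 9 above and checks the constraints the page states before printing them.
# KDB, the password, channel, IP and user below are constructed sample values; the
# commands are printed, not executed, so review them before feeding them to runmqsc.

# Step 1: the key repository is a CMS database and its file name must end in .kdb.
keydb_create_cmd() {             # $1 = .kdb path, $2 = password
    case "$1" in
        *.kdb) printf 'runmqckm -keydb -create -db %s -pw %s -type cms -stash\n' "$1" "$2" ;;
        *)     echo "error: key database must have a .kdb extension: $1" >&2; return 1 ;;
    esac
}

# Step 2: SSLKEYR takes the key database path WITHOUT the .kdb suffix
# (the page sets SSLKEYR('/var/mqm/qmgrs/QM1/ssl/MyKey') for MyKey.kdb).
sslkeyr_stem() {                 # $1 = .kdb path
    case "$1" in
        *.kdb) printf '%s\n' "${1%.kdb}" ;;
        *)     echo "error: not a .kdb path: $1" >&2; return 1 ;;
    esac
}

alter_qmgr_mqsc() {              # $1 = .kdb path
    stem=$(sslkeyr_stem "$1") || return 1
    printf "ALTER QMGR SSLKEYR('%s')\n" "$stem"
}

# Step 9: ADDRESSMAP rule. ADDRESS must be a dotted-quad IPv4 address, and the
# MCAUSER it maps to must not be mqm, the MQ administrative account (added check).
chlauth_mqsc() {                 # $1 = channel, $2 = client IP, $3 = MCAUSER
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "error: ADDRESS must be an IPv4 address: $2" >&2; return 1; }
    [ "$3" != mqm ] || { echo "error: refusing to map clients to mqm" >&2; return 1; }
    printf "SET CHLAUTH(%s) TYPE(ADDRESSMAP) ADDRESS('%s') MCAUSER('%s')\n" "$1" "$2" "$3"
}

# The MQSC lines that steps 2 and 9 feed to "runmqsc <queue manager>".
mqsc_script() {                  # $1 = .kdb path, $2 = channel, $3 = IP, $4 = MCAUSER
    alter_qmgr_mqsc "$1" && chlauth_mqsc "$2" "$3" "$4"
}

KDB=/var/mqm/qmgrs/QM1/ssl/MyKey.kdb    # constructed sample path from the page's example
keydb_create_cmd "$KDB" 'changeit'
echo "--- MQSC to pipe into: runmqsc QM1 ---"
mqsc_script "$KDB" CHAN2 192.0.2.10 mqclient
```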

SSL configuration of WebSphere MQ on Windows (Optional)

  1. Expand the queue manager created in the above procedure and select Channels.
  2. In the right panel double click on the channel, E.g. Serverchannel1 created in the above procedure.
  3. The Channel properties dialog opens. Click SSL in the right panel of the Server-connection Channel.

  4. Select TLS_RSA_WITH_3DES_EDE_CBC_SHA in the SSL Cipher Spec field in the left panel of the channel properties.
  5. Select Required in SSL Authentication, then enter the queue manager name in Certificate label, e.g. QueueManager1, and click OK.
  6. Expand Channels and then select Client Connections.
  7. Go to the right panel and double-click the channel, e.g. Clientchannel1 created in the above procedure.

    The Channel properties dialog opens.
  8. Click SSL in the right panel of the Client-connection Channel.
  9. Select TLS_RSA_WITH_3DES_EDE_CBC_SHA in the SSL Cipher Spec field in the left panel of the channel properties.
  10. Enter the queue manager name in Certificate label, e.g. QueueManager1, and click OK.
  11. Navigate to Channel Authentication Record in Channels.
  12. Go to the right panel and click the channel authentication record with type set to Block User Type, then delete it by selecting Delete in the context menu.
  13. Select Channel Authentication Record in Channels. Right-click and navigate to New, then select Channel Authentication Record.
  14. In the Create a Channel Authentication Record view of the New Channel Authentication Record dialog, select the option Allow Access and click Next.
  15. In the Match part of the identity view of the New Channel Authentication Record dialog, select the option Client application user ID and click Next.
  16. In the Matching the channels view of the New Channel Authentication Record dialog, enter the channel profile name, the same as the server connection channel, e.g. Serverchannel1, and click Show matching channels.
  17. The channel is displayed in the section below. After the channel name is displayed, click Next.
  18. In the Matching a remote client user ID view of the New Channel Authentication Record dialog, enter the user name of the client OS that will access the channel, then enter the IP address of the client in the IP address or hostname pattern field.

  19. In the Authorization user ID view of the New Channel Authentication Record dialog, select the option Channel's user ID, then click Next.

  20. In the Authentication view of the New Channel Authentication Record dialog, select the option As queue manager, then click Next.
  21. In the Optional attributes view of the New Channel Authentication Record dialog, click Next.
  22. In the Summary view of the New Channel Authentication Record dialog, click Finish.
  23. Select and right-click IBM WebSphere MQ, then select Manage SSL Certificates.

    The IBM Key Management dialog opens.

  24. Click on the Key Database File menu, then select New. The New dialog opens.
  25. Enter the name of the database file containing keys in the File Name field. E.g. Key.kdb


  26. Enter the password in the Password field, then re-enter the password in the Confirm Password field.
  27. Select the check box Expiration time and Stash password to a file .

  28. Enter the number of days before the password expires E.g. 365, then click OK.

  29. Click on Create, then click on New Self-Signed Certificate.

  30. Enter Key label E.g. QM1, then enter Common Name E.g. Localhost and click OK.

  31. Click on Extract Certificate. The New dialog opens.

  32. Select Base64-encoded ASCII data in the Data type dropdown if not already selected, then enter the Certificate file name and click OK.

  33. Click on the Key Database File menu , then select New. The New dialog opens.

  34. Select JKS in the Key database type dropdown, then enter the name of the file in File Name field and click OK .

  35. Enter the password in the Password field, then re-enter the password in the Confirm Password field.

  36. Select Signer Certificates in the drop down in the Key database content section and click Add .

  37. Browse for the extracted certificate created in the above step and select it. The File Name and Location will be filled automatically, then click OK .

  38. Enter the Label name and click OK. The signer certificate is displayed in the Key database content section.

  39. Close IBM Key Management, then navigate to the created queue manager E.g. QueueManager1.
  40. Right click on QueueManager1 and select Properties from the context menu.
  41. Click on SSL in the left panel of the Properties dialog.

  42. Enter the path where the certificates were generated, e.g. /var/mqm/qmgrs/QM1/ssl, in the SSL key repository field.

  43. Select Optional in the OCSP authentication field, then enter the label that was used during certificate creation, e.g. QM1, in the Certificate label field.

  44. Right click on QueueManager1, navigate to Securities, then select Refresh SSL from the context menu.

SSL is now configured for the queue and topic in WebSphere MQ.