test

Sun Java System Message Queue 4.3 Administration Guide

ProcedureTo Generate a Self-Signed Certificate

Run the Key Tool utility (imqkeytool) to generate a self-signed certificate for the broker. (On Solaris and Linux operating systems, you may need to run the utility as the root user in order to have permission to create the keystore file.) The same certificate can be used for all SSL-based connection services (ssljms, ssladmin, cluster connection services, and the ssljmxrmi connector).

  1. Enter the following at the command prompt:

    imqkeytool -broker

    The Key Tool utility prompts you for a key store password:

  2. At the prompt type a keystore password.

    The Keystore utility prompts you for identifying information from which to construct an X.500 distinguished name. The following table shows the prompts and the values to be provided for each. Values are case-insensitive and can include spaces.

    Prompt 

    X.500 Attribute 

    Description 

    Example 

    What is your first and last name?

    commonName (CN)

    Fully qualified name of server running the broker 

    mqserver.sun.com

    What is the name of your organizational unit?

    organizationalUnit (OU)

    Name of department or division 

    purchasing

    What is the name of your organization?

    organizationName (ON)

    Name of larger organization, such as a company or government entity 

    Acme Widgets, Inc.

    What is the name of your city or locality?

    localityName (L)

    Name of city or locality 

    San Francisco

    What is the name of your state or province?

    stateName (ST)

    Full (unabbreviated) name of state or province 

    California

    What is the two-letter country code for this unit?

    country (C)

    Standard two-letter country code 

    US

    The Key Tool utility displays the information you entered for confirmation. For example, 

       Is CN=mqserver.sun.com, OU=purchasing, ON=Acme Widgets, Inc.,
   L=San Francisco, ST=California, C=US correct?

  3. Accept the current values and proceed by typing yes.

    To reenter values, accept the default or enter no. After you confirm, the utility pauses while it generates a key pair.

    The utility asks for a password to lock the key pair (key password).

  4. Press return.

    This will set the same password for both the key password and the keystore password.

    Caution – Caution –

    Be sure to remember the password you specify. You must provide this password when you start the broker, to allow the broker to open the keystore file. You can store the keystore password in a password file (see Password Files).

    The Key Tool utility generates a self-signed certificate and places it in Message Queue’s keystore file. The keystore file is located in a directory whose location depends upon the operating system platform, as shown in Appendix A, Platform-Specific Locations of Message Queue Data.

    The following are the configurable properties for the Message Queue keystore for SSL-based connection services:

    imq.keystore.file.dirpath

    Path to directory containing keystore file (see Appendix A, Platform-Specific Locations of Message Queue Data for default value)

    imq.keystore.file.name

    Name of key store file

    imq.keystore.password

    Ke store password (to be used only in a password file)

    In some circumstances, you may need to regenerate a key pair in order to solve certain problems: for example, if you forget the key store password or if the SSL-based service fails to initialize when you start a broker and you get the exception: 

       java.security.UnrecoverableKeyException: Cannot recover key

    (This exception may result if you provided a key password different from the keystore password when you generated the self-signed certificate.)