Configuring Java CAPS for SSL Support

Using SSL With the WebSphere MQ Adapter

Perform the following tasks:

Creating a Certification Authority

The following steps describe how to create a Certification Authority (CA) using the command-line utilities supplied with WebSphere MQ.

Procedure: To Create a Certification Authority

  1. Create a key repository for the CA.

  2. Create a directory and, in that directory, create a key repository file by entering the commands shown below:


    C:\> mkdir \myCAdir
    C:\> cd \myCAdir
    C:\myCAdir> runmqckm -keydb -create -db myCA.kdb -type cms

    When prompted to create a password, type the password you want to use for the CA’s key repository.

  3. Create a self-signed CA certificate, which will be used to identify your CA:


    C:\myCAdir> runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=myCAName,O=myOrganisation,OU=myDepartment,L=myLocation,C=IN" -expire 1000 -size 1024

  4. Extract the CA certificate into a file called myCAcertfile.cer, which you will later transfer to the key repositories of the queue manager and the client application:


    C:\myCAdir> runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii

Procedure: To Issue a Certificate to a Queue Manager

Each queue manager in your infrastructure should have its own certificate, with an appropriate Distinguished Name (DN). The DN should be unique within the WebSphere MQ network.

  1. Create the queue manager’s key repository directory and change to it:


    C:\myCAdir> mkdir \REPOS
    C:\myCAdir> cd \REPOS
  2. Issue the following command to create a key database for the queue manager:


    C:\REPOS> runmqckm -keydb -create -db myqmgr.kdb -type cms -stash

    When prompted to create a password, type the password you want to use for the queue manager’s key repository.

    The -stash option is important, as it causes a stash file to be created. This file is called myqmgr.sth. It allows the queue manager to open the key repository without requesting a password from the user.

  3. Generate a certificate request file for the queue manager, along with a private key:


    C:\REPOS> runmqckm -certreq -create -db myqmgr.kdb -type cms -dn "CN=QMNAME,O=SUN,OU=BI,L=BLR,C=IN" -label "ibmwebspheremqmyqmgr" -file myqmgr.req

    The label (as specified with the -label parameter) must be of the form ibmwebspheremqmyqmgr, all in lower case. This is important, as otherwise the queue manager will fail to find the certificate.

  4. Transfer the certificate request file, myqmgr.req, to the directory where the CA files are located, then change to that directory:


    C:\REPOS> copy myqmgr.req \myCAdir
    C:\REPOS> cd \myCAdir
  5. Sign the queue manager’s certificate by running the following command:


    C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file myqmgr.req -target myqmgr.cer

    When prompted for the password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.

  6. Transfer the signed certificate (myqmgr.cer) and the public certificate of the CA (myCAcertfile.cer) back to C:\REPOS:


    C:\myCAdir> copy myqmgr.cer \REPOS
    C:\myCAdir> copy myCAcertfile.cer \REPOS
    C:\myCAdir> cd \REPOS
  7. Add the public certificate of the CA to the key repository of the queue manager:


    C:\REPOS> runmqckm -cert -add -db myqmgr.kdb -type cms -file myCAcertfile.cer -label "theCAcert"

    When prompted for a password, supply the queue manager key repository’s password.

  8. Receive the certificate (now signed by the CA) into the queue manager’s key repository:


    C:\REPOS> runmqckm -cert -receive -db myqmgr.kdb -type cms -file myqmgr.cer

    When prompted for a password, supply the queue manager key repository’s password. Refer to step 1 (above).

Procedure: To Issue a Certificate to Java CAPS

  1. Create a certificate request in the application server domain’s default keystore, keystore.jks:


    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -certreq -create -db keystore.jks -type jks -dn "CN=Client Identifier,O=SUN,OU=BI,L=BLR,C=IN" -label "ibmwebspheremqmyuserid" -file myappj.req

    When prompted for a password, type the application server’s default keystore password, changeit. The certificate label used here is ibmwebspheremqmyuserid.

  2. Transfer the certificate request file (myappj.req) to the directory where the CA files are located, then change to this directory:


    <JavaCAPS>\appserver\domains\<domain_name>\config> copy myappj.req C:\myCAdir
    <JavaCAPS>\appserver\domains\<domain_name>\config> cd C:\myCAdir
  3. Sign the application’s certificate by running the following:


    C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file myappj.req -target myappj.cer

    When prompted for a password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.

  4. Transfer the signed certificate (myappj.cer) and the public certificate of the CA (myCAcertfile.cer) back to C:\MYAPPJ:


    C:\myCAdir> copy myappj.cer <JavaCAPS>\appserver\domains\<domain_name>\config\
    C:\myCAdir> copy myCAcertfile.cer <JavaCAPS>\appserver\domains\<domain_name>\config
    C:\myCAdir> cd <JavaCAPS>\appserver\domains\<domain_name>\config
  5. Add the CA certificate to the Java CAPS keystore.


    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add -db keystore.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"

    When prompted for a password, supply the Java CAPS keystore password, changeit.

  6. Receive the certificate (now signed by the CA) into the Java CAPS keystore:


    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -receive -db keystore.jks -type jks -file myappj.cer

    When prompted for a password, supply the Java CAPS keystore password, changeit.

  7. Add the CA certificate to the truststore, cacerts.jks:


    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add -db cacerts.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"
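A practitioner who has worked through the queue manager and Java CAPS procedures above usually wants to confirm the end state before enabling SSL on the channel: that the signed certificate really chains to the CA, that neither certificate has expired, that the label follows the ibmwebspheremq<name> lower-case convention the text insists on, and that the Java CAPS entry is a private-key entry (a request that was received) rather than a plain trusted certificate. The following Java program is an added example written for this page; it is not part of the Java CAPS documentation, nor IBM or Oracle code. It has two modes: pem checks a signed certificate file (myqmgr.cer or myappj.cer, as produced by -format ascii) against myCAcertfile.cer before the receive step, and jks checks keystore.jks against cacerts.jks after step 7. The environment variable name MQ_CHECK_PW is an assumption of this example, as is the assumption that keystore.jks and cacerts.jks share the same password (the page gives changeit for keystore.jks, which is used as the default here). The CMS .kdb files of the queue manager cannot be opened with the Java KeyStore API, which is why the pem mode exists.

```java
// CheckMqSslChain.java -- added example for this page, not Java CAPS, IBM or Oracle code.
//   java CheckMqSslChain pem myCAcertfile.cer myqmgr.cer ibmwebspheremqmyqmgr
//   java CheckMqSslChain jks keystore.jks cacerts.jks ibmwebspheremqmyuserid
// Keystore password comes from the MQ_CHECK_PW variable (assumed name), default "changeit".
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class CheckMqSslChain {

    // WebSphere MQ locates the certificate by label: "ibmwebspheremq" followed by the
    // queue manager name or user ID, all in lower case, exactly as the procedures require.
    static boolean labelIsValid(String label) {
        return label != null
            && label.startsWith("ibmwebspheremq")
            && label.length() > "ibmwebspheremq".length()
            && label.equals(label.toLowerCase());
    }

    // Checks that the CA certificate is self-signed, that the leaf was signed by the CA's key,
    // that the leaf's issuer DN names the CA, and that both are valid today.
    static void verifyPair(X509Certificate ca, X509Certificate leaf) throws Exception {
        Date now = new Date();
        ca.checkValidity(now);
        leaf.checkValidity(now);
        ca.verify(ca.getPublicKey());   // throws if myCAcertfile.cer is not self-signed
        leaf.verify(ca.getPublicKey()); // throws if the leaf was signed by some other key
        if (!leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            throw new Exception("issuer DN " + leaf.getIssuerX500Principal()
                + " does not match CA subject DN " + ca.getSubjectX500Principal());
        }
    }

    // Reads one certificate from a -format ascii (PEM) file such as myqmgr.cer.
    static X509Certificate readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static KeyStore loadJks(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: pem <caCert> <signedCert> <label> | jks <keystore> <truststore> <label>");
            System.exit(2);
        }
        String label = args[3];
        if (!labelIsValid(label)) {
            throw new Exception("label '" + label + "' is not of the form ibmwebspheremq<name> in lower case");
        }
        if (args[0].equals("pem")) {
            verifyPair(readPem(args[1]), readPem(args[2]));
        } else {
            String pwEnv = System.getenv("MQ_CHECK_PW");
            char[] pw = (pwEnv == null ? "changeit" : pwEnv).toCharArray();
            KeyStore ks = loadJks(args[1], pw);
            KeyStore ts = loadJks(args[2], pw);
            // -certreq -create followed by -cert -receive must leave a private-key entry under the label;
            // a trusted-certificate entry means the signed certificate was added with -cert -add by mistake.
            if (!ks.isKeyEntry(label)) {
                throw new Exception("alias '" + label + "' is not a private-key entry in " + args[1]);
            }
            Certificate[] chain = ks.getCertificateChain(label);
            X509Certificate leaf = (X509Certificate) chain[0];
            // Find the issuing CA among the trusted entries of cacerts.jks (added in step 7).
            X509Certificate ca = null;
            for (String alias : Collections.list(ts.aliases())) {
                Certificate c = ts.getCertificate(alias);
                if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                    ca = (X509Certificate) c;
                    break;
                }
            }
            if (ca == null) {
                throw new Exception("issuer of '" + label + "' is not present in truststore " + args[2]);
            }
            verifyPair(ca, leaf);
        }
        System.out.println("OK: " + label + " chains to its CA and both certificates are within their validity period");
    }
}
```

Run the pem mode from C:\myCAdir right after signing (step 5 of the queue manager procedure or step 3 of the Java CAPS procedure), and the jks mode from the domain config directory after step 7. Any failure surfaces as an exception naming the mismatched DN, the expired certificate, or the missing entry, which is far easier to act on than the generic handshake error a channel start would produce.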