Sun Java System Message Queue 4.1 Administration Guide

Generating a Self-Signed Certificate

Run the Key Tool utility (imqkeytool) to generate a self-signed certificate for the broker. (On UNIX systems, you may need to run the utility as the root user in order to have permission to create the key store.) The same certificate can be used for the ssljms, ssladmin, or cluster connection service.

Enter the following at the command prompt:

   imqkeytool  -broker

The Key Tool utility prompts you for a key store password:

   Generating keystore for the broker ...
   Enter keystore password:

Next, the utility prompts you for identifying information from which to construct an X.500 distinguished name. Table 9–6 shows the prompts and the values to be provided for each. Values are case-insensitive and can include spaces.

Table 9–6 Distinguished Name Information Required for a Self-Signed Certificate

   Prompt                                              X.500 Attribute          Description                                                          Example
   --------------------------------------------------  -----------------------  -------------------------------------------------------------------  ------------------
   What is your first and last name?                   commonName (CN)          Fully qualified name of server running the broker                    mqserver.sun.com
   What is the name of your organizational unit?       organizationalUnit (OU)  Name of department or division                                       purchasing
   What is the name of your organization?              organizationName (ON)    Name of larger organization, such as a company or government entity  Acme Widgets, Inc.
   What is the name of your city or locality?          localityName (L)         Name of city or locality                                             San Francisco
   What is the name of your state or province?         stateName (ST)           Full (unabbreviated) name of state or province                       California
   What is the two-letter country code for this unit?  country (C)              Standard two-letter country code                                     US

When you have entered the information, the Key Tool utility displays it for confirmation: for example,

   Is CN=mqserver.sun.com, OU=purchasing, ON=Acme Widgets, Inc.,
   L=San Francisco, ST=California, C=US correct?

To accept the current values and proceed, enter yes; to reenter values, accept the default or enter no. After you confirm, the utility pauses while it generates a key pair.

Next, the utility asks for a password to lock the key pair (key password). Press Return in response to this prompt to use the same password for both the key password and the key store password.


Caution –

Be sure to remember the password you specify. You must provide this password when you start the broker, to allow the broker to open the key store. You can store the key store password in a password file (see Password Files).


The Key Tool utility generates a self-signed certificate and places it in Message Queue’s key store. The key store is located in a directory whose location depends upon the operating system platform, as shown in Appendix A, Platform-Specific Locations of Message Queue Data.

The following are the configurable properties for the Message Queue key store for SSL-based connection services:

   imq.keystore.file.dirpath   Path to directory containing key store file (see Appendix A, Platform-Specific Locations of Message Queue Data for default value)
   imq.keystore.file.name      Name of key store file
   imq.keystore.password       Key store password

In some circumstances, you may need to regenerate a key pair in order to solve certain problems: for example, if you forget the key store password or if the SSL-based service fails to initialize when you start a broker and you get the exception

   java.security.UnrecoverableKeyException: Cannot recover key

(This exception may result if you provided a key password different from the key store password when you generated the self-signed certificate.)

To Regenerate a Key Pair

  1. Remove the broker’s key store, located as shown in Appendix A, Platform-Specific Locations of Message Queue Data.

  2. Run imqkeytool again to generate a new key pair, as described above.
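Before removing and regenerating a key store, you can confirm whether it is actually affected by the key-password mismatch described above. The following Java program is an added diagnostic, not part of Message Queue or this guide: it loads the broker's key store with the key store password and tries to recover each private key with that same password, which mirrors what the broker does when it opens the key store at startup, so a mismatch shows up as the Cannot recover key condition before you start the broker. It assumes the key store is a JKS file (the Java default when imqkeytool was written) and takes the key store path and password as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic, not part of Message Queue. Assumes the broker key store is
// a JKS file; the path and key store password come from the command line rather
// than from the broker's imq.keystore.* properties or a password file.
public class CheckBrokerKeystore {

    // Returns the number of key entries the broker would fail to open.
    static int checkKeyStore(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);          // a wrong key store password fails here
        }
        int failures = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                    // trusted-certificate entries carry no private key
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("key entry '" + alias + "': " + cert.getSubjectX500Principal());
            try {
                cert.checkValidity();        // flags an expired or not-yet-valid certificate
            } catch (CertificateException ce) {
                System.out.println("  WARNING: certificate not currently valid: " + ce.getMessage());
            }
            try {
                // Same recovery the broker performs with the key store password at startup.
                ks.getKey(alias, storePass);
                System.out.println("  key password matches key store password");
            } catch (UnrecoverableKeyException uke) {
                failures++;
                System.out.println("  Cannot recover key: the key password differs from the"
                        + " key store password; remove the key store and rerun imqkeytool -broker");
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CheckBrokerKeystore <keystore-file> <keystore-password>");
            System.exit(2);
        }
        System.exit(checkKeyStore(args[0], args[1].toCharArray()) == 0 ? 0 : 1);
    }
}
```

Run it against the key store location given in Appendix A; a non-zero exit status means at least one key entry cannot be opened with the key store password and the regeneration procedure above applies.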