Sun Java System Message Queue 4.3 Administration Guide

Step 1 (HTTPS Only): Generating a Self-Signed Certificate for the Tunnel Servlet

Message Queue’s SSL support is oriented toward securing on-the-wire data, on the assumption that the client is communicating with a known and trusted server. Therefore, SSL is implemented using only self-signed server certificates. Before establishing an HTTPS connection, you must obtain such a certificate. (This step is not needed for ordinary, non-secure HTTP connections.)

Run the Message Queue Key Tool utility (imqkeytool) to generate a self-signed certificate for the tunnel servlet. (On UNIX systems, you may need to run the utility as the root user in order to have permission to create the key store.) Enter the following at the command prompt:

   imqkeytool  -servlet keyStoreLocation

where keyStoreLocation is the location of Message Queue’s key store file.

The Key Tool utility prompts you for a key store password:

   Enter keystore password:

After you have entered a valid password, the utility prompts you for identifying information from which to construct an X.500 distinguished name. Table C–1 shows the prompts and the values to be provided for each prompt. Values are case-insensitive and can include spaces.

Table C–1 Distinguished Name Information Required for a Self-Signed Certificate


X.500 Attribute 



What is your first and last name?

commonName (CN)

Fully qualified name of server running the broker

What is the name of your organizational unit?

organizationalUnit (OU)

Name of department or division 


What is the name of your organization?

organizationName (ON)

Name of larger organization, such as a company or government entity 

Acme Widgets, Inc.

What is the name of your city or locality?

localityName (L)

Name of city or locality 

San Francisco

What is the name of your state or province?

stateName (ST)

Full (unabbreviated) name of state or province 


What is the two-letter country code for this unit?

country (C)

Standard two-letter country code 


When you have entered the information, the Key Tool utility displays it for confirmation: for example,

   Is, OU=purchasing, ON=Acme Widgets, Inc.,
   L=San Francisco, ST=California, C=US correct?

To accept the current values and proceed, enter yes; to reenter values, accept the default or enter no. After you confirm, the utility pauses while it generates a key pair.

Next, the utility asks for a password to lock the key pair (key password). Press Return in response to this prompt to use the same password for both the key password and the key store password.

Caution – Caution –

Be sure to remember the password you specify. You must provide this password later to the tunnel servlet so it can open the key store.

The Key Tool utility generates a self-signed certificate and places it in Message Queue’s key store file at the location you specified for the keyStoreLocation argument.

Caution – Caution –

The HTTPS tunnel servlet must be able to see the key store. Be sure to move or copy the generated key store from the location specified by keyStoreLocation to one accessible to the tunnel servlet (see Step 4 (HTTP and HTTPS): Deploying the Tunnel Servlet).