Step 1 (HTTPS Only): Generating a Self-Signed Certificate for the Tunnel Servlet
Message Queue’s SSL support is oriented toward securing on-the-wire data, on the assumption that the client is communicating with a known and trusted server. Therefore, SSL is implemented using only self-signed server certificates. Before establishing an HTTPS connection, you must obtain such a certificate. (This step is not needed for ordinary, non-secure HTTP connections.)
Run the Message Queue Key Tool utility (imqkeytool) to generate a self-signed certificate for the tunnel servlet. (On UNIX systems, you may need to run the utility as the root user in order to have permission to create the key store.) Enter the following at the command prompt:
imqkeytool -servlet keyStoreLocation
where keyStoreLocation is the location of Message Queue’s key store file.
The Key Tool utility prompts you for a key store password:
Enter keystore password:
After you have entered a valid password, the utility prompts you for identifying information from which to construct an X.500 distinguished name. Table C–1 shows the prompts and the values to be provided for each prompt. Values are case-insensitive and can include spaces.
Table C–1 Distinguished Name Information Required for a Self-Signed Certificate|
Prompt |
X.500 Attribute |
Description |
Example |
|---|---|---|---|
|
What is your first and last name? |
commonName (CN) |
Fully qualified name of server running the broker |
mqserver.sun.com |
|
What is the name of your organizational unit? |
organizationalUnit (OU) |
Name of department or division |
purchasing |
|
What is the name of your organization? |
organizationName (ON) |
Name of larger organization, such as a company or government entity |
Acme Widgets, Inc. |
|
What is the name of your city or locality? |
localityName (L) |
Name of city or locality |
San Francisco |
|
What is the name of your state or province? |
stateName (ST) |
Full (unabbreviated) name of state or province |
California |
|
What is the two-letter country code for this unit? |
country (C) |
Standard two-letter country code |
US |
When you have entered the information, the Key Tool utility displays it for confirmation: for example,
Is CN=mqserver.sun.com, OU=purchasing, ON=Acme Widgets, Inc., L=San Francisco, ST=California, C=US correct?
To accept the current values and proceed, enter yes; to reenter values, accept the default or enter no. After you confirm, the utility pauses while it generates a key pair.
Next, the utility asks for a password to lock the key pair (key password). Press Return in response to this prompt to use the same password for both the key password and the key store password.
Caution – Be sure to remember the password you specify. You must provide this password later to the tunnel servlet so it can open the key store.
The Key Tool utility generates a self-signed certificate and places it in Message Queue’s key store file at the location you specified for the keyStoreLocation argument.
Caution – The HTTPS tunnel servlet must be able to see the key store. Be sure to move or copy the generated key store from the location specified by keyStoreLocation to one accessible to the tunnel servlet (see Step 4 (HTTP and HTTPS): Deploying the Tunnel Servlet).
- © 2010, Oracle Corporation and/or its affiliates