Configuring Oracle Java CAPS for SSL Support (Java CAPS Documentation)
Configuring Java CAPS for SSL Support
Secure Sockets Layer (SSL) Overview
Public Keys, Private Keys, and Certificates
Generating a KeyStore and TrustStore
Creating a KeyStore in JKS Format
Creating a KeyStore in PKCS12 Format
Configuring an Oracle Java CAPS JMS IQ Manager to Use SSL
Configuring the Message Server URL
To Configure the Message Server URL
Changing the Self-Signed Server Certificate
To Change the Self-Signed Server Certificate
Configuring the Repository to Use SSL
Generating a Key Pair and a Self-Signed Certificate
To Generate a Key Pair and a Self-Signed Certificate
Obtaining a Signed Certificate
To Obtain a Digitally Signed Certificate from a Certificate Authority
To Obtain a Self-Signed Certificate from a Local Keystore
Configuring the server.xml File
To Configure the server.xml File
Testing the New SSL Connection
To Test the New SSL Connection
Configuring Enterprise Manager to Use SSL
Creating the Keystore and Trust Store
To Create the Keystore and Trust Store
Importing the Domain Certificate
To Import the Domain Certificate
Enabling Security on the Application Server
To Enable Security on the Application Server
Logging In to Enterprise Manager
To Log In to Enterprise Manager
Using SSL With the WebSphere MQ Adapter
Creating a Certification Authority
To Create a Certification Authority
Using the OpenSSL Utility for the LDAP and HTTPS Adapters
Creating a Sample CA Certificate
To Create a Sample CA Certificate
Signing Certificates With Your Own CA
To Create a CSR with keytool and Generate a Signed Certificate for the Certificate Signing Request
Perform the following tasks:
The following steps describe how to create a Certification Authority (CA) using the command-line utilities supplied with WebSphere MQ.
C:\> mkdir \myCAdir
C:\> cd \myCAdir
C:\myCAdir> runmqckm -keydb -create -db myCA.kdb -type cms
When prompted to create a password, type the password you want to use for the CA’s key repository.
C:\myCAdir> runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=myCAName,O=myOrganisation,OU=myDepartment,L=myLocation,C=IN" -expire 1000 -size 1024
C:\myCAdir> runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii
Each queue manager in your infrastructure should have its own certificate, with an appropriate Distinguished Name (DN). The DN should be unique within the WebSphere MQ network.
C:\myCAdir> mkdir \REPOS
C:\myCAdir> cd \REPOS
C:\REPOS> runmqckm -keydb -create -db myqmgr.kdb -type cms -stash
When prompted to create a password, type the password you want to use for the queue manager’s key repository.
The -stash option is important: it creates a stash file, myqmgr.sth, that lets the queue manager open the key repository without prompting for a password. Because anyone who can read the stash file can open the repository, restrict its file permissions to the queue manager's service account.
C:\REPOS> runmqckm -certreq -create -db myqmgr.kdb -type cms -dn "CN=QMNAME,O=ORACLE,OU=BI,L=BLR,C=IN" -label "ibmwebspheremqmyqmgr" -file myqmgr.req
The label (as specified with the -label parameter) must be ibmwebspheremq followed by the queue manager name (here myqmgr), all in lower case. This is important, as otherwise the queue manager will fail to find the certificate.
C:\REPOS> copy myqmgr.req \myCAdir
C:\REPOS> cd \myCAdir
C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file myqmgr.req -target myqmgr.cer
When prompted for the password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.
C:\myCAdir> copy myqmgr.cer \REPOS
C:\myCAdir> copy myCAcertfile.cer \REPOS
C:\myCAdir> cd \REPOS
C:\REPOS> runmqckm -cert -add -db myqmgr.kdb -type cms -file myCAcertfile.cer -label "theCAcert"
When prompted for a password, supply the queue manager key repository’s password.
C:\REPOS> runmqckm -cert -receive -db myqmgr.kdb -type cms -file myqmgr.cer
When prompted for a password, supply the queue manager key repository’s password. Refer to step 1 (above).
<JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -certreq -create -db keystore.jks -type jks -dn "CN=Client Identifier,O=ORACLE,OU=BI,L=BLR,C=IN" -label "ibmwebspheremqmyuserid" -file myappj.req
When prompted for a password, type the application server's keystore password (the default is changeit). The certificate label chosen was ibmwebspheremqmyuserid.
<JavaCAPS>\appserver\domains\<domain_name>\config> copy myappj.req C:\myCAdir
<JavaCAPS>\appserver\domains\<domain_name>\config> cd C:\myCAdir
C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file myappj.req -target myappj.cer
When prompted for a password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.
C:\myCAdir> copy myappj.cer <JavaCAPS>\appserver\domains\<domain_name>\config\
C:\myCAdir> copy myCAcertfile.cer <JavaCAPS>\appserver\domains\<domain_name>\config
C:\myCAdir> cd <JavaCAPS>\appserver\domains\<domain_name>\config
<JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add -db keystore.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"
When prompted for a password, supply the Java CAPS keystore password as changeit.
<JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -receive -db keystore.jks -type jks -file myappj.cer
When prompted for a password, supply the Java CAPS keystore password as changeit.
<JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add -db cacerts.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"
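The certificate flow above (create the CA, generate a request with a DN, sign it with the CA, then trust the CA certificate and install the signed certificate) as an added example that is not part of the original page and not IBM's runmqckm code: a Go program using only the standard library that performs the same steps in-process with the DNs from the page, so the resulting chain can be checked. It covers both the queue manager (.kdb) steps and the Java CAPS keystore (.jks) steps, which differ only in which repository the request comes from and which one receives the signed certificate. The function names dn, newCA, newCSR, signCSR and verifyChain are this example's own; the 2048-bit key size is an assumption (the page uses 1024 bits), as is the check of the request's self-signature before signing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// dn builds the five-field Distinguished Name the page's -dn strings use.
func dn(cn, o, ou, l, c string) pkix.Name {
	return pkix.Name{CommonName: cn, Organization: []string{o}, OrganizationalUnit: []string{ou},
		Locality: []string{l}, Country: []string{c}}
}

// newCA mirrors "runmqckm -cert -create ... -expire 1000": a self-signed CA (2048-bit key assumed).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               dn("myCAName", "myOrganisation", "myDepartment", "myLocation", "IN"),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(1000 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR mirrors "runmqckm -certreq -create -dn ...": the requesting side generates
// its own key pair, and only the request (never the private key) leaves its repository.
func newCSR(cn string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: dn(cn, "ORACLE", "BI", "BLR", "IN")}, key)
	return der, key, err
}

// signCSR mirrors "runmqckm -cert -sign ... -expire 365": the CA checks the request's
// self-signature (proof the requester holds the key) before issuing a non-CA certificate.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // IsCA stays false
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain is what "-cert -add" (trust the CA) and "-cert -receive" (install the
// signed certificate) rely on: the certificate must chain to a CA the repository trusts.
func verifyChain(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	csr, _, err := newCSR("QMNAME") // the DN from the page's queue manager request
	if err != nil {
		panic(err)
	}
	leaf, err := signCSR(csr, ca, caKey, 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued to", leaf.Subject.CommonName, "- chain error:", verifyChain(leaf, ca))
}
```

Running it with go run prints the issued certificate's CN and a chain error of <nil>, meaning the signed certificate verifies against the CA that issued it; verifying the same certificate against a different CA, or signing a request whose self-signature does not check out, fails, which is the behaviour a queue manager or application server relies on when it rejects a peer whose certificate was not issued by a CA in its key repository.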