Configuring Oracle Java CAPS for SSL Support

Using SSL With the WebSphere MQ Adapter

Perform the following tasks: create a Certification Authority, issue a certificate to the queue manager, and issue a certificate to Java CAPS.

Creating a Certification Authority

The following steps describe how to create a Certification Authority (CA) using the command-line utilities supplied with WebSphere MQ.

To Create a Certification Authority

  1. Create a key repository for the CA.
  2. Create a directory and in that directory, create a key repository file by entering the text shown below:
    C:\> mkdir \myCAdir
    C:\> cd \myCAdir
    C:\myCAdir> runmqckm -keydb -create -db myCA.kdb -type cms

    When prompted to create a password, type the password you want to use for the CA’s key repository.

  3. Create a self-signed CA certificate, which will be used to identify your CA:
    C:\myCAdir> runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" 
    -dn "CN=myCAName,O=myOrganisation,OU=myDepartment,L=myLocation,C=IN" -expire 1000 
    -size 1024
  4. Extract the CA certificate into a file called myCAcertfile.cer, which you will later transfer to the key repositories of the queue manager and the client application:
    C:\myCAdir> runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" 
    -target myCAcertfile.cer -format ascii

To Issue a Certificate to a Queue Manager

Each queue manager in your infrastructure should have its own certificate, with an appropriate Distinguished Name (DN). The DN should be unique within the WebSphere MQ network.

  1. Create the queue manager’s key repository directory:
    C:\myCAdir> mkdir \REPOS
    C:\myCAdir> cd \REPOS
  2. Issue the following command to create a key database for the queue manager:
    C:\REPOS> runmqckm -keydb -create -db myqmgr.kdb -type cms -stash

    When prompted to create a password, type the password you want to use for the queue manager’s key repository.

    The -stash option is important, as it causes a stash file to be created. This file is called myqmgr.sth. It allows the queue manager to open the key repository without requesting a password from the user.

  3. Generate a certificate request file for the queue manager, along with a private key:
    C:\REPOS> runmqckm -certreq -create -db myqmgr.kdb -type cms 
    -dn "CN=QMNAME,O=ORACLE,OU=BI,L=BLR,C=IN" -label "ibmwebspheremqmyqmgr" -file myqmgr.req

    The label (as specified with the -label parameter) must be of the form ibmwebspheremqmyqmgr, that is, ibmwebspheremq followed by the queue manager name, all in lower case. This is important, as otherwise the queue manager will fail to find the certificate.

  4. Transfer the certificate request file, myqmgr.req, to the directory where the CA files are located, then change to that directory:
    C:\REPOS> copy myqmgr.req \myCAdir
    C:\REPOS> cd \myCAdir
  5. Sign the queue manager’s certificate by running the following command:
    C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 
    -format ascii -file myqmgr.req -target myqmgr.cer

    When prompted for the password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.

  6. Transfer the signed certificate (myqmgr.cer) and the public certificate of the CA (myCAcertfile.cer) back to C:\REPOS:
    C:\myCAdir> copy myqmgr.cer \REPOS
    C:\myCAdir> copy myCAcertfile.cer \REPOS
    C:\myCAdir> cd \REPOS
  7. Add the public certificate of the CA to the key repository of the queue manager:
    C:\REPOS> runmqckm -cert -add -db myqmgr.kdb -type cms -file myCAcertfile.cer 
    -label "theCAcert"

    When prompted for a password, supply the queue manager key repository’s password.

  8. Receive the certificate (now signed by the CA) into the queue manager’s key repository:
    C:\REPOS> runmqckm -cert -receive -db myqmgr.kdb -type cms -file myqmgr.cer

    When prompted for a password, supply the queue manager key repository’s password. Refer to step 1 (above).

To Issue a Certificate to Java CAPS

  1. Create a certificate request in the application server domain’s default keystore, keystore.jks:
    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -certreq -create 
    -db keystore.jks -type jks -dn "CN=Client Identifier,O=ORACLE,OU=BI,L=BLR,C=IN" 
    -label "ibmwebspheremqmyuserid" -file myappj.req

    When prompted for a password, type the application server’s default keystore password, changeit. The certificate label used here is ibmwebspheremqmyuserid.

  2. Transfer the certificate request file (myappj.req) to the directory where the CA files are located, then change to this directory:
    <JavaCAPS>\appserver\domains\<domain_name>\config> copy myappj.req C:\myCAdir
    <JavaCAPS>\appserver\domains\<domain_name>\config> cd C:\myCAdir
  3. Sign the application’s certificate by running the following:
    C:\myCAdir> runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 
    -format ascii -file myappj.req -target myappj.cer

    When prompted for a password, supply the CA key repository’s password. Refer to the first step in To Create a Certification Authority.

  4. Transfer the signed certificate (myappj.cer) and the public certificate of the CA (myCAcertfile.cer) back to the application server domain’s config directory:
    C:\myCAdir> copy myappj.cer <JavaCAPS>\appserver\domains\<domain_name>\config\
    C:\myCAdir> copy myCAcertfile.cer <JavaCAPS>\appserver\domains\<domain_name>\config
    C:\myCAdir> cd <JavaCAPS>\appserver\domains\<domain_name>\config
  5. Add the CA certificate to the Java CAPS keystore.
    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add 
    -db keystore.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"

    When prompted for a password, supply the Java CAPS keystore password as changeit.

  6. Receive the certificate (now signed by the CA) into the Java CAPS keystore:
    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -receive 
    -db keystore.jks -type jks -file myappj.cer

    When prompted for a password, supply the Java CAPS keystore password as changeit.

  7. Add the CA certificate to the truststore (cacerts.jks):
    <JavaCAPS>\appserver\domains\<domain_name>\config> runmqckm -cert -add 
    -db cacerts.jks -type jks -file myCAcertfile.cer -label "theCAcertificate"
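As a check after step 7, here is an added example (not from the Java CAPS documentation or product) that loads keystore.jks and cacerts.jks with the Java KeyStore API and confirms that the received certificate sits under the expected ibmwebspheremq label as a private-key entry and validates against the CA entry in the truststore; it assumes both stores use the default password changeit and the labels used in the steps above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Example check written for this page (not a Java CAPS or WebSphere MQ tool): after the
// procedure above, keystore.jks must hold a private-key entry under the ibmwebspheremq<userid>
// label whose certificate was signed by the CA that step 7 added to cacerts.jks.
public class MqKeystoreCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Usage: java MqKeystoreCheck <config directory> [userid]   (userid defaults to myuserid)
    public static void main(String[] args) throws Exception {
        String dir = args[0];
        String userId = args.length > 1 ? args[1] : "myuserid";
        char[] password = "changeit".toCharArray();               // assumed: default keystore/truststore password
        String keyLabel = "ibmwebspheremq" + userId.toLowerCase(); // MQ label convention, lower case
        String caLabel = "theCAcertificate";                       // label used in steps 5 and 7
        KeyStore keystore = load(dir + "/keystore.jks", password);
        KeyStore truststore = load(dir + "/cacerts.jks", password);
        // 1. A key entry (not a bare trusted certificate) shows that -certreq and -receive were paired.
        if (!keystore.isKeyEntry(keyLabel)) {
            throw new IllegalStateException("no private-key entry labelled " + keyLabel);
        }
        Certificate[] chain = keystore.getCertificateChain(keyLabel);
        X509Certificate leaf = (X509Certificate) chain[0];
        // 2. The CA certificate must be in the truststore so the adapter can validate the queue manager.
        X509Certificate ca = (X509Certificate) truststore.getCertificate(caLabel);
        if (ca == null) {
            throw new IllegalStateException("truststore has no entry labelled " + caLabel);
        }
        // 3. The received certificate must really be signed by that CA and still be within its validity.
        leaf.verify(ca.getPublicKey());  // SignatureException if the CA did not sign it
        leaf.checkValidity();            // exception if expired or not yet valid
        if (!leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            throw new IllegalStateException("issuer DN does not match the CA subject DN");
        }
        System.out.println("OK: " + leaf.getSubjectX500Principal() + " issued by " + caLabel
                + ", chain length " + chain.length + ", expires " + leaf.getNotAfter());
    }
}
```

Run it from the domain config directory with "." as the first argument; any exception indicates which of the three conditions the import did not satisfy.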