
IBM WebSphere MQ - Preparing the queue managers to use TLS - Middleware News

The IBM MQ queue manager's key repository stores the queue manager's personal certificate and the public Certificate Authority (CA) certificate. The personal certificate request from the IBM MQ queue manager must be signed by a CA; the public certificate is used by other entities to authenticate the IBM MQ queue manager.

Before you begin

You must have the public Certificate Authority certificate in a file.

About this task

Create the IBM MQ queue manager's key repository, import the certificate authority's signer certificate and create the queue manager's personal certificate request.

Procedure


  1. Create a CMS key repository file for the queue manager called key.kdb. Navigate to the Qmgrs\QM1\ssl directory, and on the command line, type:
    runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -stash
    Note: For this simple example we have used a password of passw0rd. You may wish to choose a different password and change each of the following commands to use your own password instead.
  2. Add the CA certificate, which you have in a file, to the key repository. On the command line, type:
    runmqckm -cert -add -file CA-certificate-file -db key.kdb -pw passw0rd -label TrustedCA
  3. Request a personal certificate that will be written to a request file called QM1req.req. On the command line, enter:
    runmqckm -certreq -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 -dn CN="QM1" -size 1024 -file QM1req.req -sig_alg SHA1WithRSA
    The default certificate label name is shown in this example. You can set your own name if you prefer. For details, see Digital certificate labels.
  4. Send the certificate request file to your CA, which will issue a digitally signed certificate. Put the received, signed certificate file in a suitable location to be received into the queue manager's key repository.
  5. Receive the signed personal certificate into the queue manager's key repository.
    runmqckm -cert -receive -file Signed-certificate-file -db key.kdb -pw passw0rd -format ascii
  6. Complete these steps for each queue manager, changing the queue manager name accordingly.
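
A small linter for the runmqckm commands in the procedure above, added here as an example; it is not IBM's or this blog's own code. It flags the sample password and checks the certificate request against a 2048-bit RSA and SHA-2 baseline, which is this example's assumption and is not stated on the page; `parse_options` and `review` are hypothetical names.

```python
import shlex

# Constructed input: the commands from steps 1, 2, 3 and 5, each on one line.
COMMANDS = [
    "runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -stash",
    "runmqckm -cert -add -file CA-certificate-file -db key.kdb -pw passw0rd -label TrustedCA",
    "runmqckm -certreq -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 "
    '-dn CN="QM1" -size 1024 -file QM1req.req -sig_alg SHA1WithRSA',
    "runmqckm -cert -receive -file Signed-certificate-file -db key.kdb -pw passw0rd -format ascii",
]
EXAMPLE_PASSWORD = "passw0rd"    # the page's sample password
MIN_RSA_BITS = 2048              # assumption: this example's baseline, not from the page
WEAK_DIGESTS = ("MD5", "SHA1")   # assumption: this example's baseline, not from the page


def parse_options(command):
    """Return (action_flags, {option: value}) for one runmqckm command line."""
    tokens = shlex.split(command)[1:]          # drop the program name
    flags, options, i = [], {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            options[name] = tokens[i + 1]      # option followed by its value
            i += 2
        else:
            flags.append(name)                 # bare flag such as -create or -stash
            i += 1
    return flags, options


def review(commands):
    """Return (command_number, finding) tuples in command order."""
    findings = []
    for number, command in enumerate(commands, start=1):
        flags, opts = parse_options(command)
        if opts.get("pw") == EXAMPLE_PASSWORD:
            findings.append((number, "sample password still in use"))
        if "certreq" in flags:                 # a missing -size is not judged here
            if int(opts.get("size", MIN_RSA_BITS)) < MIN_RSA_BITS:
                findings.append((number, f"key size {opts['size']} < {MIN_RSA_BITS}"))
            if opts.get("sig_alg", "").upper().startswith(WEAK_DIGESTS):
                findings.append((number, f"weak signature digest {opts['sig_alg']}"))
    return findings


if __name__ == "__main__":
    for number, finding in review(COMMANDS):
        print(f"command {number}: {finding}")
```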

Creating the channels to use TLS

Create a new channel that uses TLS to create a connection.

Before you begin

To communicate over a channel that uses TLS, first you must have the required certificates for each end of the connection. To create the required certificates, follow the instructions in Preparing the queue managers to use TLS.

About this task

Use the MQSC interface to define channels with SSL/TLS attributes set. Because the definitions use the REPLACE keyword, you can do this task even if you defined your channels without SSL/TLS in a prior step.

Procedure

  1. On the command line, type:
    runmqsc QM1
  2. Create the sender channel on QM1, called TO.QM2. In the MQSC interface, type:
    DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) +
    CONNAME('remoteHost') XMITQ(QM2) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
    DESCR('Sender channel using TLS from QM1 to QM2') +
    REPLACE
    Note: The variable remoteHost is the hostname or IP address of the target queue manager.
    You can specify a CERTLABL attribute for the channel. If you do, it must match the value on the -label parameter of the runmqckm command that you previously ran in step 3 of Preparing the queue managers to use TLS. For more information on certificate labels, see Digital certificate labels, understanding the requirements.
  3. Type end to exit the MQSC interface.
  4. On the command line, type:
    runmqsc QM2
  5. Create a receiver channel on QM2, called TO.QM2. In the MQSC interface, type:
    DEFINE CHANNEL(TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
    DESCR('Receiver channel using TLS from QM1 to QM2') +
    REPLACE
  6. Type end to exit the MQSC interface.
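
The checks implied by the two channel definitions above, added here as an example (not IBM's or this blog's own code): each end sets SSLCIPH, both ends name the same CipherSpec, the receiver does not relax SSLCAUTH, and any CERTLABL equals the -label from step 3 of Preparing the queue managers to use TLS. The CERTLABL on the sender and the names `parse_channel` and `audit` are assumptions of this example.

```python
import re

# Constructed input: the two DEFINE CHANNEL commands from this page with MQSC '+'
# continuations, keyed by queue manager. CERTLABL on the sender is added for illustration.
DEFINITIONS = {
    "QM1": """DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) +
        CONNAME('remoteHost') XMITQ(QM2) +
        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) CERTLABL('ibmwebspheremqqm1') +
        DESCR('Sender channel using TLS from QM1 to QM2') REPLACE""",
    "QM2": """DEFINE CHANNEL(TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) +
        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
        DESCR('Receiver channel using TLS from QM1 to QM2') REPLACE""",
}
# KEYWORD(value) or KEYWORD('quoted value'); quoted values may hold spaces or parentheses.
ATTR = re.compile(r"(\w+)\(\s*(?:'([^']*)'|([^()']*))\s*\)")


def parse_channel(mqsc):
    """Return the attributes of one DEFINE CHANNEL command as a dict."""
    return {key.upper(): (quoted or bare).strip()
            for key, quoted, bare in ATTR.findall(mqsc)}


def audit(definitions, key_labels):
    """Return findings per channel end and for mismatches between the two ends.
    key_labels maps queue manager -> the -label used for its certificate request."""
    findings, ciphers = [], {}
    for qmgr, mqsc in definitions.items():
        ch = parse_channel(mqsc)
        name = ch.get("CHANNEL")
        ciphers.setdefault(name, set()).add(ch.get("SSLCIPH", ""))
        if not ch.get("SSLCIPH"):
            findings.append(f"{qmgr}/{name}: SSLCIPH is empty, channel does not use TLS")
        if ch.get("CHLTYPE") == "RCVR" and ch.get("SSLCAUTH") == "OPTIONAL":
            findings.append(f"{qmgr}/{name}: SSLCAUTH(OPTIONAL), partner certificate not required")
        if "CERTLABL" in ch and ch["CERTLABL"] != key_labels.get(qmgr):
            findings.append(f"{qmgr}/{name}: CERTLABL does not match the certificate request -label")
    for name, used in ciphers.items():
        if len(used) > 1:   # assumes both ends name an explicit CipherSpec, as on this page
            findings.append(f"{name}: SSLCIPH differs between the two ends")
    return findings


if __name__ == "__main__":
    for finding in audit(DEFINITIONS, {"QM1": "ibmwebspheremqqm1"}) or ["no findings"]:
        print(finding)
```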

Verifying the solution

Verify that the source queue manager can put a message onto the remote queue. Verify that the target queue manager can get the message from the queue.

About this task

Use the sample applications, amqsput and amqsget to verify the solution.

Procedure

  1. Send a message to the target queue manager, QM2, from the source queue manager.
    1. In the command-line interface, type:
      amqsput QUEUE.ON.QM2 QM1
      You must use the name of the remote queue definition to send the message to the target queue manager. The following message is displayed:
      Sample AMQSPUT0 start
      target queue is QUEUE.ON.QM2
      
      
    2. Type Hello world. and press Enter twice.
  2. Get the message on the target queue manager.
    1. In the command-line interface, type:
      amqsget RECEIVEQUEUE QM2
      The following message is displayed:
      Sample AMQSGET0 start
      message <Hello world.>
      no more messages
      Sample AMQSGET0 end
      
