Skip to main content

IBM Websphere MQ - Preparing the queue managers to use TLS - Middleware News

The IBM MQ queue manager's key repository is used to store the queue manager's personal certificate and the public Certificate Authority (CA) certificate. The personal certificate request from the IBM MQ queue manager must be signed by a CA, the public certificate is used by the other entities to authenticate the IBM MQ queue manager.

Before you begin

You must have the public Certificate Authority certificate in a file.

About this task

Create the IBM MQ queue manager's key repository, import the certificate authority's signer certificate and create the queue manager's personal certificate request.

Procedure


  1. Create a CMS key repository file for the queue manager called key.kdb. Navigate to the Qmgrs\QM1\ssl directory, and on the command line, type: 
    runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -stash
    Note: For this simple example we have used a password of passw0rd. You may wish to choose a different password and change each of the following commands to use your own password instead.
  2. Add the CA certificate, which you have in a file, to the key repository, on the command line, type: 
    runmqckm -cert -add -file CA-certificate-file -db key.kdb -pw passw0rd -label TrustedCA
  3. Request a personal certificate that will be written to a request file called QM1req.req. On the command line, enter: 
    runmqckm -certreq -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1
-dn CN="QM1" -size 1024 -file QM1req.req
-sig_alg SHA1WithRSA
    The default certificate label name is shown in this example. You can set your own name if you prefer. For details, see Digital certificate labels.
  4. Send the certificate request file to your CA, they will issue a digitally signed certificate. Put the received, signed certificate file in a suitable location to be received into the queue manager's key repository.
  5. Receive the signed personal certificate into the queue manager's key repository. 
    runmqckm -cert -receive -file Signed-certificate-file -db key.kdb -pw passw0rd -format ascii
  6. Complete these steps for each queue manager, changing the queue manager name accordingly.

Creating the channels to use TLS

Create a new channel that uses TLS to create a connection.

Before you begin

To communicate over a channel that uses TLS, first you must have the required certificates for each end of the connection. To create the required certificates, follow the instructions in Preparing the queue managers to use TLS.

About this task

Use the MQSC interface to define channels with SSL/TLS attributes set. This task can be done even if you defined your channels without SSL/TLS in a prior step through the use of the REPLACE keyword.

Procedure

  1. On the command-line, type: 
    runmqsc QM1
  2. Create the sender channel on QM1, called TO.QM2, in the MQSC interface, type: 
    DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP)
CONNAME(' remoteHost ') XMITQ(QM2)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
DESCR('Sender channel using TLS from QM1 to QM2')
REPLACE
    Note: The variable remoteHost is the hostname or IP address of the target queue manager.
    You can specify a CERTLABL attribute for the channel. If you do, it must match the value on the -label parameter of the runmqckm command that you previously ran in step 3 of Preparing the queue managers to use TLS. For more information on certificate labels, see Digital certificate labels, understanding the requirements.
  3. Type end to exit the MQSC interface.
  4. On the command-line, type: 
    runmqsc QM2
  5. Create a receiver channel on QM2, called TO.QM2, in the MQSC interface, type: 
    DEFINE CHANNEL(TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED)
DESCR('Receiver channel using TLS from QM1 to QM2')
REPLACE
  6. Type end to exit the MQSC interface

Verifying the solution

Verify that the source queue manager can put a message onto the remote queue. Verify that the target queue manager can get the message from the queue.

About this task

Use the sample applications, amqsput and amqsget to verify the solution.

Procedure

  1. Send a message to the target queue manager, QM2 from the source queue manager.
    1. In the command-line interface, type: 
      amqsput QUEUE.ON.QM2 QM1
      You must use the name of the remote queue definition to send the message to the target queue manager. The following message is displayed: 
      Sample AMQSPUT0 start
target queue is QUEUE.ON.QM2
    2. Type Hello world., press Enter twice.
  2. Get the message on the target queue manager.
    1. In the command-line interface, type: 
      amqsget RECEIVEQUEUE QM2
      The following message is displayed: 
      Sample AMQSGET0 start
message 
no more messages
Sample AMQSGET0 end

Labels:

Comments

  1. UnknownMay 23, 2016 at 3:36 AM


    I appreciate all the work you put into this site, helping out others with your fun and creative works.
    Dotnet training in Chennai

    ReplyDelete

Post a Comment

adsrerrapop

Popular posts from this blog

IBM Websphere MQ interview Questions Part 5

MQ Series: - It is an IBM web sphere product which is evolved in 1990’s. MQ series does transportation from one point to other. It is an EAI tool (Middle ware) VERSIONS:-5.0, 5.1, 5.3, 6.0, 7.0(new version). The currently using version is 6.2 Note: – MQ series supports more than 35+ operating systems. It is platform Independent. For every OS we have different MQ series software’s. But the functionality of MQ series Default path for installing MQ series is:- C: programfiles\BM\clipse\SDK30 C: programfiles\IBM\WebsphereMQ After installation it will create a group and user. Some middleware technologies are Tibco, SAP XI. MQ series deals with two things, they are OBJECTS, SERVICES. In OBJECTS we have • QUEUES • CHANNELS • PROCESS • AUTHENTICATION • QUERY MANAGER. In SERVICES we have LISTENERS. Objects: – objects are used to handle the transactions with the help of services. QUEUE MANAGER maintains all the objects and services. QUEUE: – it is a database structure
136 comments
Read more

IBM Websphere MQ Reason code list / mq reason codes / websphere mq error codes / mq error messages

Reason code list ================= The following is a list of reason codes, in numeric order, providing detailed information to help you understand them, including: * An explanation of the circumstances that have caused the code to be raised * The associated completion code * Suggested programmer actions in response to the code * 0 (0000) (RC0): MQRC_NONE * 900 (0384) (RC900): MQRC_APPL_FIRST * 999 (03E7) (RC999): MQRC_APPL_LAST * 2001 (07D1) (RC2001): MQRC_ALIAS_BASE_Q_TYPE_ERROR * 2002 (07D2) (RC2002): MQRC_ALREADY_CONNECTED * 2003 (07D3) (RC2003): MQRC_BACKED_OUT * 2004 (07D4) (RC2004): MQRC_BUFFER_ERROR * 2005 (07D5) (RC2005): MQRC_BUFFER_LENGTH_ERROR * 2006 (07D6) (RC2006): MQRC_CHAR_ATTR_LENGTH_ERROR * 2007 (07D7) (RC2007): MQRC_CHAR_ATTRS_ERROR * 2008 (07D8) (RC2008): MQRC_CHAR_ATTRS_TOO_SHORT * 2009 (07D9) (RC2009): MQRC_CONNECTION_BROKEN * 2010 (07DA) (RC2010): MQRC_DATA_LENGTH_ERROR * 2011 (07DB) (RC2011): MQRC_DYNAMIC_Q_NAME_ERROR * 2012 (07DC) (RC201
2 comments
Read more

IBM WebSphere MQ – Common install/uninstall issues for MQ Version on Windows - Middleware News

Creating a log file when you install or uninstall WebSphere MQ WebSphere MQ for Windows is installed using the Microsoft Installer (MSI). If you install the MQ server or client through launchpad , MQPARMS or setup.exe , then a log file is automatically generated in %temp% during installation. Alternatively you can supply parameters on the installation MSI command msiexec to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). If you uninstall through the Windows Add/Remove programs option, no log file is generated. You should either uninstall from the MSI command line and supply parameters to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). For details on how to enable MSI logging, see the following article in the WebSphere MQ product documentation: Advanced installation using msiexec For details on how to enable system-w
Post a Comment
Read more