
IBM Websphere MQ - Preparing the queue managers to use TLS - Middleware News

The IBM MQ queue manager's key repository stores the queue manager's personal certificate and the public Certificate Authority (CA) certificate. The personal certificate request from the IBM MQ queue manager must be signed by a CA; the resulting public certificate is what other entities use to authenticate the IBM MQ queue manager.

Before you begin

You must have the public Certificate Authority certificate in a file.

About this task

Create the IBM MQ queue manager's key repository, import the certificate authority's signer certificate, and create the queue manager's personal certificate request.

Procedure

  1. Create a CMS key repository file for the queue manager called key.kdb. Navigate to the Qmgrs\QM1\ssl directory, and on the command line, type:
    runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -stash
    Note: For this simple example we have used a password of passw0rd. You may wish to choose a different password and change each of the following commands to use your own password instead. The -stash option writes the password to a stash file (key.sth) beside the repository so the queue manager can open it without prompting; give that file the same restrictive file-system permissions as the key repository itself.
  2. Add the CA certificate, which you have in a file, to the key repository. On the command line, type:
    runmqckm -cert -add -file CA-certificate-file -db key.kdb -pw passw0rd -label TrustedCA
  3. Request a personal certificate that will be written to a request file called QM1req.req. On the command line, enter:
    runmqckm -certreq -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 -dn CN="QM1" -size 1024 -file QM1req.req -sig_alg SHA1WithRSA
    The default certificate label name is shown in this example (ibmwebspheremq followed by the queue manager name in lowercase). You can set your own name if you prefer. For details, see Digital certificate labels. The 1024-bit key size and SHA1WithRSA signature algorithm shown here are weak by current standards and many CAs no longer accept them; check your CA's minimum key size and signature algorithm before you create the request.
  4. Send the certificate request file to your CA; they will issue a digitally signed certificate. Put the received, signed certificate file in a suitable location so that it can be received into the queue manager's key repository.
  5. Receive the signed personal certificate into the queue manager's key repository:
    runmqckm -cert -receive -file Signed-certificate-file -db key.kdb -pw passw0rd -format ascii
  6. Complete these steps for each queue manager, changing the queue manager name accordingly.

Creating the channels to use TLS

Create a new channel that uses TLS to create a connection.

Before you begin

To communicate over a channel that uses TLS, first you must have the required certificates for each end of the connection. To create the required certificates, follow the instructions in Preparing the queue managers to use TLS.

About this task

Use the MQSC interface to define channels with their SSL/TLS attributes set. Because the definitions use the REPLACE keyword, you can run this task even if you already defined the same channels without SSL/TLS in a prior step.

Procedure

  1. On the command line, type:
    runmqsc QM1
  2. Create the sender channel on QM1, called TO.QM2. In the MQSC interface, type:
    DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) +
    CONNAME('remoteHost') XMITQ(QM2) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
    DESCR('Sender channel using TLS from QM1 to QM2') +
    REPLACE
    Note: The variable remoteHost is the hostname or IP address of the target queue manager. The trailing + on each line tells runmqsc that the command continues on the next line; without it, each line is processed as a separate, incomplete command.
    You can specify a CERTLABL attribute for the channel. If you do, it must match the value on the -label parameter of the runmqckm command that you previously ran in step 3 of Preparing the queue managers to use TLS. For more information on certificate labels, see Digital certificate labels, understanding the requirements.
  3. Type end to exit the MQSC interface.
  4. On the command line, type:
    runmqsc QM2
  5. Create a receiver channel on QM2, called TO.QM2. In the MQSC interface, type:
    DEFINE CHANNEL(TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
    DESCR('Receiver channel using TLS from QM1 to QM2') +
    REPLACE
    SSLCAUTH(REQUIRED) makes the receiver reject any sender that does not present a certificate; with SSLCAUTH(OPTIONAL) the sender is allowed to connect without one.
  6. Type end to exit the MQSC interface.
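The two procedures above leave two things a practitioner will want to check before trusting the link: that the queue manager's key repository really contains a personal certificate under the label the channel expects, and that every channel has a CipherSpec set and, on the responder side, SSLCAUTH(REQUIRED). The script below is an added example, not part of the IBM page or of IBM MQ itself. It derives the default queue manager certificate label, checks a key repository listing for it, and scans runmqsc DISPLAY CHANNEL output for channels that still run without TLS or accept unauthenticated peers. The function names are my own, and the embedded sample listings are constructed to approximate the output of runmqckm -cert -list and DISPLAY CHANNEL(*); it uses only POSIX sh and awk, so it runs without IBM MQ installed, and on a real system you pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example: audit helpers for the TLS setup described above (not IBM's code).
# Function names and the embedded sample output are constructed for illustration.

# Default queue manager certificate label: "ibmwebspheremq" + QM name in lowercase.
mq_default_cert_label() {
  printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Read a key-repository listing on stdin (e.g. runmqckm -cert -list -db key.kdb -stashed)
# and succeed only if the queue manager's personal certificate label is present.
# Whole-field comparison avoids matching ibmwebspheremqqm1 inside ibmwebspheremqqm10.
keyrepo_has_personal_cert() {
  awk -v label="$(mq_default_cert_label "$1")" '
    { for (i = 1; i <= NF; i++) if ($i == label) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Read runmqsc DISPLAY CHANNEL output on stdin and print one line per channel that
# is not protected: no SSLCIPH at all, or a responder-side channel (RCVR, RQSTR,
# SVRCONN, CLUSRCVR) whose SSLCAUTH is not REQUIRED, so the peer need not present
# a certificate. Each channel record begins with the AMQ8414I message line.
audit_tls_channels() {
  awk '
    function flush() {
      if (chan != "") {
        gsub(/ /, "", ciph)                 # "SSLCIPH( )" means no CipherSpec
        if (ciph == "")
          print chan " NO_TLS"
        else if (type ~ /^(RCVR|RQSTR|SVRCONN|CLUSRCVR)$/ && auth != "REQUIRED")
          print chan " SSLCAUTH=" (auth == "" ? "(unset)" : auth)
      }
      chan = ""; type = ""; ciph = ""; auth = ""
    }
    /^AMQ8414I/ { flush(); next }
    {
      if (match($0, /CHANNEL\([^)]*\)/))  chan = substr($0, RSTART + 8, RLENGTH - 9)
      if (match($0, /CHLTYPE\([^)]*\)/))  type = substr($0, RSTART + 8, RLENGTH - 9)
      if (match($0, /SSLCIPH\([^)]*\)/))  ciph = substr($0, RSTART + 8, RLENGTH - 9)
      if (match($0, /SSLCAUTH\([^)]*\)/)) auth = substr($0, RSTART + 9, RLENGTH - 10)
    }
    END { flush() }'
}

# Constructed sample, approximating runmqckm -cert -list output for QM1's key.kdb.
SAMPLE_KEYREPO='Certificates found
* default, - personal, ! trusted, # secret key
- ibmwebspheremqqm1
! TrustedCA'

# Constructed sample, approximating DISPLAY CHANNEL(*) CHLTYPE CONNAME SSLCIPH SSLCAUTH.
# TO.QM2 (both ends) matches the definitions above; TO.QM3 and APP.SVRCONN are weak.
SAMPLE_CHANNELS='AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(remoteHost)                     XMITQ(QM2)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM3)                         CHLTYPE(SDR)
   CONNAME(otherHost)                      XMITQ(QM3)
   SSLCIPH( )
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(RCVR)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(OPTIONAL)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)'

# Demo run against the constructed samples.
if printf '%s\n' "$SAMPLE_KEYREPO" | keyrepo_has_personal_cert QM1; then
  echo "QM1: personal certificate $(mq_default_cert_label QM1) present"
else
  echo "QM1: personal certificate $(mq_default_cert_label QM1) missing"
fi
echo "Channels needing attention:"
printf '%s\n' "$SAMPLE_CHANNELS" | audit_tls_channels
```

On a live system, replace the samples with `runmqckm -cert -list -db key.kdb -stashed | keyrepo_has_personal_cert QM1` and `echo 'DISPLAY CHANNEL(*) CHLTYPE SSLCIPH SSLCAUTH' | runmqsc QM1 | audit_tls_channels`; the audit deliberately reports a channel with no CipherSpec before looking at SSLCAUTH, because SSLCAUTH has no effect until SSLCIPH is set.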

Verifying the solution

Verify that the source queue manager can put a message onto the remote queue. Verify that the target queue manager can get the message from the queue.

About this task

Use the sample applications amqsput and amqsget to verify the solution.

Procedure

  1. Send a message to the target queue manager, QM2, from the source queue manager.
    1. In the command-line interface, type:
      amqsput QUEUE.ON.QM2 QM1
      You must use the name of the remote queue definition to send the message to the target queue manager. The following message is displayed:
      Sample AMQSPUT0 start
      target queue is QUEUE.ON.QM2
    2. Type Hello world., then press Enter twice.
  2. Get the message on the target queue manager.
    1. In the command-line interface, type:
      amqsget RECEIVEQUEUE QM2
      The following message is displayed:
      Sample AMQSGET0 start
      message
      no more messages
      Sample AMQSGET0 end
