28°Cwhite: WebSphere MQ - SSL connection

Create Queue manager

1. Create the queue manager named 'QMSSL' by issuing the following command:

crtmqm -u SYSTEM.DEAD.LETTER.QUEUE -p 1416 QMSSL

2. Start queue manager

strmqm QMSSL

3. Queue manager listener and channel setting.

To automatically start the IBM MQ listener with the queue manager, disable connection auth, use the following MQSC command:

mqsiuid@ftmaixt1:/home/mqsiuid>runmqsc QMSSL
5724-H72 (C) Copyright IBM Corp. 1994, 2015.
Starting MQSC for queue manager QMSSL.

ALTER LISTENER(SYSTEM.DEFAULT.LISTENER.TCP) TRPTYPE(TCP) PORT(1416) CONTROL(QMGR)
1 : ALTER LISTENER(SYSTEM.DEFAULT.LISTENER.TCP) TRPTYPE(TCP) PORT(1416) CONTROL(QMGR)
AMQ8623: WebSphere MQ listener changed.
ALTER QMGR CHLAUTH(DISABLED)
2 : ALTER QMGR CHLAUTH(DISABLED)
AMQ8005: WebSphere MQ queue manager changed.
ALTER QMGR CONNAUTH(' ')
3 : ALTER QMGR CONNAUTH(' ')
AMQ8005: WebSphere MQ queue manager changed.
refresh security
4 : refresh security
AMQ8560: WebSphere MQ security cache refreshed.
define channel(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) REPLACE
5 : define channel(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) REPLACE
AMQ8014: WebSphere MQ channel created.
end
6 : end
6 MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.

After these step, you can connect to remote queue manager QMSSL via SYSTEM.ADMIN.SVRCONN channel by MQ Explorer.

Keystore creation and SSL setting on MQ Server side

The certificate are stored in /var/mqm/qmgrs/[qmgr_name]/ssl, you have to use MQ admin user to create certificate.

In order to use ikeycmd, export the PATH with the path where ikeycmd command exist:

mqsiuid@ftmaixt1:/var/mqm/qmgrs/QMSSL/ssl>export PATH=/usr/mqm/java/jre64/jre/bin:$PATH

1. Create QM key store

ikeycmd -keydb -create -db /var/mqm/qmgrs/QMSSL/ssl/qmssl.kdb -pw pwd123 -type cms -expire 365 -stash

2. Create CA store

ikeycmd -keydb -create -db /var/mqm/qmgrs/QMSSL/ssl/wmqca.kdb -pw pwd123 -type cms -expire 365 -stash

3. Create CA certificate

ikeycmd -cert -create -db /var/mqm/qmgrs/QMSSL/ssl/wmqca.kdb -pw pwd123 -label wmqssl -dn "CN=QMSSL" -expire 365

4. Extract CA certificate

ikeycmd -cert -extract -db /var/mqm/qmgrs/QMSSL/ssl/wmqca.kdb -pw pwd123 -label wmqssl -target /var/mqm/qmgrs/QMSSL/ssl/wmqca.crt -format ascii

5. Add CA certificate on QM key store

ikeycmd -cert -add -db /var/mqm/qmgrs/QMSSL/ssl/qmssl.kdb -pw pwd123 -label wmqssl -file /var/mqm/qmgrs/QMSSL/ssl/wmqca.crt -format ascii

6. Create certificate request

ikeycmd -certreq -create -db /var/mqm/qmgrs/QMSSL/ssl/qmssl.kdb -pw pwd123 -label ibmwebspheremqqmssl -dn "CN=QMSSL" -file /var/mqm/qmgrs/QMSSL/ssl/qmssl_req.arm

Note: the label name should be ibmwebspheremq+lowercasequeuemanagername.

7. CA sign the certificate

ikeycmd -cert -sign -file qmssl_req.arm -db /var/mqm/qmgrs/QMSSL/ssl/wmqca.kdb -pw pwd123 -label wmqssl -target /var/mqm/qmgrs/QMSSL/ssl/QMSSLcert1.arm -format ascii -expire 365

8. Receive the certificate on QM key store

ikeycmd -cert -receive -db /var/mqm/qmgrs/QMSSL/ssl/qmssl.kdb -pw pwd123 -file /var/mqm/qmgrs/QMSSL/ssl/QMSSLcert1.arm -format ascii

9. Run MQSC command to adapt the queue manager and channel setting.

(1) Changing the key repository location for a queue manager

ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QMSSL/ssl/qmssl');

Note: the stem name 'qmssl' is the QM key store name without file extension .kdb

(2) Define the server connection channel with SSL Cipher Specification (SSLCIPH) by MQSC command

DEFINE CHANNEL('TEST.SSL.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(OPTIONAL);