Deploying CA-signed SSL certificates to the LGI scenario

Transcription

1 Deploying CA-signed SSL certificates to the LGI scenario This document details, by example, the steps required to create Secure Sockets Layer (SSL) certificates for a WebSphere MQ (WMQ) network, including z/os and AIX queue managers and WebSphere Process Server (WPS). The scenario includes the following components: Certificate Authority (CA) The term CA refers to both the entity (e.g. Organisation or department) responsible for signing certificates and the CA certificate itself. In this example, the CA is an internal CA based on z/os. z/os queue managers The LGI scenario includes two z/os queue managers which are both members of the LGI.Z.CLUSTER WMQ cluster. The LGI.Z.CLUSTER cluster channels are secured with SSL. AIX queue managers The LGI scenario includes several AIX queue managers which are members of the LGI.Z.CLUSTER cluster. The LGI.Z.CLUSTER cluster channels are secured with SSL. The LGI.Z.CLUSTER also contains Linux for System z queue managers which can be configured using the AIX instructions. WPS for z/os WPS is connect to one of the z/os queue managers using the MQLink. The following administration interfaces are used: RACF RACDCERT commands Used to administrate SSL artifacts (i.e. Keyrings and certificates) in RACF. They are executed in JCL on z/os. gsk7cmd commands Used to administrate SSL artifacts (i.e. Key databases and certificates) in GSKit. They are executed from the command line on AIX (and other Unix platforms, such as, Linux for System z). FTP commands Used to transfer certificates between machines. MQSC commands Used to administrate WMQ artifacts (e.g. Queue managers). They are executed using runmqsc on distributed platforms and from SDSF on z/os. WPS Integrated Solutions Console (ISC) Used to administrate the cluster WPS (via the deployment manager) from a web browser. This document contains the following sections: 1. CA configuration 2. SSL configuration for a z/os queue manager 3. SSL configuration for a AIX queue manager 4. SSL configuration for WPS Note: Section 1 must be completed first. Once section 1 is complete, sections 2 to 4 can be carried out in any order. Note: This document describes the creation of SSL artifacts (i.e. keyrings and certificates) to support SSL on queue manager to queue manager channels (e.g. sender-receiver channels or cluster channels) and MQLink channels. It does not include instructions to create the WMQ channel definitions themselves.

2 1 CA configuration In this section you will create the CA keyring and CA certificate on z/os. The CA is an internal-only CA which means that it is self signed and not signed by an external party. I. RACDCERT on winmvs70 Create and list the CA certificate. RACDCERT CERTAUTH GENCERT + SUBJECTSDN(CN('WMQ CA') + OU('LGI') + O('FIT') + L('Hursley') + SP('Hampshire') + C('UK')) + WITHLABEL('LGIWMQCA') RACDCERT CERTAUTH + LIST(LABEL('LGIWMQCA')) Create the CA keyring, connect the CA certificate, and list the CA keyring contents. ADDRING(LGICAKR) CONNECT(CERTAUTH LABEL('LGIWMQCA') + RING(LGICAKR) USAGE(CERTAUTH)) LISTRING(LGICAR)

3 2 SSL configuration for a z/os queue manager (ST03) In this section you will create a z/os queue manager certificate, signed by the CA. The queue manager and CA reside on the same z/os machine. Note: Section 1 must be carried out before starting this section. I. RACDCERT on winmvs70 Create and list the queue manager certificate. RACDCERT ID(SYSTASK) GENCERT + SUBJECTSDN(CN('ST03') + OU('LGI') + O('IBM') + L('Hursley') + SP('Hampshire') + C('UK')) + WITHLABEL('ibmWebSphereMQST03') + SIGNWITH(CERTAUTH LABEL('LGIWMQCA')) LIST(LABEL('ibmWebSphereMQST03')) Create the queue manager keyring, connect the CA certificate, connect the queue manager certificate, and list the queue manager keyring contents. ADDRING(WMQST03KR) CONNECT(CERTAUTH LABEL('LGIWMQCA') + RING(WMQST03KR) USAGE(CERTAUTH)) CONNECT(ID(SYSTASK) LABEL('ibmWebSphereMQST03') + RING(WMQST03KR) USAGE(PERSONAL)) LISTRING(WMQST03KR) II. MQSC on winmvs70 Set the queue manager keyring and refresh the WMQ SSL configuration. /ST03 ALTER QMGR SSLKEYR(WMQST03KR) /ST03 REFRESH SECURITY TYPE(SSL)

4 3 SSL config for an AIX queue manager (LGI.FRONT.AIX.01) In this section you will create a key database and certificate request for the queue manager. The certificate request is signed by the CA and then received into the key database. Note: Section 1 must be carried out before starting this section. Note: These instructions work on others platform which use the GSKit gsk7cmd command interface (e.g. Linux for System Z). I. Command line on fitmps02 Create the queue manager key database. gsk7cmd -keydb -create -db "/var/mqm/qmgrs/lgi!front!aix!01/ssl/ LGIFRONTAIX01.kdb" -pw password -type cms -expire 365 -stash Create the queue manager certificate request. gsk7cmd -certreq -create -db "/var/mqm/qmgrs/lgi!front!aix!01/ssl/ LGIFRONTAIX01.kdb" -pw password -label ibmwebspheremqlgi.front.aix.01 -dn " CN=LGI.FRONT.AIX.01, OU=LGI, O=IBM, L=Hursley, ST=Hampshire, C=UK" - file lgi01.req FTP the queue manager certificate request to the CA machine. ftp winmvs70.cpit -> asc -> quote site recfm=vb -> put lgi01.req SSL.LGI01.REQ II. RACDCERT on winmvs70 Sign the queue manager certificate request and list the certificate. RACDCERT ID(SYSTASK) GENCERT(SSL.LGI01.REQ) + SIGNWITH(CERTAUTH LABEL('LGIWMQCA')) + WITHLABEL('ibmwebspheremqlgi.front.aix.01') LIST(LABEL('ibmwebspheremqlgi.front.aix.01')) Export the signed queue manager certificate request and the public CA certificate. RACDCERT ID(SYSTASK) EXPORT( + LABEL('ibmwebspheremqlgi.front.aix.01')) + DSN(SSL.LGI01.CRT) + FORMAT(CERTB64) + PASSWORD('password') RACDCERT CERTAUTH EXPORT( + LABEL('LGIWMQCA')) + DSN(SSL.WMQCA.CRT) + FORMAT(CERTDER) III.Command line on fitmps02 FTP the signed queue manager certificate request and the public CA certificate from the CA machine. ftp winmvs70.cpit -> asc -> quote site recfm=vb -> get SSL.LGI01.CRT lgi01.crt -> bin -> get SSL.WMQCA.CRT wmqca.crt Add the public CA certificate to the queue manager's key database. gsk7cmd -cert -add -db "/var/mqm/qmgrs/lgi!front!aix!01/ssl/ LGIFRONTAIX01.kdb" -pw password -label LGIWMQCA -file wmqca.crt -format ascii Receive the signed queue manager certificate request into the queue manager's key database and list contents of the the queue manager's key database.

5 gsk7cmd -cert -receive -db "/var/mqm/qmgrs/lgi!front!aix!01/ssl/ LGIFRONTAIX01.kdb" -pw password -file lgi01.crt -format ascii gsk7cmd -cert -list -db "/var/mqm/qmgrs/lgi!front!aix!01/ssl/ LGIFRONTAIX01.kdb" -pw password Set the queue manager key database and refresh the WMQ SSL configuration. runmqsc LGI.FRONT.AIX.01 -> ALTER QMGR SSLKEYR('/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01') -> REFRESH SECURITY TYPE(SSL)

6 4 SSL configuration for WPS In this section you will create a certificate request for WPS. The certificate request is signed by the CA and then received into WPS. Note: Section 1 must be carried out before starting this section. I. WPS ISC on winmvs71 Create the queue manager certificate request. Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusKeyStore > Personal certificate requests Click New and fill in the fields as follows Filename=/WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/ cells/cellsbdplexedmgr/bpc.req Key label=bpcbuscert Key size=1024 CN=BPC O=IBM OU=LGI L=Hursley S=Hampshire C=GB II. USS Command line on winmvs71 Convert the queue manager certificate request from ASCII to EBCDIC. cd /WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/ CellSBDPlexEDmgr iconv -f 819 -t 1047 bpc.req > bpcconv.req FTP the WPS certificate request to the CA machine. ftp winmvs70.cpit -> asc -> quote site recfm=vb -> put bpcconv.req SSL.BPC.REQ III.RACDCERT on winmvs70 Sign the WPS certificate request and list the certificate. RACDCERT ID(SYSTASK) GENCERT(SSL.BPC.REQ) + SIGNWITH(CERTAUTH LABEL('LGIWMQCA')) + WITHLABEL('BPCBusCert') LIST(LABEL('BPCBusCert')) Export the signed WPS certificate request and the public CA certificate. RACDCERT ID(SYSTASK) EXPORT( + LABEL('BPCBusCert')) + DSN(SSL.BPC.CRT) + FORMAT(CERTDER) + PASSWORD('password') RACDCERT CERTAUTH EXPORT( + LABEL('LGIWMQCA')) + DSN(SSL.WMQCA.CRT) + FORMAT(CERTDER)

7 IV.USS Command line on winmvs71 FTP the signed WPS certificate request and the public CA certificate from the CA machine. cd /WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/ CellSBDPlexEDmgr ftp winmvs70.cpit -> bin -> get SSL.WMQCA.CRT wmqca.crt -> get SSL.BPC.CRT bpc.crt V. WPS ISC on winmvs71 Add the public CA certificate to the WPS trust store. Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusTrustStore > Signer certificates Click Add and fill in the fields as follows: Alias=LGIWMQCA Filename=/WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/ cells/cellsbdplexedmgr/wmqca.crt Datatype=Binary DER data Receive the signed WPS certificate request into the WPS key store. Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusKeyStore > Personal certificates Click Receive a certificate from a certificate authority and fill in the fields as follows: Certificate filename=/websphere/v6csbdm/deploymentmanager/profiles/ default/config/cells/cellsbdplexedmgr/bpc.crt Data type=binary DER data Enable the WPS certificate for Inbound on cluster member WPSSBN3. Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->inbound-cellsbdplexedmgr (CellDefaultSSLSettings,null)->nodes->NodeSBDMVS71N3 (NodeDefaultSSLSettings,null)->servers->WPSSBN3- >SIB_MQ_ENDPOINT_SECURE_ADDRESS(BPCBusSSLConfig,bpcbuskey) Select bpsbuscert from Certificate alias in key store Enable the WPS certificate for Inbound on cluster member WPSSBN4. Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->inbound-cellsbdplexedmgr (CellDefaultSSLSettings,null)->nodes->NodeSBDMVS70N4 (NodeDefaultSSLSettings,null)->servers->WPSSBN4- >SIB_MQ_ENDPOINT_SECURE_ADDRESS(BPCBusSSLConfig,bpcbuskey) Select bpsbuscert from Certificate alias in key store Enable the WPS certificate for Outbound on cluster member WPSSBN3. Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->outbound-cellsbdplexedmgr (CellDefaultSSLSettings,null)->nodes->NodeSBDMVS71N3 (NodeDefaultSSLSettings,null)->servers->WPSSBN3->Bus to WebSphere MQ (BPCBusSSLConfig,bpc self signed certificate_2) Select bpsbuscert from Certificate alias in key store

8 Enable the WPS certificate for Outbound on cluster member WPSSBN4. Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->outbound-cellsbdplexedmgr (CellDefaultSSLSettings,null)->nodes->NodeSBDMVS70N4 (NodeDefaultSSLSettings,null)->servers->WPSSBN4->Bus to WebSphere MQ (BPCBusSSLConfig,bpc self signed certificate_2) Select bpsbuscert from Certificate alias in key store Set the WPS certificate as the default client and server certificate. Navigate to Security->SSL certificate and key management > SSL configurations > BPCBusSSLConfig Fill in the fields as follows: Default server certificate alias=bpcbuscert Default client certificate alias=bpcbuscert Restart both application servers. Navigate to Servers->Application Servers Select WPSSBN3 and WPSSBN4. Click Stop. Wait for the servers to stop. Click Start. Wait for the servers to start. Put the receiver channel to WPS into inactive state. Navigate to Service integration->buses > BPC.CellSBDPlexEDmgr.Bus > Foreign buses > ST03 Click WebSphere MQ link Click Receiver channel Select Force for Quiesce state. Select Stopped for Target state. Select TO.BPCZ.qmgr and click Stop. Wait for the channel to stop. Start the sender channel from WPS. Navigate to Service integration->buses > BPC.CellSBDPlexEDmgr.Bus > Foreign buses > ST03 Click WebSphere MQ link Click Sender channel Select Stopped for Target state. Select BPC.TO.ST03 and click Stop. Wait for the channel to stop. Select BPC.TO.ST03 and click Start. Wait for the channel to start. VI.MQSC on winmvs70 Start the sender channel from the z/os queue manager. /ST03 STA CHL('TO.BPCZ.qmgr') Display the channel status to ensure that channels in both directions are running. /ST03 DIS CHS('TO.BPCZ.qmgr') /ST03 DIS CHS('BPC.TO.ST03 ') Author: Ian Vanstone >