ICE MQ Open Internet Connectivity Technical Guide to Encrypt Data Version 1.0
Setup MQ SSL communication: Technical Instructions

Introduction

All digital certificates are stored in a key database file that is managed with ikeyman or IKEYCMD (gsk7cmd). Each digital certificate has a label. A specific label associates a personal certificate with a queue manager or WebSphere MQ client, and SSL uses that certificate for authentication. On UNIX, WebSphere MQ expects the label to start with the prefix ibmwebspheremq (to avoid confusion with certificates for other products), followed by the name of the queue manager. Specify the entire certificate label in lower case, even when the queue manager name is in upper case.

Example: ibmwebspheremqyour_queue_manager_name (for queue manager ACSQMGR the label is ibmwebspheremqacsqmgr)

Before you run the commands below, make sure the JAVA_HOME environment variable has been set. Otherwise you will see this error:

The Java Cryptographic Extension(JCE) files were not found. Please check that the JCE files have been installed in the correct directory

Prerequisites

Step 1: JAVA_HOME Setup
(AIX) export JAVA_HOME=/opt/mqm/java/jre
(Solaris) export JAVA_HOME=/opt/mqm/ssl/jre

Step 2: Determine the default queue manager key database location
Run this MQ command in runmqsc:
dis qmgr SSLKEYR
AMQ8408: Display Queue Manager Details.
QMNAME(ACSQMGR) SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/key)

The result shows that the queue manager looks for a key database named key.kdb in the /var/mqm/qmgrs/$your_qm_name/ssl directory (SSLKEYR holds the path without the .kdb extension). If your key database file is named mykey.kdb instead, change the queue manager's SSLKEYR attribute:
change this: SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/key)
to this: SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/mykey)
i.e. in runmqsc: ALTER QMGR SSLKEYR('/var/mqm/qmgrs/ACSQMGR/ssl/mykey')

Procedure

Step 1. Prepare SSL key repository (key store/key database)
Use the following command to create the key database file on UNIX:
gsk7cmd -keydb -create -db filename -pw password -type cms -stash
-keydb -create  create a key database file
-db filename  the fully qualified file name of a CMS key database; it must have the file extension .kdb
  * You must keep the key database file in the /var/mqm/qmgrs/$qmgr/ssl directory.
  * Use the MQ default file name: key.kdb
-pw password  password for the key database
-type cms  the type of database (for MQ, must be CMS)
-stash  create a stash file (key.sth) so that MQ can open the key database without prompting for the password
The stash file holds the password in obfuscated, not encrypted, form. Keep the key database and stash file owned by mqm and readable only by the mqm user and group (for example chmod 640); anyone who can read them can use the queue manager's private key.

Step 2. Create a self-signed certificate for the queue manager
Use the following command to create the self-signed certificate on UNIX:
gsk7cmd -cert -create -db filename -pw password -label ibmwebspheremq$qmgr_name -dn distinguished_name -size key_size -x509version version -expire days
-cert -create  create a self-signed certificate
-db filename  the key database file name
-pw password  password for the key database
-label  the key label attached to the certificate (must be in lower case; see the example above)
-dn  the X.500 distinguished name, enclosed in double quotes, for example "CN=ACSQMGR,OU=MQ,O=Your Company,C=US". Only the CN attribute is required. You can also supply multiple OU attributes.
-size  key size in bits: 512 or 1024 as documented for this MQ level. Caveat: 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered adequate; use the largest size your GSKit level accepts (2048 where available) and never 512.
-x509version  the version of X.509 certificate to create; the value can be 1, 2, or 3. The default is 3.
-expire  the expiration time in days. The default is 365 days; set it for a longer period, e.g. 3650 days, so the certificate does not have to be re-exchanged with ICE every year. Record the expiry date: once the certificate expires the channel will no longer start until a new certificate has been exchanged.

Step 3. Extract a copy of the self-signed certificate
Use the following command to extract the public part of the self-signed certificate on UNIX (the private key stays in the key database):
gsk7cmd -cert -extract -db filename -pw password -label ibmwebspheremq$qmgr_name -target file_name -format ascii
-cert -extract  extract a certificate
-db filename  the key database file name
-pw password  password for the key database
-label  the key label attached to the certificate
-target  the output file name, with the .arm file extension
-format  the data type of the certificate (ascii gives a Base64-encoded file suitable for e-mail)

Step 4. Send extracted certificate to clients
Please send the extracted certificate (.arm file only, never the .kdb or .sth file) to ICE. Please copy your request to all email lists below for all key exchange project requests.
1. syseng@theice.com: Systems Engineering, first level ICE MQ Support
2. sean.shih@theice.com: Second level ICE MQ Support
3. ICEClearUS@theice.com: ICE Clear US Support, for tracking and managing your request until its completion

Step 5. Add client's certificate to key repository
ICE will respond to step 4 with its public certificate. Once you have received ICE's certificate, add it to your key database as a trusted signer certificate. Use the following command on UNIX:
gsk7cmd -cert -add -db filename -pw password -label label -file file_name -format ascii
-cert -add  add a certificate received from a partner to the key database as a trusted (signer) certificate
-db filename  the key database file name
-pw password  password for the key database
-label  a label for the partner certificate. Use a distinct label of your choosing (for example ice); do not reuse ibmwebspheremq$qmgr_name, which already belongs to your own personal certificate and would be rejected as a duplicate label.
-file  the file name of the received certificate, with the .arm file extension
-format  the data type of the certificate (ascii)
Afterwards, run gsk7cmd -cert -list -db filename -pw password and confirm that both your own personal certificate and ICE's certificate are listed.

Step 6. Modify channel configuration
Run the following in runmqsc:
STOP CHANNEL($your_channel_name)
ALTER CHANNEL($your_channel_name) CHLTYPE(SDR) SSLCIPH(RC4_MD5_US)
REFRESH SECURITY TYPE(SSL)
START CHANNEL($your_channel_name)
The CipherSpec must be identical at both ends of the channel, so use the value ICE specifies. Caveat: RC4_MD5_US relies on RC4 and MD5, both of which are cryptographically weak, and it is deprecated or disabled on later MQ versions; confirm with ICE support whether a stronger CipherSpec such as TLS_RSA_WITH_AES_128_CBC_SHA is accepted before going live. REFRESH SECURITY TYPE(SSL) is required whenever the key repository changes; without it a running queue manager keeps using the previously loaded repository contents.

Reference:
IBM InfoCenter (MQ Security): http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp
Verisign: https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=ar230
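The whole procedure above, written as one POSIX sh script, is given here as an added example; it is not ICE's script and does not come from the guide. It assumes gsk7cmd and runmqsc are on PATH, that it runs as the mqm user, and that the GSKit level accepts a 2048-bit key. The queue manager name, DN, password, channel name, partner label and partner .arm path are hypothetical arguments. The helper functions enforce the label convention (ibmwebspheremq prefix, lower case) and build the SSLKEYR value without the .kdb suffix, and the partner certificate is refused if its label would collide with the queue manager's own label.

```shell
#!/bin/sh
# Added example, not ICE's script. Steps 1-3 and 5-6 of the guide as functions.
set -eu
export LC_ALL=C

# MQ label convention: prefix ibmwebspheremq + queue manager name, all lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# SSLKEYR value for a queue manager: repository path without the .kdb extension.
# Second argument overrides the default base name "key".
mq_sslkeyr() {
    printf '/var/mqm/qmgrs/%s/ssl/%s\n' "$1" "${2:-key}"
}

# Returns 0 only for labels MQ will accept for the personal certificate:
# entirely lower case and prefixed with ibmwebspheremq followed by a name.
mq_label_ok() {
    case "$1" in
        *[A-Z]*)          return 1 ;;
        ibmwebspheremq?*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Steps 1-3: key database with stash file, self-signed personal certificate,
# and the Base64 .arm file to send to ICE. Prints the .arm path.
mq_qmgr_create_cert() {
    qm=$1; dn=$2; pw=$3
    label=$(mq_cert_label "$qm")
    dir=/var/mqm/qmgrs/$qm/ssl
    kdb=$dir/key.kdb
    mq_label_ok "$label" || { echo "bad label: $label" >&2; return 1; }
    # Step 1: CMS database; -stash writes key.sth so the qmgr opens it unattended.
    gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -stash
    # The stash file only obfuscates the password: restrict both files to mqm.
    chmod 640 "$kdb" "$dir/key.sth"
    # Step 2: self-signed certificate, ten years, 2048-bit key (assumed supported).
    gsk7cmd -cert -create -db "$kdb" -pw "$pw" -label "$label" -dn "$dn" \
        -size 2048 -x509version 3 -expire 3650
    # Step 3: extract only the public certificate; the private key stays in the .kdb.
    gsk7cmd -cert -extract -db "$kdb" -pw "$pw" -label "$label" \
        -target "$dir/$label.arm" -format ascii
    echo "$dir/$label.arm"
}

# Steps 5-6: trust ICE's certificate under its own label, then restart the
# sender channel with the agreed CipherSpec and refresh the SSL cache.
mq_qmgr_trust_partner() {
    qm=$1; pw=$2; partner_arm=$3; partner_label=$4; channel=$5; cipher=$6
    kdb=/var/mqm/qmgrs/$qm/ssl/key.kdb
    own=$(mq_cert_label "$qm")
    [ "$partner_label" != "$own" ] || {
        echo "partner label must differ from own label $own" >&2; return 1; }
    gsk7cmd -cert -add -db "$kdb" -pw "$pw" -label "$partner_label" \
        -file "$partner_arm" -format ascii
    # Both the personal certificate and the partner certificate should be listed.
    gsk7cmd -cert -list -db "$kdb" -pw "$pw"
    runmqsc "$qm" <<EOF
STOP CHANNEL($channel)
ALTER CHANNEL($channel) CHLTYPE(SDR) SSLCIPH($cipher)
REFRESH SECURITY TYPE(SSL)
START CHANNEL($channel)
EOF
}

# Usage (hypothetical values):
#   mqssl.sh create ACSQMGR "CN=ACSQMGR,OU=MQ,O=Your Company,C=US" 'kdb-password'
#   mqssl.sh trust  ACSQMGR 'kdb-password' /tmp/ice.arm ice TO.ICE RC4_MD5_US
case "${1:-}" in
    create) mq_qmgr_create_cert "$2" "$3" "$4" ;;
    trust)  mq_qmgr_trust_partner "$2" "$3" "$4" "$5" "$6" "$7" ;;
esac
```

Run the create step first, send the printed .arm file to ICE (step 4 of the guide), and run the trust step once ICE's certificate arrives. The script deliberately never prints or logs the key database password and never copies the .kdb or .sth file anywhere.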