Setting up SSL-based communication between WebSphere MQ and WebSphere Message Broker

Using MQ Secure Sockets Layer (SSL) with Microsoft Windows on z/OS

This tutorial teaches how to set up WebSphere® MQ Secure Sockets Layer (SSL) between Microsoft Windows® and z/OS® using panels, including checking various combinations of SSL Cipher Specification (SSLCIPH), SSL Client Authentication (SSLCAUTH), invalid and expired certificates.


Prashant R. Muragod (pmuragod@in.ibm.com), Software Engineer, IBM

Prashant has a total of 6 years of experience, the majority of which is in the messaging field (WebSphere MQ). He was involved in developing WebSphere MQ-based transactions on z/OS. He has worked in WebSphere MQ Pre-GA testing and is currently working in WebSphere Message Broker Post-GA testing.



Ribu Rajan (ribu_rajan@in.ibm.com), Software Engineer, WebSphere Message Broker Support team, IBM  

Ribu Rajan is a Software Engineer on the WebSphere Message Broker Level-3 Support team with IBM India. He has a degree in Computer Science and a higher diploma in Software Engineering, and he holds certifications in Java, Microsoft .NET, and WebSphere Application Server. He has four years of IT experience, and has worked with the WebSphere Application Server Services team and with WebSphere Message Broker Post-GA Test team. You can contact Ribu at ribu_rajan@in.ibm.com.



26 August 2009


Before you start

This tutorial shows how to set up SSL-based communication between WebSphere MQ and WebSphere Message Broker products, using MQ SSL with Microsoft Windows on z/OS. It shows how to check various combinations of SSL Cipher Specification (SSLCIPH). It also demonstrates error scenarios like invalid certificates and expired certificates.

We perform all these tasks using panels on the z/OS platform, which makes them easy to follow for a relatively less experienced z/OS user. At the end of the article, we list all the RACF commands on z/OS (such as creating a key ring and adding a certificate to the key ring). These commands perform the same actions as the panels for MQ SSL setup on the z/OS platform.

Objectives

  • Set up MQ SSL on z/OS queue manager
  • Establish one-way SSL communication between the z/OS queue manager and WebSphere Message broker toolkit
  • Establish two-way SSL communication between the z/OS queue manager and WebSphere Message broker toolkit
  • Demonstrate SSL communication for various combinations of SSLCIPH
  • Demonstrate error scenarios (invalid combinations of SSLCIPH, invalid certificates and expired certificates)

Prerequisites

You should be familiar with:

  • The basics of z/OS
  • Usage of various panels (ISPF, RACF, etc.) on z/OS
  • IBM WebSphere MQ
  • IBM WebSphere Message Broker (runtime and toolkit) concepts
  • Some familiarity with SSL on Microsoft Windows

System requirements

To implement the tasks listed in this tutorial, you need:

  • A Microsoft Windows machine
  • IBM WebSphere MQ V6 or above
  • IBM WebSphere Message Broker V6 or V6.1
  • IBM WebSphere Message Broker Toolkit V6 or V6.1
  • A z/OS LPAR with RACF installed on it

Duration

  • 2 hours

Keywords and Definitions

For your convenience, this section provides some key term definitions from the MQ Information Center.

SSL (Secure Sockets Layer)

SSL is an industry-standard protocol that provides a data security layer between application protocols and the communications layer, usually TCP/IP. SSL uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.

MQ SSL

In WebSphere MQ, you can use SSL for communication between two queue managers using a digital certificate on each of the queue managers.

SSLCIPH (SSL Cipher Specification)

SSLCIPH defines a single CipherSpec for an SSL connection. Both ends of a WebSphere MQ SSL channel definition must include the attribute and the SSLCIPH values must specify the same CipherSpec on both ends of the channel. The value is a string with a maximum length of 32 characters. This attribute is valid for all channel types. It is valid only for channels with a transport type (TRPTYPE) of TCP. If the TRPTYPE is not TCP, the data is ignored and no error message is issued. SSLCIPH is an optional attribute.

To learn more, see the SSL supported by WebSphere MQ.

SSLCAUTH (SSL Client Authentication)

SSLCAUTH is used to define whether the channel needs to receive and authenticate an SSL certificate from an SSL client. Possible values are:

  • OPTIONAL - If the peer SSL client sends a certificate, the certificate is processed as normal but authentication does not fail if no certificate is sent.
  • REQUIRED - If the SSL client does not send a certificate, authentication fails.

The default value is REQUIRED.

You can specify a value for SSLCAUTH on a non-SSL channel definition, one on which SSLCIPH is missing or blank. You can use this to temporarily disable SSL for debugging without first having to clear and then re-input the SSL parameters.

SSLCAUTH is an optional attribute.

This attribute is valid on all channel types that can ever receive a channel initiation flow, except for sender channels. This attribute is valid for channel types of:

  • Server
  • Receiver
  • Requester
  • Server connection
  • Cluster receiver

SSLPEER (SSL Peer)

The SSLPEER attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of a WebSphere MQ channel. If the DN received from the peer does not match the SSLPEER value, the channel does not start. SSLPEER is an optional attribute. If a value is not specified, the peer DN is not checked when the channel is started. On z/OS the maximum length of the attribute is 256 bytes. On all other platforms it is 1024 bytes. On z/OS the attribute values used are not checked. If you input incorrect values, the channel fails at startup, and error messages are written to the error log at both ends of the channel. A Channel SSL Error event is also generated at both ends of the channel. On platforms that support SSLPEER, other than z/OS®, the validity of the string is checked when it is first input. You can specify a value for SSLPEER on a non-SSL channel definition, one on which SSLCIPH is missing or blank. You can use this to temporarily disable SSL for debugging without having to clear and later re-input the SSL parameters.

You can find more information on these keywords in the WebSphere MQ Information Center.

Assumptions

The following sections provide steps and the screenshots for setting up an MQ SSL connection between the WebSphere Message Broker Toolkit (windows) and the WebSphere MQ queue manager on z/OS.

Assumption 1: The queue managers are created and are running, and the channel initiators are running. SSL setup is not yet activated.

Assumption 2: In this tutorial we use two user IDs: MA01USR and MA02USR for queue managers MA01 and MA02 respectively. These user IDs need to have access to issue a RACDCERT command. Check with your system administrator to see if the user ID that you will be using has access to the RACDCERT command. For more information on various profile definitions, please refer to the topic The RACDCERT COMMAND discussed at the end of this document.

In the section below, you will learn to create a key ring. A key ring can be thought of as a repository that holds digital certificates. These certificates are used to ascertain the trustworthiness of the client system.


Creating a key ring

  1. Select option R (RACF) as shown in Figure 1 and press the Enter key.
    Figure 1. WMQI Change Team Menu
    Entering R on the WMQI Change Team Menu
  2. Select option 7 (DIGITAL CERTIFICATES AND KEY RINGS) as shown in Figure 2 and press Enter.
    Figure 2. Services Option Menu
    Entering 7 on the Services Option Menu
  3. Select option 6 (Key Ring Services) as shown in Figure 3 and press Enter.
    Figure 3. Services Option Menu
    Entering 6 on the Services Option Menu
  4. Select option 1 (Create a new key ring), enter the user name (MA01USR in this case) in the For user field as shown in Figure 4, and press Enter.
    Figure 4. Digital Certificate Key Ring Services
    Entering 1 on the Digital Certificate Key Ring Services
  5. Enter MA01 for the name of the ring as shown in Figure 5 and press Enter.
    Figure 5. Digital Certificate Key Ring Name
    Entering MA01 for the Digital Certificate Key Ring Name
  6. Figure 6 shows that the key ring has been successfully created and added to the RACF Database.
    Figure 6. Confirmation that key ring has been added
    Key Ring MA01 has been successfully added
  7. Press the F3 key until you return to the main menu.

In the next section, you will learn to create a CA certificate using RACF.


Creating a client authentication (CA) certificate

  1. Select option 1 (Generate a certificate and a public/private key pair) as shown in Figure 7 and press Enter.
    Figure 7. Digital Certificates and Related Services
    Entering option 1 on Digital Certificates and Related Services
  2. Enter X to request a CA certificate as shown in Figure 8, and press F8. (F8 is the scroll down function key.)
    Figure 8. Generate a Digital Certificate
    Selecting Certificate Authority for the Certification Type
  3. Enter First.M.Last for CommonName, Software Engineer for Title and MVS for Organizational Unit as shown in Figure 9:
    Figure 9. Generate a Digital Certificate (More options)
    Options on Generate a Digital Certificate
  4. Enter the values for the start date/time and the end date/time for the CA certificate as shown in Figure 10. These values define the validity period of the certificate. Enter CA01 as the Label name for the CA certificate and press F8.
    Figure 10. Generate a Digital Certificate (More options)
    More options on Generate a Digital Certificate
  5. Enter an X by option Certsign as shown in Figure 11. If you do not get an error message, the CA certificate has been successfully created and added to the RACF database.
    Figure 11. Generate a Digital Certificate (More options)
    Selecting Certsign
  6. To list the CA certificate CA01, select option 4 as shown in Figure 12, and press Enter.
    Figure 12. Digital Certificates and Related Services
    Selecting 4 on Digital Certificates and Related Services
  7. Enter an X under Certificate Authority in the For Certificate Type field, and select option 3 as shown in Figure 13. Press Enter.
    Figure 13. Digital Certificate Services Main Panel
    Selecting Certificate Authority for the Certificate Type
  8. Enter CA01 for the label of the certificate, and select option 1 as shown in Figure 14. Press Enter.
    Figure 14. Digital Certificate List Filtering Panel
    Entering 1 on the Digital Certificate List Filtering Panel
  9. Figure 15 shows the contents of the certificate CA01. Press F8 to see more details about the certificate.
    Figure 15. Change Status/Delete Digital Certificate
    Contents of the CA01 certificate

In the next section, you will learn to create a personal certificate which is signed by the CA certificate. The signing CA certificate is the one which you created in the above section with the label of CA01.


Creating a personal certificate

  1. Select option 1 as shown in Figure 16 and press Enter.
    Figure 16. Digital Certificates and Related Services
    Selecting 1 on Digital Certificates and Related Services
  2. Enter the personal user ID with which you would like to generate the personal certificate. Select Certificate Authority for the Signing Certificate type and enter CA01 for the Label as shown in Figure 17. Press F8 to scroll down.
    Figure 17. Generate a Digital Certificate
    Enter values on the Generate a Digital Certificate panel
  3. Enter MAO1.PERSONAL for the Common Name of your choice as shown in Figure 18. Press F8 to scroll down.
    Figure 18. Generate a Digital Certificate (More options)
    Entering MAO1.PERSONAL for the Common name
  4. Enter the name of the personal certificate in the Label field. The usual format is ibmWebSphereMQXXXX where XXXX stands for the four letter queue manager name. Select the option for Handshake as shown in Figure 19, and press Enter.
    Figure 19. Generate a Digital Certificate (More options)
    Entering more options on Generate a Digital Certificate

Connecting the certificates to the key ring

Next we need to add both the CA certificate and the personal certificate to the key ring, because the queue manager looks at the list of the certificates in its key ring when performing the SSL handshake with the client system.

Connect the CA certificate CA01 to the key ring MA01

In this section, you will learn to connect (add) the CA certificate to the key ring.

  1. Select option 6 (Create, List, or Delete an entire key ring or Connect or Remove a certificate to/from a key ring) as shown in Figure 20, and press Enter.
    Figure 20. Digital Certificates and Related Services
    Selecting 6 on Digital Certificates and Related Services
  2. Select option 4 for connecting a digital certificate to a key ring as shown in Figure 21, and press Enter.
    Figure 21. Digital Certificate Key Ring Services
    Selecting 4 on Digital Certificate Key Ring Services
  3. Enter MA01 for the ring name and select the Certificate Authority option for the Certificate Type. Enter CA01 for the Label name, select Certificate Authority as the Usage certificate as shown in Figure 22, and press Enter.
    Figure 22. Connect a Digital Certificate to a Key Ring
    Entering ring name and Certificate Type.
  4. Figure 23 shows that the CA certificate CA01 has been successfully connected to the key ring MA01.
    Figure 23. Digital Certificate Key Ring Services
    Certificate successfully connected to key ring

In the next section, you will learn to connect (add) the personal certificate to the key ring.

Connect the personal certificate ibmWebSphereMQMA01 to the key ring MA01

  1. Enter the user ID with which you had created the personal certificate (MA01USR) and select option 4 (Connect a digital certificate to a key ring) as shown in Figure 24, and press Enter.
    Figure 24. Digital Certificate Key Ring Services
    Entering user ID and selecting option 4.
  2. Enter MA01 for the ring name, and enter the user ID MA01USR for the Certificate Type (because this is a personal certificate). Next enter ibmWebSphereMQMA01 for the Label name, select Personal for the Usage field as shown in Figure 25, and press Enter.
    Figure 25. Connect a Digital Certificate to a Key Ring
    Entering values for Connect a Digital Certificate to a Key Ring
  3. Figure 26 shows that the personal certificate ibmWebSphereMQMA01 has been connected to the key ring MA01.
    Figure 26. Digital Certificate Key Ring Services
    Certificate successfully connected to key ring

In the next section, you learn to list all the certificates that are connected (added) to the key ring.

List the certificates connected to the key ring

  1. Select option 3 (List existing key ring(s)), enter MA01USR for the user ID as in Figure 27, and press Enter.
    Figure 27. Digital Certificate Key Ring Services
    Entering 3 on Digital Certificate Key Ring Services panel
  2. Enter MA01 for the key ring name as shown in Figure 28, and press Enter.
    Figure 28. Digital Certificate List Key Ring Services
    Entering MA01 for the key ring name
  3. Figure 29 shows all the certificates that are connected to the key ring MA01.
    Figure 29. List Ring Names
    List of certificates

Listing 1 shows a snippet of the channel initiator log (MA01CHIN). Note the values of the variables SSLTASKS (=0) and SSLKEYR (=' '), and the message "0 SSL server subtasks started, 0 failed", which indicates that the queue manager is not yet set up for SSL communication.

Also note the message stating that the listener on port 1501 has been started.

Listing 1. A snippet of the channel initiator (MA01CHIN) log
CSQX080I MA01 CSQXGIP SSLTASKS=0, SSLRKEYC=0
CSQX081I MA01 CSQXGIP SSLKEYR=
CSQX082I MA01 CSQXGIP SSLCRLNL=
CSQX085I MA01 CSQXGIP LU62CHL=200, LUGROUP= , LUNAME= , LU62ARM=
CSQX090I MA01 CSQXGIP TCPCHL=200, TCPKEEP=NO, TCPNAME=TCPIP
CSQX091I MA01 CSQXGIP TCPSTACK=SINGLE, IPADDRV=IPV4
CSQX092I MA01 CSQXGIP OPORTMIN=0, OPORTMAX=0
CSQX093I MA01 CSQXGIP DNSWLM=NO, DNSGROUP=
CSQX094I MA01 CSQXGIP RCVTIME=0, RCVTTYPE=MULTIPLY, RCVTMIN=0
CSQX011I MA01 CSQXGIP Client attachment feature available
CSQX141I MA01 CSQXADPI 8 adapter subtasks started, 0 failed
CSQX151I MA01 CSQXSSLI 0 SSL server subtasks started, 0 failed
CSQX410I MA01 CSQXREPO Repository manager started
CSQX015I MA01 CSQXSPRI 5 dispatchers started, 0 failed
CSQX022I MA01 CSQXSUPR Channel initiator initialization complete
CSQX251I MA01 CSQXSTRL Listener started, TRPTYPE=TCP INDISP=QMGR
CSQX023I MA01 CSQXLSTT Listener started, port 1501 address *,

Extracting the CA certificate

Now the queue manager has a certificate. The queue manager presents this certificate to the Toolkit when the Toolkit connects (as an MQ Client). To validate the queue manager’s certificate, the Toolkit needs the CA certificate.

Prior to this, create a configuration manager and define an ACL entry for the user ID with which the WebSphere Message Broker toolkit has been started. For more information on creating the configuration manager and ACLs, refer to the IBM WebSphere Message Broker Information Center.

To extract the CA file into a physical sequential (PS) file, follow these steps.

  1. Create a PS file using the parameters as shown in Figure 30. This file will be used to extract the CA certificate CA01.
    Figure 30. Data Set Information
    General Data = Current Allocation, Management class = STANDARD, Allocated tracks = 5, Storage class = STANDARD, Allocated extents = 1, Volume serial = PSP028, Device type = 3390, Data class = **None**, Organization = PS, Used tracks = 1, Record format = VB, Used extents = 1, Record length = 84, Block size = 27998, 1st extent tracks = 5, Secondary tracks = 5, Data set name type=SMS Compressible = NO
  2. Select option 3 (Write a certificate to a data set) as shown in Figure 31, and press Enter.
    Figure 31. Digital Certificates and Related Services
    Entering 3 on Digital Certificates and Related Services
  3. Since we are transferring the CA certificate to the Windows machine, select Certificate Authority for the Certificate Type, as shown in Figure 32. Enter CA01 as the label name and enter the name of the data set that will hold the extracted certificate. Select the option for Base64 encoded X.509 certificate, which is the default format type of the extracted certificate. Press Enter.
    Figure 32. Write a Certificate to a Data Set
    Entering values for Write a Certificate to a Data Set panel
  4. Using the ISPF 3.4 option, you can view the extracted certificate.

Listing 2 shows the contents of the extracted certificate CA01.

Listing 2. Contents of the CA certificate CA01

Transfer the CA certificate file to Windows Toolkit’s repository

Follow these steps to transfer the CA certificate file to Windows:

  1. Using Windows Explorer, or a Command Prompt, create a directory called C:\MQSSL\MA01:
    C:\>md MQSSL
    C:\>cd MQSSL
    C:\MQSSL>md MA01

    The Toolkit’s key repository will be created in C:\MQSSL\MA01.

  2. FTP the PS file from the z/OS machine to the Windows machine in ASCII mode. Rename the file on the Windows machine as qmgrname.arm. In our example it is MA01.arm.
    ftp> lcd C:\MQSSL\MA01
    Local directory now C:\MQSSL\MA01.
    ftp> cd 'HLQ'
    250 "HLQ." is the working directory name prefix.
    ftp> ascii
    200 Representation type is Ascii NonPrint
    ftp> mget 'HLQ.SSLCA.MA01'
    200 Representation type is Ascii NonPrint
    mget 'HLQ.SSLCA.MA01'? y
    200 Port request OK.
    125 Sending data set HLQ.SSLCA.MA01
    250 Transfer completed successfully.
    ftp: 1596 bytes received in 0.02Seconds 99.75Kbytes/sec.

    Note that HLQ is the high level qualifier and varies for each of the z/OS LPARs. Contact your system administrator to know the value of HLQ for your system.

  3. Open a Windows Command prompt and enter the command strmqikm. This opens a GUI.
  4. Create a key repository for the Toolkit, by selecting Key Database File - New, and create a repository using the following parameters:
    • Key Database Type: JKS
    • File name: key.jks
    • Location: C:\MQSSL\MA01

    Note: The Key Database Type is important. It must be a JKS key repository since the Toolkit is an MQ Java Client, which uses JKS repositories by default.

  5. At the password prompt, enter changeit as the password for this repository, twice.

    This is the default password for a JKS repository. This wouldn’t be used in a production system, but for this exercise, it is easier to just let the Toolkit take the defaults. Don’t forget the password as access to the key repository will be needed later. You can see the list of CA certificates provided by default.

  6. Click Add (top right hand corner).
  7. At the dialog prompt, enter MA01.arm for the Certificate file name and C:\MQSSL\MA01\ for the location. Click OK.
  8. When prompted to enter a label for the certificate, enter the label name given while creating the CA certificate, which is CA01. This is very important as any change in the label name will not allow the Toolkit to connect to the queue manager. Click OK.
  9. The certificate now appears in the Signer Certificates repository. Close the file (Key Database File - Close). Close the iKeyMan GUI.

So now we can perform a one way SSL communication where the queue manager MA01 (residing on the z/OS platform) presents the certificate to the Toolkit. We need to make two changes:

  1. Alter the queue manager to refer to the key ring repository.
  2. Alter the channel SYSTEM.BKR.CONFIG to use the correct SSLCIPH values.

Note: You use the SYSTEM.BKR.CONFIG channel to connect the z/OS queue manager to the Windows Toolkit.

Once the key ring is defined and the certificates are created and connected to the key ring, you have to alter the queue manager so that it picks up the SSL configuration details using the key ring.

Alter the queue manager MA01 to refer to the key ring repository

  1. Using the MQ panels (check with your system administrator for access), update the SSL Key repository field to refer to the key ring MA01.
  2. Select option 3 (Alter) and enter Manager for the Object type. Enter MA01 for the name of the queue manager as shown in Figure 33, and press Enter. Note that the name of the menu can be different on different machines.
    Figure 33. IBM WebSphere MQ for z/OS - Main Menu
    Selecting 3 on the IBM WebSphere MQ for z/OS - Main Menu
  3. Figure 34 displays.
    Figure 34. Alter a Queue Manager - 1
    Alter a Queue manager - 1 panel
  4. Press the F8 key multiple times until you reach the panel shown in Figure 35. Enter MA01 for the SSL key repository (which is the key ring) and specify 8 for the SSL server tasks field (this indicates that 8 SSL server tasks will be started to service the SSL communications). Press Enter.
    Figure 35. Alter a Queue Manager - 7
    Entering MA01 for the SSL key repository and 8 for the SSL server tasks
  5. Figure 36 shows that the queue manager MA01 has been altered successfully to use the SSL facility.
    Figure 36. Alter a Queue Manager – 7 (More options)
    CSQ9022I MA01 CSQMAMMS ' ALTER QMGR' NORMAL COMPLETION

    Alternatively, you can use this command to alter all the queue managers:

    Qmgrname ALTER QMGR SSLKEYR('MA01') SSLTASKS(8)

    Note: The change mentioned above is only a temporary change. Once the queue manager is restarted or recreated, the change has to be repeated.

  6. Restart the channel initiator. Don’t forget to start the listener.

Listing 3 shows that the channel initiator will now use the key ring MA01 using 8 SSLTASKS.

Listing 3. Channel Initiator(MA01CHIN) logs
STC00503  +CSQX080I MA01 CSQXGIP SSLTASKS=8, SSLRKEYC=0                    
STC00503  +CSQX081I MA01 CSQXGIP SSLKEYR=MA01                              
STC00503  +CSQX082I MA01 CSQXGIP SSLCRLNL=                                 
STC00503  +CSQX085I MA01 CSQXGIP LU62CHL=200, LUGROUP= , LUNAME= , LU62ARM=
STC00503  +CSQX090I MA01 CSQXGIP TCPCHL=200, TCPKEEP=NO, TCPNAME=TCPIP     
STC00503  +CSQX091I MA01 CSQXGIP TCPSTACK=SINGLE, IPADDRV=IPV4             
STC00503  +CSQX092I MA01 CSQXGIP OPORTMIN=0, OPORTMAX=0                    
STC00503  +CSQX093I MA01 CSQXGIP DNSWLM=NO, DNSGROUP=                      
STC00503  +CSQX094I MA01 CSQXGIP RCVTIME=0, RCVTTYPE=MULTIPLY, RCVTMIN=0   
STC00503  +CSQX011I MA01 CSQXGIP Client attachment feature available       
STC00503  +CSQX141I MA01 CSQXADPI 8 adapter subtasks started, 0 failed     
STC00503  +CSQX410I MA01 CSQXREPO Repository manager started               
STC00503  +CSQX151I MA01 CSQXSSLI 8 SSL server subtasks started, 0 failed  
STC00503  +CSQX015I MA01 CSQXSPRI 5 dispatchers started, 0 failed          
STC00503  +CSQX022I MA01 CSQXSUPR Channel initiator initialization complete
STC00503  +CSQX251I MA01 CSQXSTRL Listener started, TRPTYPE=TCP INDISP=QMGR
STC00503  +CSQX023I MA01 CSQXLSTT Listener started,  298
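
The before/after difference between Listing 1 and Listing 3 can be checked mechanically after each channel initiator restart. The following is an added example, not part of the original tutorial: it reads the CSQX080I, CSQX081I and CSQX151I lines quoted in the two listings and reports what still blocks SSL. The function names and the partial-failure sample line are assumptions made for this sketch.

```python
import re

# Startup messages copied from Listing 1 (before) and Listing 3 (after) on this page.
LISTING_1 = """\
CSQX080I MA01 CSQXGIP SSLTASKS=0, SSLRKEYC=0
CSQX081I MA01 CSQXGIP SSLKEYR=
CSQX151I MA01 CSQXSSLI 0 SSL server subtasks started, 0 failed
"""
LISTING_3 = """\
STC00503  +CSQX080I MA01 CSQXGIP SSLTASKS=8, SSLRKEYC=0
STC00503  +CSQX081I MA01 CSQXGIP SSLKEYR=MA01
STC00503  +CSQX151I MA01 CSQXSSLI 8 SSL server subtasks started, 0 failed
"""
# Constructed sample (not from the page): some subtasks failed to start.
PARTIAL_FAILURE = LISTING_3.replace("8 SSL server subtasks started, 0 failed",
                                    "6 SSL server subtasks started, 2 failed")

# Message id, queue manager name, issuing module, then the message text.
MSG = re.compile(r"(CSQX\d{3}[A-Z])\s+(\S+)\s+(\S+)\s*(.*)")
PAIR = re.compile(r"(\w+)=([^,]*)")
SUBTASKS = re.compile(r"(\d+) SSL server subtasks started, (\d+) failed")


def parse_chin_log(text):
    """Collect the SSL-related startup values from channel initiator messages."""
    state = {"qmgr": None, "params": {}, "started": None, "failed": None}
    for line in text.splitlines():
        match = MSG.search(line)
        if not match:
            continue  # wrapped continuation line or unrelated job output
        msgid, qmgr, _module, rest = match.groups()
        state["qmgr"] = qmgr
        if msgid in ("CSQX080I", "CSQX081I"):
            for key, value in PAIR.findall(rest):
                state["params"][key] = value.strip()
        elif msgid == "CSQX151I":
            counts = SUBTASKS.search(rest)
            if counts:
                state["started"] = int(counts.group(1))
                state["failed"] = int(counts.group(2))
    return state


def ssl_findings(state):
    """Return the reasons the queue manager is not ready for SSL (empty if ready)."""
    findings = []
    params = state["params"]
    if "SSLTASKS" not in params:
        findings.append("CSQX080I not seen: SSLTASKS unknown")
    elif params["SSLTASKS"] == "0":
        findings.append("SSLTASKS=0: no SSL server subtasks requested")
    if "SSLKEYR" not in params:
        findings.append("CSQX081I not seen: SSLKEYR unknown")
    elif not params["SSLKEYR"]:
        findings.append("SSLKEYR is blank: no key ring configured")
    if state["started"] is None:
        findings.append("CSQX151I not seen: SSL subtask status unknown")
    else:
        if state["started"] == 0:
            findings.append("0 SSL server subtasks started")
        if state["failed"] > 0:
            findings.append("%d SSL server subtasks failed" % state["failed"])
    return findings


if __name__ == "__main__":
    for name, text in [("Listing 1", LISTING_1), ("Listing 3", LISTING_3),
                       ("partial failure", PARTIAL_FAILURE)]:
        state = parse_chin_log(text)
        problems = ssl_findings(state)
        print(name, state["qmgr"], problems if problems else "SSL ready")
```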

Now that you have set up the queue manager to use the SSL configuration settings, you need to update the channel SYSTEM.BKR.CONFIG to use the SSL cipher specification attribute while performing the connection. The next section shows how to update the SSLCIPH attribute.

Update the channel SYSTEM.BKR.CONFIG to use the SSL cipher specification as NULL_SHA

  1. Using MQ panels, select option 3 (Alter) to alter the channel properties. Select Channel for the Object type and enter MA01 for the queue manager name as shown in Figure 37. Press Enter.
    Figure 37. IBM WebSphere MQ for z/OS - Main Menu
    Setting the Object type and queue manager name
  2. Update the SSL cipher specification field to have a value of NULL_SHA and SSL certificate required to N (since we are using one way communication) as shown in Figure 38.
    Figure 38. Alter a Server-connection Channel - 3
    Setting the SSL cipher specification and SSL certificate required fields
  3. Next we need to update the Domain connection setting as shown in Figure 39.
    Figure 39. Updating the Cipher Suite, Key Store and Trust Store
    Setting the Cipher Suite to SSL_RSA_WITH_NULL_SHA, and both Key Store and Trust Store to C:\MQSSL\MA01\key.jks
  4. Now try reconnecting the toolkit domain to the z/OS queue manager. The connection should be successful.

Setting up two-way (mutual) communication

Now that the one way communication is working, in the next section you'll learn how to perform mutual communication, which is SSL communication from Message Broker on the Windows platform to the z/OS queue manager.

Create a certificate on Windows

  1. From a Windows command prompt, start the iKeyMan GUI by running the strmqikm command. Select Key Database File - Open and set the following values at the dialog prompt:
    • File name: key.jks
    • Location: C:\MQSSL\MA01
  2. Click OK. At the password prompt, enter changeit.
  3. Switch to the Personal Certificates repository (pull-down near top right hand corner) and click New Self-Signed (bottom right-hand corner).
  4. Enter the following values for the certificate:
    • Key Label: toolkit
    • Common name: <Will contain the IP address of the Windows box>

    Allow everything else to default and click OK. The new certificate will appear in the Personal Certificates list.

  5. We now need to extract the Certification Authority part of the certificate and install it on the Queue Manager repository. The process is the same as before, but in reverse. Click Extract Certificate (bottom right-hand corner) and extract the CA certificate using these values:
    • Certificate file name: toolkit.arm
    • Location: C:\MQSSL\MA01

    Click OK. This creates a file called toolkit.arm in C:\MQSSL\MA01.

  6. FTP (in ASCII mode) toolkit.arm to the Queue Manager on z/OS and store it in a physical sequential file.
    ftp> put toolkit.arm 'hlq.SSL.TOOL'
    200 Port request OK.
    125 Storing data set hlq.SSL.TOOL
    250 Transfer completed successfully.
    ftp: 730 bytes sent in 0.00Seconds 730000.00Kbytes/sec.

Now that the certificate is stored in the PS file, we need to connect this certificate to the Key ring MA01. We’ll cover that in the next section.

Add the Windows certificate to the key ring

Before sending the certificate, you need to create the target PS file with the following parameters (see Figure 40).

Figure 40. Updating the Cipher Suite, Key Store and Trust Store
Organization = PS, Record format = VB, Record length = 84, Block size = 27998

Next you need to add the extracted certificate from the Windows machines to the RACF database on the z/OS machine. Follow these steps to add the certificate to the RACF database:

  1. Select option 4 as shown in Figure 41, and press Enter:
    Figure 41. Digital Certificates and Related Services
    Selecting 4 on the Digital Certificates and Related Services panel
  2. Select option 1, enter MA01USR for the user ID that owns the key ring MA01, as shown in Figure 42. Press Enter.
    Figure 42. Add Digital Certificate
    Entering MA01USR for the user ID that owns the key ring MA01
  3. Enter hlq.SSL.TOOL for the dataset name and toolkit for the Label name of the certificate created on the Windows machine. Select option T for Trust status as shown in Figure 43, and press Enter. hlq is the high level qualifier specific to your system.
    Figure 43. Add Digital Certificate
    Entering values on the Add Digital Certificate panel

Connect the Windows certificate to the MA01 key ring on z/OS

  1. Select option 1, enter MA01USR for the user ID as shown in Figure 44, and press Enter.
    Figure 44. Digital Certificate Key Ring Services
    Selecting option 1 and entering MA01USR
  2. Enter MA01 for the Ring Name and user ID MA01USR for the Certificate Type. For the Label name of the certificate enter toolkit, and select Personal for the Usage field, as shown in Figure 45. Press Enter.
    Figure 45. Connect a Digital Certificate to a Key Ring
    Entering values for the Connect a Digital Certificate to a Key Ring
  3. Figure 46 shows that the certificate with the label name toolkit has been connected to the key ring MA01.
    Figure 46. Digital Certificate Key Ring Services
    Certificate successfully connected to key ring

You can confirm that the certificate has been added to the key ring by using the List Certificate feature as described in the following section.

List all the certificates connected to the MA01 key ring

  1. Select option 3, enter MA01USR for the user ID as shown in Figure 47, and press Enter.
    Figure 47. Digital Certificate Key Ring Services
    Selecting 3 on the Digital Certificate Key Ring Services panel
  2. Enter the key ring name MA01 as shown in Figure 48 and press Enter.
    Figure 48. Digital Certificate List Key Ring Services
    Entering the key ring name MA01
  3. Figure 49 shows all the certificates that are connected to the key ring MA01.
    Figure 49. List Ring Names Services
    List of Ring Names
  4. Make sure that the Toolkit is disconnected from the Configuration Manager (disconnect if it isn’t).

  5. Enter the following command to change SSLCAUTH to REQUIRED. Alternatively, you can make this change using the MQ panels.
    Command -> ALT CHL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)

    No changes are needed in the Toolkit.

  6. Close the Toolkit, stop the CHANNEL initiator and restart both of them. Connect the Toolkit to the Configuration Manager. The connection should go through successfully.

Avoiding invalid combinations of SSLCIPH

This section demonstrates how to resolve invalid combinations of SSLCIPH between the toolkit Cipher Suite value and the SSL cipher specification on the SYSTEM.BKR.CONFIG channel on the z/OS queue manager. Table 1 lists the different SSLCIPH values.

Table 1. List of SSLCIPH values
CipherSpec (MQ)          CipherSuite (Java)
RC4_MD5_US               SSL_RSA_WITH_RC4_128_MD5
RC4_SHA_US               SSL_RSA_WITH_RC4_128_SHA
RC4_MD5_EXPORT           SSL_RSA_EXPORT_WITH_RC4_40_MD5
RC2_MD5_EXPORT           SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
DES_SHA_EXPORT           SSL_RSA_WITH_DES_CBC_SHA
NULL_MD5                 SSL_RSA_WITH_NULL_MD5
NULL_SHA                 SSL_RSA_WITH_NULL_SHA
RC4_56_SHA_EXPORT1024    SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
DES_SHA_EXPORT1024       SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
TRIPLE_DES_SHA_US        SSL_RSA_WITH_3DES_EDE_CBC_SHA

  1. Update the value of Cipher Suite (on the toolkit) to be SSL_RSA_WITH_DES_CBC_SHA as shown in Figure 50.
    Figure 50. Update SSLCIPH value
    Setting Cipher Suite to SSL_RSA_WITH_DES_CBC_SHA
  2. Update the SSLCIPH value on the queue manager. Using the MQ panels, select option 3 and enter the following values (also in Figure 51). Press Enter.
    • Object type: Channel
    • Name: *
    • Connect name: MA01
    • Target queue manager: MA01
    • Action queue manager: MA01
    Figure 51. Update SSLCIPH value on the channel
    Setting fields to update SSLCIPH on the queue manager
  3. Select the channel SYSTEM.BKR.CONFIG by using option 3 for altering the channel as shown in Figure 52. Press Enter.
    Figure 52. Update SSLCIPH value on the channel
    Selecting 3 on the List Channels panel
  4. Figure 53 shows the first panel to alter the server-connection channel:
    Figure 53. Altering the server-connection channel
    Altering the server-connection channel
  5. Press F8 multiple times until you reach the panel in Figure 54 (Alter a Server-connection Channel – 3). The matching value for the SSL cipher specification field would be DES_SHA_EXPORT, but to demonstrate the error caused by an invalid combination of SSLCIPH values, enter NULL_SHA instead. Set SSL certificate required to Y and press Enter.
    Figure 54. Changing the SSL cipher specification
    Setting SSL cipher specification to NULL_SHA
  6. Figure 55 shows the error message when you attempt to connect the WebSphere Message Broker toolkit to the z/OS queue manager.
    Figure 55. Update SSLCIPH value on the channel
    Error codes 2059 and 2009
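
The mismatch set up in steps 1 to 6 can be caught by comparing the channel attributes with the toolkit value before connecting. The following Python check is an added example, not part of the original tutorial: it uses the Table 1 pairs, and the function names and the sample channel commands are constructed for illustration.

```python
import re

# Table 1 of this tutorial: MQ SSLCIPH value -> Java cipher suite set in the toolkit.
SPEC_TO_SUITE = {
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4_SHA_US": "SSL_RSA_WITH_RC4_128_SHA",
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC2_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "DES_SHA_EXPORT": "SSL_RSA_WITH_DES_CBC_SHA",
    "NULL_MD5": "SSL_RSA_WITH_NULL_MD5",
    "NULL_SHA": "SSL_RSA_WITH_NULL_SHA",
    "RC4_56_SHA_EXPORT1024": "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "DES_SHA_EXPORT1024": "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
SUITE_TO_SPEC = {suite: spec for spec, suite in SPEC_TO_SUITE.items()}

# MQSC attributes have the form KEYWORD(value); the value may be quoted.
ATTR = re.compile(r"([A-Za-z]+)\(\s*'?([^()']*)'?\s*\)")


def parse_mqsc(command):
    """Return the KEYWORD(value) pairs of one MQSC command as a dict."""
    return {key.upper(): value.strip() for key, value in ATTR.findall(command)}


def check_channel(command, toolkit_suite):
    """Return (code, message) findings; an empty list means the pair matches."""
    attrs = parse_mqsc(command)
    spec = attrs.get("SSLCIPH", "")
    findings = []
    if spec not in SPEC_TO_SUITE:
        findings.append(("UNKNOWN_SPEC", f"SSLCIPH '{spec}' is not listed in Table 1"))
    elif SPEC_TO_SUITE[spec] != toolkit_suite:
        wanted = SUITE_TO_SPEC.get(toolkit_suite, "no Table 1 entry")
        findings.append(("MISMATCH", f"channel has {spec}, toolkit suite needs {wanted}"))
    if spec.startswith("NULL_"):
        findings.append(("NULL_CIPHER", f"{spec} does not encrypt the channel data"))
    if attrs.get("SSLCAUTH") == "OPTIONAL":
        findings.append(("CLIENT_AUTH_OPTIONAL", "client certificate is not required"))
    return findings


# Constructed inputs: the channel as altered in step 5, and the matching definition.
BROKEN = "ALT CHL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) SSLCIPH(NULL_SHA) SSLCAUTH(REQUIRED)"
FIXED = "ALT CHL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) SSLCIPH(DES_SHA_EXPORT) SSLCAUTH(REQUIRED)"
TOOLKIT_SUITE = "SSL_RSA_WITH_DES_CBC_SHA"  # value set in step 1

if __name__ == "__main__":
    for label, command in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_channel(command, TOOLKIT_SUITE))
```
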

Discovering an expired certificate

We have created an expired CA certificate CA02 for a different queue manager MA02. An expired certificate has an End Date that has passed. Follow these steps to view the expired certificate:

  1. Select option R as shown in Figure 56, and press Enter.
    Figure 56. WMQI Change Team Menu
    Selecting R on the WMQI Change Team Menu
  2. Select option 7 as shown in Figure 57, and press Enter.
    Figure 57. RACF – Services Option Menu
    Selecting 7 on the RACF – Services Option Menu
  3. Select option 4 as shown in Figure 58, and press Enter.
    Figure 58. Digital Certificates and Related Services
    Selecting 4 on the Digital Certificates and Related Service panel
  4. Select option 3 and Certificate Authority for Certificate Type as shown in Figure 59. Press Enter.
    Figure 59. Digital Certificate Services Main Panel
    Setting Certificate Type to Certificate Authority
  5. Select 1 and enter CA02 for the Label name of the CA certificate as shown in Figure 60, and press Enter.
    Figure 60. Digital Certificate List Filtering Panel
    Setting the Label name to CA02
  6. Figure 61 shows the CA certificate with the End Date as a date in the past.
    Figure 61. Change Status/Delete Digital Certificate
    End Date is 2009/04/02 21:00:00
  7. Figure 62 shows an error message that the connection could not be established because the certificates have expired.
    Figure 62. Error due to expired certificate
    BIP0915E: The Message Brokers Toolkit cannot connect to the queue manager MA02
  8. Listing 4 also shows the channel initiator (MA02CHIN) logs indicating that connection could not be established because the certificate has expired. (DNSname is marked out for security reasons.)
    Listing 4. Error in the channel initiator log due to expired certificate
    connection DNSname (x.xxx.xxx.xx)                                               
    CSQX658E MA02 CSQXRESP SSL certificate has expired,                             
    channel ????,                                                                   
    connection DNSname (x.xxx.xxx.xx)                                               
    CSQX658E MA02 CSQXRESP SSL certificate has expired,                             
    channel ????,                                                                   
    connection DNSname (x.xxx.xxx.xx)                                               
    CSQX658E MA02 CSQXRESP SSL certificate has expired,                             
    channel ????,                                                                   
    connection DNSname (x.xxx.xxx.xx)                                               
    CSQX658E MA02 CSQXRESP SSL certificate has expired,                             
    channel ????,                                                                   
    connection DNSname (x.xxx.xxx.xx)                                               
    CSQX658E MA02 CSQXRESP SSL certificate has expired,                             
    channel ????,                                                                   
    connection DNSname (x.xxx.xxx.xx)

Discovering an invalid certificate

Now we will delete the queue certificates and the key ring for this queue manager and add the certificate (CA) created for queue manager MA01, which is CA01. This would be an invalid certificate, and hence the connection cannot be established.

Figure 63 shows the error message while trying to connect the toolkit to the z/OS queue manager.

Figure 63. Error due to invalid certificate
BIP0915E: The Message Brokers Toolkit cannot connect to the queue manager MA02

Listing 5 shows the channel initiator log (MA02CHIN), which indicates that the channel could not be started because of the invalid certificate.

Listing 5. Error in the channel initiator log due to invalid certificate
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,                                              
connection DNSname (xx.xx.xx.xxx)                          
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,                                              
connection DNSname (xx.xx.xx.xxx)                          
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,                                              
connection DNSname (xx.xx.xx.xxx)                          
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,                                              
connection DNSname (xx.xx.xx.xxx)                          
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,                                              
connection DNSname (xx.xx.xx.xxx)

Note that the certificate in the client repository on the toolkit side is unaltered.
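
Each message in Listings 4 and 5 spans three lines, so a line-by-line search loses the queue manager and connection that belong to it. The following Python example is added here and is not part of the original tutorial; the sample log is constructed in the format of Listings 4 and 5, and the function names and next-step hints are assumptions based on the steps above.

```python
import re
from collections import Counter

HEAD = re.compile(r"^(CSQX\d{3}[A-Z])\s+(\S+)\s+(\S+)\s+(.*?),?\s*$")
CHANNEL = re.compile(r"^channel\s+(.*?),?\s*$")
CONN = re.compile(r"^connection\s+(.*?)\s*$")

# Follow-up checks taken from the two scenarios in this tutorial.
NEXT_CHECK = {
    "CSQX658E": "list the certificate and compare its End Date with today",
    "CSQX634E": "list the key ring and confirm its certificates belong to this queue manager",
}

# Constructed sample; like Listing 4, it starts in the middle of a record.
SAMPLE_LOG = """\
connection DNSname (x.xxx.xxx.xx)
CSQX658E MA02 CSQXRESP SSL certificate has expired,
channel ????,
connection DNSname (x.xxx.xxx.xx)
CSQX658E MA02 CSQXRESP SSL certificate has expired,
channel ????,
connection DNSname (x.xxx.xxx.xx)
CSQX634E MA02 CSQXRESP SSL certificate failed remote check,
channel ????,
connection DNSname (xx.xx.xx.xxx)
""".splitlines()


def parse_chin_log(lines):
    """Group each CSQX message line with its channel and connection lines."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        head = HEAD.match(line)
        if head:
            current = {"id": head[1], "qmgr": head[2], "text": head[4],
                       "channel": None, "connection": None}
            records.append(current)
        elif current is None:
            continue  # continuation of a record whose first line was cut off
        elif (m := CHANNEL.match(line)):
            current["channel"] = m[1]
        elif (m := CONN.match(line)):
            current["connection"] = m[1]
    return records


def triage(lines):
    """Count messages per (id, queue manager, connection), most frequent first."""
    counts = Counter((r["id"], r["qmgr"], r["connection"]) for r in parse_chin_log(lines))
    return [{"id": i, "qmgr": q, "connection": c, "count": n,
             "next_check": NEXT_CHECK.get(i, "look up the message ID")}
            for (i, q, c), n in counts.most_common()]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```
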


RACF on z/OS command reference

This section lists all the RACF commands on z/OS (for example, create a key ring, add a certificate to the key ring, and so on). You can use these commands to perform the same actions as the panels on z/OS to set up MQ SSL on the z/OS platform.

The RACDCERT COMMAND

The RACDCERT command stands for RACF digital certificate. You use it to create and maintain the digital certificates, and create the key rings which act as a repository for the digital certificate.

Check with your system administrator to set up access to the following profiles, which are sample RACF profile definitions for using the RACDCERT command.

Listing 6. Sample RACF profile definitions
RDEFINE FACILITY IRR.DIGTCERT.ADD      UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING  UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTER    UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

PERMIT IRR.DIGTCERT.ADD      CLASS(FACILITY) ID(userid) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.ADDRING  CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.ALTER    CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT  CLASS(FACILITY) ID(userid) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)

The following sections list the RACDCERT commands that you can use instead of the RACF panels to perform various actions like Create a certificate, Add a certificate to the key ring etc. Note that this listing of the commands does not include the complete list of parameters for the commands.

Create a key ring

Issue the following command to create the key-ring:

  RACDCERT ID (userid1) ADDRING (ring-name)
  • ID = User ID of the channel initiator address space, or the user ID owning the key ring.
  • ADDRING = Desired key ring name with a maximum length of 237 characters.
  • ring-name is case-sensitive, so uppercase is preferred.

For example:

   RACDCERT ID (MA01USR) ADDRING (MA01)

Create a certificate authority certificate

Issue the following command to create a certificate authority (CA) certificate:

RACDCERT CERTAUTH GENCERT [(request-data-set-name)]
[SUBJECTSDN(
[CN('common-name')]
[T('title')]
[OU('organizational-unit-name1'
[, 'organizational-unit-name2', ...] )]
[O('organization-name')]
[L('locality')]
[SP('state-or-province')]
[C('country')] )]
[WITHLABEL('label-name')]
[NOTBEFORE([DATE(yyyy-mm-dd)] [TIME(hh:mm:ss)])]
[NOTAFTER([DATE(yyyy-mm-dd)] [TIME(hh:mm:ss)])]
  • CN = Common name
  • T = Title
  • OU = Organizational Unit name
  • O = Organization name
  • L = Location
  • SP = State or Province
  • C = Country
  • WITHLABEL = Label of the certificate
  • NOTBEFORE = Date and time before which the certificate is not valid
  • NOTAFTER = Date and time after which the certificate is not valid (i.e., expired)

For example:

RACDCERT CERTAUTH GENCERT -
SUBJECTSDN(CN('CA01') -
T('CA Certificate') -
OU('TEST') -
O('IBM') -
L('BANGALORE') -
SP('KARNATAKA') -
C('INDIA')) -
WITHLABEL('CA01') -
NOTBEFORE(DATE(2000-12-20) TIME(12:00:00)) -
NOTAFTER(DATE(2009-12-20) TIME(12:00:00))

Create a personal certificate

Issue the following command to generate the signed personal certificate for the queue manager:

RACDCERT ID (TESTUSER) GENCERT [(request-data-set-name)]
[SUBJECTSDN(
[CN('common-name')]
[T('title')]
[OU('organizational-unit-name1'
[, 'organizational-unit-name2', ...] )]
[O('organization-name')]
[L('locality')]
[SP('state-or-province')]
[C('country')] )]
[WITHLABEL('label-name')]
[SIGNWITH([ CERTAUTH|SITE ] LABEL ('label-name'))]
[NOTBEFORE([DATE(yyyy-mm-dd)] [TIME(hh:mm:ss)])]
[NOTAFTER([DATE(yyyy-mm-dd)] [TIME(hh:mm:ss)])]
  • CN = Common Name
  • T = Title
  • OU = Organizational Unit name
  • O = Organization name
  • L = Location
  • SP = State or Province
  • C = Country
  • WITHLABEL= Label of the certificate
  • NOTBEFORE = Date and time before which the certificate is not valid
  • NOTAFTER = Date and time after which the certificate is not valid (i.e., expired)
  • SIGNWITH = CERTAUTH or SITE, with label-name = label of the signing certificate

For example:

RACDCERT ID(TESTUSER) GENCERT -
 SUBJECTSDN(CN('MA01') -
 T('Personal Certificate for MA01') -
 OU('TEST') -
 O('IBM') -
 L('BANGALORE') -
 SP('KARNATAKA') -
 C('INDIA')) -
 WITHLABEL('ibmWebSphereMQMA01') -
 SIGNWITH(CERTAUTH LABEL('CA01')) -
 NOTBEFORE(DATE(2000-12-20) TIME(12:00:00)) -
 NOTAFTER(DATE(2009-12-20) TIME(12:00:00))

Add or connect the certificates to the key ring:

RACDCERT ID(Userid) -
CONNECT(
[ID(userid) | SITE | CERTAUTH]
LABEL('label-name')
RING(ring-name)
[USAGE(PERSONAL | SITE | CERTAUTH)]
)
  • ID = User ID of the channel initiator address space, or the user ID owning the key ring
  • LABEL = Name of the label of the certificate
  • RING = Name of the key ring to which the certificate needs to be connected or added.

For example:

RACDCERT ID(TESTUSER) -
CONNECT(CERTAUTH LABEL('CA01') -
   RING(MA01) USAGE(CERTAUTH))

RACDCERT ID(TESTUSER) -
CONNECT(ID(TESTUSER) LABEL('ibmWebSphereMQMA01') -
    RING(MA01) USAGE(PERSONAL))

List a key ring

RACDCERT ID(userid) LISTRING(keyringname)
  • ID = User ID of the channel initiator address space, or the user ID owning the key ring.
  • LISTRING = Name of the key ring to be listed

For example:

RACDCERT ID(MA01USR) LISTRING(MA01)

List certificates in a Key ring

RACDCERT CERTAUTH LIST(LABEL('CAcertificatelabelname'))
RACDCERT ID(userid) LIST(LABEL('Personalcertificatelabelname'))
  • LABEL = Label of the certificate to be listed

For example:

RACDCERT CERTAUTH LIST(LABEL('CA01'))
RACDCERT ID(UserID) LIST(LABEL('ibmWebSphereMQMA01'))

Delete a key ring

RACDCERT ID(userid) DELRING(keyringname)
  • ID = User ID of the channel initiator address space, or the user ID owning the key ring.
  • DELRING = Name of the key ring to be deleted.

For example:

RACDCERT ID(MA01USR) DELRING(MA01)

Delete a certificate from the key ring

RACDCERT CERTAUTH DELETE(LABEL('certificatelabelname'))
  • LABEL = Label of the certificate to be deleted

For example, to delete a CA certificate:

RACDCERT CERTAUTH DELETE(LABEL('CA01'))

To delete a personal certificate:

RACDCERT ID(UserID) DELETE(LABEL('ibmWebSphereMQMA01'))

Export the certificate to the PS file

RACDCERT CERTAUTH 
EXPORT(LABEL('label-name')) DSN(output-data-set-name)
[FORMAT(
CERTDER | CERTB64 | PKCS7DER 
| PKCS7B64 | PKCS12DER | PKCS12B64
)]
  • LABEL = Label name of the certificate to be exported
  • DSN = Physical sequential dataset name where the certificate will be exported to.

For example:

RACDCERT CERTAUTH EXPORT(LABEL('CA01')) -
DSN('HLQ.SSLCA.MA01') -
FORMAT(CERTDER)
  • HLQ = High Level Qualifier. Check with your system administrator to find out the value of HLQ on your system.

Import a certificate from the PS file to the key ring

RACDCERT ID(userid) ADD(dataset-name) TRUST WITHLABEL('label-name')
  • ID = User ID of the channel initiator address space, or the user ID owning the key ring
  • ADD = Physical sequential dataset name where the certificate is stored and is imported from.
  • WITHLABEL = Label name of the certificate that is being imported

For example:

RACDCERT ID(MA01USR) ADD('HLQ.SSLCA.MA01') TRUST WITHLABEL('CA01')

For more information on the RACDCERT command please refer to the product documentation.


Conclusion

This tutorial showed how you can use the RACF panels on z/OS to:

  • Create a key ring.
  • Create CA and personal certificates.
  • Add or connect the certificates to the key ring.
  • List and delete the key rings and certificates.

Using these features, you can quickly configure SSL on z/OS, without investing in new skills. This tutorial also showed you various error scenarios to help you to debug specific problems during SSL setup.
