I've been playing with the MQ Web console on z/OS in MQ901 and had a few problems getting digital certificates to work.
Below are the definitions I used, and some hints on getting it working.
The MQ Console is a web based tool for administering queue managers that runs in a version of WebSphere Liberty Profile that is shipped with MQ.
I created a file ssl.xml to hold the configuration and put <include location="ssl.xml" optional="true"/> in the mqwebuser.xml file.
The ssl.xml file has
<?xml version="1.0" encoding="UTF-8"?>
The two ids, mqDefaultSSLConfig and defaultKeyStore, have to match up between the elements that define them and the elements that refer to them.
The keyring is SCENSTC.RING for userid SCENSTC.
The certificate sent to the web clients is selected by serverKeyAlias="DEFOU".
I set up SSL port 9444 with
<httpEndpoint id="defaultHttpEndpoint" host="WINMVSCA" httpsPort="9444">
I created a certificate, signed it, downloaded it to my Red Hat machine, and imported it into the browser.
When I connected Chrome to https://winmvsca.hursley.ibm.com:9444/ibmmq/console the first thing shown was
my web browser's certificate (which originated from z/OS). This was expected.
I then got
Your connection is not private
Attackers might be trying to steal your information from winmvsca.hursley.ibm.com (for example, passwords, messages, or credit cards).
and on Firefox I got
Your connection is not secure
The owner of winmvsca.hursley.ibm.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
winmvsca.hursley.ibm.com:9444 uses an invalid security certificate.
The certificate is only valid for SCENSTDEFAULTOU
Error code: SSL_ERROR_BAD_CERT_DOMAIN
After a week of playing around and not getting anywhere, someone (Jon Rumsey) told me to check the CN (as the Google message says).
The magic incantation to get it to work was to change the CN in my certificate to match the host name in the URL.
I set up
RACDCERT ID(SCENSTC) GENCERT -
  WITHLABEL('WINMVSCA') SIGNWITH(CERTAUTH LABEL('SCENCAOU')) -
  KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) -
  SUBJECTSDN(CN('winmvsca.hursley.ibm.com'))
RACDCERT ID(SCENSTC) ALTER(LABEL('WINMVSCA')) TRUST
so the CN is the host name I need to connect to, winmvsca.hursley.ibm.com (the label given to ALTER has to match the WITHLABEL exactly, as labels are case sensitive).
I changed serverKeyAlias="DEFOU" to serverKeyAlias="WINMVSCA".
After a few seconds Liberty detects that the parameters have changed, and I was able to log on successfully.
Someone pointed out the ALTNAME option on the RACDCERT command.
You can add the following to your certificate definition.
So I could have specified
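Both the CN change and the ALTNAME option come down to the one check the browser makes before it shows SSL_ERROR_BAD_CERT_DOMAIN: does the host name in the URL appear in the certificate? The following is an added example, not code from the original post or from IBM, of that check written in Python. It assumes certificates in the dict shape returned by Python's ssl getpeercert(), so it can be pointed at a live connection as well; the sample certificates CERT_DEFOU, CERT_CN_FIXED and CERT_WITH_SAN are constructed to mirror the three states described above (CN of SCENSTDEFAULTOU, CN changed to the host name, and a subject alternative name of the kind ALTNAME produces). It also shows the wildcard and IP address cases, which go beyond the post, and that a DNS subject alternative name, once present, takes precedence over the CN.

```python
"""Host name check a browser applies to a server certificate.

Added example (not from the original post or IBM). Certificates are the
dict shape Python's ssl.SSLSocket.getpeercert() returns; the samples at
the bottom are constructed, not real z/OS output.
"""
import ipaddress
from typing import Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly with a leading '*' label) against hostname.

    DNS names compare case-insensitively, so 'winmvsca.Hursley.ibm.com' and
    'winmvsca.hursley.ibm.com' are the same name. A wildcard is honoured only
    as the whole leftmost label and matches exactly one label, the rule
    browsers apply (RFC 6125 section 6.4.3).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*.hursley.ibm.com' must not match 'ibm.com' or 'a.b.hursley.ibm.com'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _subject_cn(cert: dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def names_in_cert(cert: dict) -> dict:
    """Return the identities a client will check, split by where they come from."""
    sans = cert.get("subjectAltName", ())
    return {
        "dns": [v for k, v in sans if k == "DNS"],
        "ip": [v for k, v in sans if k == "IP Address"],
        "cn": _subject_cn(cert),
    }


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    Order of checks, as browsers do it:
    1. An IP address in the URL must appear as an iPAddress SAN.
    2. If the certificate carries any DNS SANs, only those are consulted.
    3. Only a certificate with no DNS SANs falls back to the subject CN
       (current Chrome no longer accepts even that), which is why a SAN
       (RACDCERT ALTNAME) is the durable fix rather than the CN alone.
    """
    names = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in names["ip"])
    if names["dns"]:
        return any(_dns_name_matches(d, hostname) for d in names["dns"])
    cn = names["cn"]
    return cn is not None and _dns_name_matches(cn, hostname)


def explain(cert: dict, hostname: str) -> str:
    """One-line diagnosis in the spirit of the Firefox message."""
    names = names_in_cert(cert)
    checked = names["dns"] or ([names["cn"]] if names["cn"] else [])
    if hostname_matches(cert, hostname):
        return f"{hostname}: OK, matched one of {checked}"
    return f"{hostname}: SSL_ERROR_BAD_CERT_DOMAIN, certificate is only valid for {checked}"


# Constructed sample certificates in getpeercert() shape (not real z/OS output).
CERT_DEFOU = {"subject": ((("commonName", "SCENSTDEFAULTOU"),),)}
CERT_CN_FIXED = {"subject": ((("commonName", "winmvsca.hursley.ibm.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "SCENSTDEFAULTOU"),),),
    "subjectAltName": (("DNS", "winmvsca.hursley.ibm.com"),),
}
HOST = "winmvsca.hursley.ibm.com"

if __name__ == "__main__":
    for label, cert in [("DEFOU", CERT_DEFOU), ("CN fixed", CERT_CN_FIXED),
                        ("ALTNAME", CERT_WITH_SAN)]:
        print(f"{label:9} {explain(cert, HOST)}")
```

Running the block prints one line per sample: the DEFOU certificate is rejected with SSL_ERROR_BAD_CERT_DOMAIN, while the CN-fixed and SAN certificates are accepted. To check a real server, pass the dict from getpeercert() on an ssl-wrapped socket to explain() together with the host name typed into the browser.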