Topic
  • 10 replies
  • Latest Post - ‏2017-03-24T20:26:50Z by Angelina1984
Angelina1984
Angelina1984
6 Posts

Pinned topic Creating CSR for no-domain MQ WebSphere Server

‏2017-03-17T20:44:46Z | csr

I have a FIPS requirement that forces us to use MQ Server-connection CHANNEL that is FIPS compliant.

I don't quite understand the whole thing on how to be FIPS compliant, but what I gathered is that our IBM MQ WebSphere Server needs to have certificates that are FIPS compliant for each IBM MQ Manager.

So, I have turned on SSL FIPS on both of our IBM MQ Managers:

  1. SSL Key repository: "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm" (for DPGQM) and D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm (for DOLFINQM)
  2. Certificate label: ibmwebspheremqdpgqm (DPGQM) , ibmwebspheremqdolfinqm (DOLFINQM)
  3. SSL FIPS required: yes

Created two key repositories, for each MQ Manager:

  • runmqakm -keydb -create -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" -pw P@ssword -type cms -stash -fips
  • runmqakm -keydb -create -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm.kdb" -pw P@ssword -type cms -stash -fips

Created CSR for our mq managers:

  • runmqakm -certreq -create -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" -pw P@ssword -label ibmwebspheremqdpgqm -dn "CN=DEADSHOT-MQ,O=CACI,OU=DAPS,L=Chantilly,ST=VA,C=US" -size 2048 -file "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.csr" -fips -sig_alg SHA256WithRSA 
  • runmqakm -certreq -create -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm.kdb" -pw P@ssword -label ibmwebspheremqdolfinqm -dn "CN=DEADSHOT-MQ,O=CACI,OU=DAPS,L=Chantilly,ST=VA,C=US" -size 2048 -file "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm.csr" -fips -sig_alg SHA256WithRSA

But our certificate person asked if I can fix errors in attached image and send another 2 csrs.

Well, my problem is our IBM WebSphere MQ Server doesn't have a domain name. And from IBM website, I understood that DN should have a value of actual MQ Manager name and not what I put previously (computer name). I tried creating another CSR but I am not able to, system returns following message:

D:\Program Files\IBM\WebSphere MQ\bin>runmqakm -certreq -create -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm.kdb" -pw P@ssword -label ibmwebspheremqdolfinqm -dn "CN=DOLFINQM,O=CACI, Inc. - Federal,OU=DAPS,L=Chantilly,ST=Virginia,C=US" -size 2048 -file "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DOLFINQM\ssl\ibmwebspheremqdolfinqm.csr" -fips -sig_alg SHA256WithRSA

5724-H72 (C) Copyright IBM Corp. 1994, 2015.
CTGSK3039W Certificate request "ibmwebspheremqdolfinqm" could not be created.

-Command usage-
-db | -crypto         Required
-tokenlabel           Required if -crypto present
-pw | -stashed        Optional
-label                Required
-dn | -template       Required
-type                 Optional <cms | kdb | pkcs12 | p12>
-size                 Optional
-file | -target       Required
-san_dnsname          Optional
-san_emailaddr        Optional
-san_ipaddr           Optional
-certpolicy           Optional
-eku                  Optional <ocspSigning, timeStamping, emailProtection, codeSigning, clientAuth, serverAuth, SSLStepUpApproval, any>
-ku                   Optional <digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly>
-template             Optional
-sig_alg | -sigalg    Optional < | md5 | MD5_WITH_RSA | MD5WithRSA | sha1 | SHA_WITH_RSA | SHAWithRSA | SHA1WithRSA | sha224 | SHA224_WITH_RSA | SHA224WithRSA | sha256 | SHA256_WITH_RSA | SHA256WithRSA | sha384 | SHA384_WITH_RSA | SHA384WithRSA | sha512 | SHA512_WITH_RSA | SHA512WithRSA | RSASSAPSS | SHA256_WITH_RSASSAPSS | SHA256WithRSASSAPSS | SHA384_WITH_RSASSAPSS | SHA384WithRSASSAPSS | SHA512_WITH_RSASSAPSS | SHA512WithRSASSAPSS | SHA_WITH_DSA | SHA1WithDSA | SHAWithDSA | SHA1WithECDSA | EC_ecdsa_with_SHA1 | SHA224WithECDSA | EC_ecdsa_with_SHA224 | SHA256WithECDSA | EC_ecdsa_with_SHA256 | SHA384WithECDSA | EC_ecdsa_with_SHA384 | SHA512WithECDSA | EC_ecdsa_with_SHA512 | DH>
-secondarydb          Optional if -crypto present
-secondarydbpw        Optional if -secondarydb present
-secondarydbtype      Optional if -secondarydb present

 

Does anyone have any idea why the CA doesn't like the CSR, and what the proper way to create the CSR would be?

Attachments

  • MoragH
    MoragH
    131 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-18T04:51:55Z  

    Creating the new CSR failed because you still have the old one with the same label still in the key DB. Remove the old one and then re-run the command.

    There is no requirement from MQ for your CN to contain the queue manager name. If you have to put something specific in it to meet the requirements of the signer, you can do that. MQ won't mind.

  • Angelina1984
    Angelina1984
    6 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-19T19:54:26Z  
    • MoragH
    • ‏2017-03-18T04:51:55Z

    I created a self-signed certificate on WebSphere MQ Server.

    On the client side, I am running java that uses ibm.mq apis. I do not have IBM MQ client installed.

    Do I have to create truststore and keystore on client side, and if so can I do it without installing IBM MQ client?

    I am so confused on what exactly needs to be done for our IBM MQ WebSphere to be FIPS compliant :(

    I tried the following:

    SERVER:

    Once I created self-signed certificate, I extracted the public part of the IBM MQ certificate:

    runmqakm -cert -extract -db "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" -pw P@ssword -label ibmwebspheremqdpgqm -target "D:\Program Files\IBM\MQ-DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.crt" -format binary -fips

    Edited Channel's SSL CipherSpecs: TLS_RSA_WITH_AES_256_CBC_SHA256

    SSL Authentication: Optional

    CLIENT:

    And then added it to my client java/jre/lib/security/cacerts file:

    keytool -import -keystore cacerts -alias ibmwebspheremqdpgqm -file D:\TEMP\MsgQueue\ibmwebspheremqdpgqm.crt

    Edited java code that pushes messages onto WebSphere Server:

    MQEnvironment.sslFipsRequired = true;
    MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_256_CBC_SHA256";

    (tried all FIPS compliant spec/suite combinations, for Oracle jre and IBM jre, but always getting com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.)

    Added -Dcom.ibm.mq.cfg.useIBMCipherMappings=false to java

    Copied: local_policy.jar & US_Export_policy.jar into JAVA/jre/lib/security

    But this is not working.

     

    Updated on 2017-03-19T20:00:18Z at 2017-03-19T20:00:18Z by Angelina1984
  • MoragH
    MoragH
    131 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-19T22:56:26Z  

    Thanks for supplying the details of what you did. What would also help hugely is if you also showed the error reported, both at the java end and at the queue manager end (look in the AMQERR01.LOG).

  • Angelina1984
    Angelina1984
    6 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-19T23:07:27Z  
    • MoragH
    • ‏2017-03-19T22:56:26Z

    Yea, about that... Nothing is written to error log. at least not since 6 days ago.

    And for the java client side, I am getting com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.

    Despite the fact that I tried every possible FIPS compliant cipher suite both for IBM JRE and Oracle JRE, with no luck. Also refreshed SSL on MQ WebSphere Server and restarted machines thinking that would help.

    I am burned out :/

    Server: IBM MQ WebSphere v8.0.0.4 trial

    Client:  com.ibm.mq.allclient-8.0.0.4.jar

    Updated on 2017-03-19T23:32:41Z at 2017-03-19T23:32:41Z by Angelina1984
  • MoragH
    MoragH
    131 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-20T01:16:38Z  

    If there is nothing mentioned in the queue manager error log, then that means that the connection is not getting that far. The MQRC 2400 is reporting only that the combination at the client end doesn't work.

    My advice would be to try a little at a time. You are jumping in at the deep end a little by trying to do it all FIPS compliant at once. Start without FIPS, make sure that you have the certificates working with some Cipherspecs, then try to turn on FIPS and change the Cipherspecs then if you need to. That way you'll be able to rule out various things as the problems and concentrate on a smaller change.

    You may also find these 3 blog posts useful.

    https://www.ibm.com/developerworks/community/blogs/messaging?tags=ciphersuite

    Cheers,
    Morag
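
Reason code 2400 is MQRC_UNSUPPORTED_CIPHER_SUITE: the MQ classes for Java raise it on the client when the JSSE provider in the running JRE does not recognise the suite name they are about to request, so the queue manager is never contacted and AMQERR01.LOG stays empty. The following is an added example, not code from the thread or from IBM, that checks exactly that in isolation before any MQQueueManager is built: it maps the SVRCONN CipherSpec to the Java name under either setting of com.ibm.mq.cfg.useIBMCipherMappings (only the two CipherSpecs used in this thread are mapped), asks the default SSLContext whether it offers that name, checks the AES-256 policy limit the copied policy jars are meant to raise, and confirms the client keyStore holds a private-key entry of FIPS-acceptable size. The keyStore path, password and the mapping table are assumptions taken from the posts above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Pre-flight checks for an MQ Java client, run before MQQueueManager is constructed.
 * Added example, not from the thread; paths, password and the CipherSpec table are
 * assumptions taken from the posts above.
 */
public class MqTlsPreflight {

    /** Java suite name the MQ classes hand to JSSE for a given SVRCONN CipherSpec. */
    static String javaSuiteFor(String cipherSpec, boolean useIbmCipherMappings) {
        // IBM JRE mapping (default) uses SSL_-prefixed names; with
        // -Dcom.ibm.mq.cfg.useIBMCipherMappings=false the Oracle-style TLS_ name is used.
        switch (cipherSpec) {
            case "TLS_RSA_WITH_AES_128_CBC_SHA":
            case "TLS_RSA_WITH_AES_256_CBC_SHA256":
                return useIbmCipherMappings ? "SSL_" + cipherSpec.substring(4) : cipherSpec;
            default:
                throw new IllegalArgumentException("CipherSpec not mapped in this example: " + cipherSpec);
        }
    }

    /** True if the JSSE provider in this JRE actually offers the suite; if not, MQ reports 2400. */
    static boolean jsseSupports(String javaSuite) throws Exception {
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(suites).contains(javaSuite);
    }

    /** AES-256 suites need the unlimited-strength policy on older JREs; check it before blaming MQ. */
    static boolean aes256Allowed() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /**
     * SSLCAUTH(REQUIRED) on the SVRCONN needs a private-key entry in the client keyStore
     * (the queue manager logs AMQ9637 otherwise). Also flags keys below 2048 bits, which
     * are not acceptable for FIPS-approved use.
     */
    static boolean hasUsableKeyEntry(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean ok = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                       // trusted-cert entries cannot answer a client-auth request
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            int bits = cert.getPublicKey() instanceof RSAPublicKey
                    ? ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() : -1;
            System.out.printf("key entry %s: %s, %d-bit RSA, %s%n",
                    alias, cert.getSubjectX500Principal(), bits, cert.getSigAlgName());
            if (bits >= 2048) {
                ok = true;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Same switch the MQ classes read; default is the IBM mapping.
        boolean ibmMappings = !"false".equals(System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings", "true"));
        String spec = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";
        String suite = javaSuiteFor(spec, ibmMappings);
        System.out.println("MQ will request JSSE suite " + suite + " (useIBMCipherMappings=" + ibmMappings + ")");
        System.out.println("  supported by this JRE:          " + jsseSupports(suite));
        System.out.println("  AES-256 allowed by policy:      " + aes256Allowed());
        System.out.println("  keyStore has 2048-bit key entry: " + hasUsableKeyEntry(
                "D:/Software/IBM/WebSphere MQ/java/jre/lib/security/keyStore.jks", "P@ssword".toCharArray()));
    }
}
```

Run it with the same JRE and the same -D flags as the real client; a false on the first line means 2400 is coming from the JRE, not from the channel definition, and switching JRE or the mapping flag is the thing to try, while a false on the last line explains an AMQ9637 on the queue manager side.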

  • Angelina1984
    Angelina1984
    6 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-22T14:33:17Z  
    • MoragH
    • ‏2017-03-20T01:16:38Z

    I disabled FIPS mode and created self-signed certificates using iKeyman on both sides.

    See attached image: client certs.PNG for client certificates.

    In my java code I added the following properties:

        MQEnvironment.sslFipsRequired = false;
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        //"TLS_RSA_WITH_AES_256_CBC_SHA256";//"TLS_RSA_WITH_AES_128_CBC_SHA";

        System.setProperty("javax.net.ssl.trustStore", "D:/Software/IBM/WebSphere MQ/java/jre/lib/security/trustStore.jks");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        System.setProperty("javax.net.ssl.keyStore", "D:/Software/IBM/WebSphere MQ/java/jre/lib/security/keyStore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "P@ssword");

        //    System.setProperty("com.ibm.jsse2.disableSSLv3","false");
        //    System.setProperty("com.ibm.mq.cfg.preferTLS", "true");
        //    System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        //    System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

        MQQueueManager qMgr;

        try
        {
        //       SSLContext context = SSLContext.getInstance("TLSv1.2");
        //       SSLContext.setDefault(context);

     

    On The Server side:

    See attached images server certs.PNG and java.channel.PNG

    If I set SSL Authentication to required I get:

        AMQ9637: Channel is lacking a certificate.
        EXPLANATION:
        The channel is lacking a certificate to use for the SSL handshake. The channel
        name is 'JAVA.CHANNEL' (if '????' it is unknown at this stage in the SSL
        processing).

    And on java side, I get:

        com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'.
            at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
            at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
            at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
            at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
            at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
            at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
            at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
            at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
            at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
            at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
            at MsgQueue.DPGInputTestProvider.putMessages(DPGInputTestProvider.java:195)
            at MsgQueue.DPGInputTestProvider.main(DPGInputTestProvider.java:115)
        Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '192.168.0.8(1414)' rejected. 
           [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. 
           [3=JAVA.CHANNEL]],3=192.168.0.8(1414),5=RemoteConnection.analyseErrorSegment]
            at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
            at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
            at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
            at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
            at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
            at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
            ... 11 more
         Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=JAVA.CHANNEL]
            at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4344)
            at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnect 
         ...
    

    Otherwise, it works, if I don't require SSL Authentication on CHANNEL.

     

    I run my java file like this:

         java -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .;lib/com.ibm.mq.allclient-8.0.0.4.jar ......

    I am running IBM WebSphere MQ 7.5.0.7 on server

    I don't know what else to try.

    CA Signed certificates? Upgrade IBM MQ to 8.0.0.6?

  • MoragH
    MoragH
    131 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-23T05:17:26Z  

    The fact that the connection works when you have SSLCAUTH(OPTIONAL) on the SVRCONN shows that you have the trustStore set up correctly with the queue manager's certificate, so that's a good start. In fact, a good recommendation is to start without client authentication and then once that is working move to authenticating the client too.

    Since the error message on the queue manager suggests the client hasn't sent a certificate, that suggests that your keyStore isn't correctly set up somehow. It's not immediately jumping out at me what is wrong. But there is an excellent walk-through here: SSL configuration of the Websphere MQ Java/JMS client. It's quite an old article (2005!) but honestly this stuff hasn't changed much in the basics, new cipher specs have been added to the list and you have some more up-to-date resources for those already. Perhaps walk through that article and see if you can spot what you did differently so figure out what you need to change?

    You shouldn't need to upgrade either end or use CA Signed certificates to get this to work. There shouldn't be any incompatibilities between the versions and certainly the reported error is not saying anything like that. Also until you get it working with your self-signed certificates, using a CA signed one is just more to juggle, suggest you take that step later once you have proved to yourself you can get it working with self-signed.

    Hope some of this helps!

    Cheers
    Morag

  • Angelina1984
    Angelina1984
    6 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-23T13:26:30Z  
    • MoragH
    • ‏2017-03-23T05:17:26Z

    Thanks for responding. 

    I indeed used that very article to create trustStore and keyStore :)

    I did however use:

    
    Key size: 2048
    Signature Algorithm: SHA256WithRSA
    

    For both client and server Self-signed certificates.

    Could this be a problem?

  • MoragH
    MoragH
    131 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-23T21:00:49Z  

    You've stated earlier that you are using:

    Server: IBM MQ WebSphere v8.0.0.4 trial

    Client:  com.ibm.mq.allclient-8.0.0.4.jar

    I believe V8 is OK with SHA-2 signatures and that key size.

    However, I'm not sure what else to suggest, so maybe it is worth trying. Also maybe try having the trustStore and keyStore as the same file. Although I can't see why either of these suggestions would make a difference!

  • Angelina1984
    Angelina1984
    6 Posts

    Re: Creating CSR for no-domain MQ WebSphere Server

    ‏2017-03-24T20:26:50Z  
    • MoragH
    • ‏2017-03-23T21:00:49Z

    That is true. I had 8.0.0.4 trial on server.

    However, I thought that having a trial version could cause some of my problems, so I uninstalled it and installed 7.5.0.7 on server.

    I followed your advice and added self-signed certificate to trustStore so now it is acting as trustStore and keyStore. I set SSLCAUTH(REQUIRED) on the SVRCONN and now it works.

    Now that I know that 2-way TLS authentication works,  next step is making FIPS work. This means that trustStore, self-signed certificates, ibmwebspheremqdpgqm.kdb have to be deleted and recreated with -fips option.

    I know I can use runmqakm to accomplish this.

     

    This is what I did to recreate fips compliant key stores and certificates:

    --On client java application side:
    
    -- Generate a public/private key pair and a self-signed certificate
    "D:\Software\IBM\WebSphere MQ\java\jre\bin\keytool" -genkeypair -dname "CN=WEB" -validity 1095 -keyalg RSA -keysize 1024 
    -keypass P@ssword -storetype jks -keystore "D:\Software\IBM\WebSphere MQ\java\jre\lib\security\trustStore.jks" 
    -storepass P@ssword -providerClass com.ibm.crypto.fips.provider.IBMJCEFIPS
    
    Open ikeyman and rename cert created to ibmwebspheremqadmin
    
    --Extract the public part of the certificate
    "D:\Software\IBM\WebSphere MQ\java\jre\bin\keytool" -exportcert -alias ibmwebspheremqadmin 
    -file "D:\Software\IBM\WebSphere MQ\java\jre\lib\security\ibmwebspheremqadmin.der" -storetype jks 
    -keystore "D:\Software\IBM\WebSphere MQ\java\jre\lib\security\trustStore.jks" -storepass P@ssword 
    -providerClass com.ibm.crypto.fips.provider.IBMJCEFIPS
    
    copy just created ibmwebspheremqadmin.der over to server machine, 
    under location: D:\Program Files\IBM\WebSphere MQ\DataFiles\Qmgrs\DPGQM\ssl
    
    --On Server side
    --Create two key repositories:
    runmqakm -keydb -create -db "D:\Program Files\IBM\WebSphere MQ\DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" 
    -pw P@ssword -type cms -stash -fips
    
    --Create self-signed certificate:
    runmqakm -cert -create -db "D:\Program Files\IBM\WebSphere MQ\DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" 
    -pw P@ssword -label ibmwebspheremqdpgqm -dn "CN=DPGQM,O=CACI,OU=DAPS,L=Chantilly,ST=Virginia,C=US" 
    -size 2048 -x509version 3 -expire 1095 -fips -sig_alg SHA256WithRSA
    
    --Extract the public part of the IBM MQ certificate
    runmqakm -cert -extract -db "D:\Program Files\IBM\WebSphere MQ\DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" 
    -pw P@ssword -label ibmwebspheremqdpgqm 
    -target "D:\Program Files\IBM\WebSphere MQ\DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.crt" 
    -format binary -fips
    
    copy just created ibmwebspheremqdpgqm.crt over to client machine, 
    under location: D:\Software\IBM\WebSphere MQ\java\jre\lib\security
    
    --on java client machine:
    
    --Add the public part of the IBM MQ certificate to the JAVA client key repository:
    "D:\Software\IBM\WebSphere MQ\java\jre\bin\keytool" -importcert -alias ibmwebspheremqdpgqm 
    -file "D:\Software\IBM\WebSphere MQ\java\jre\lib\security\ibmwebspheremqdpgqm.crt" 
    -storetype jks -keystore "D:\Software\IBM\WebSphere MQ\java\jre\lib\security\trustStore.jks" 
    -storepass P@ssword -providerClass com.ibm.crypto.fips.provider.IBMJCEFIPS
    
    trust this certificate?[no]: yes
    Certificate was added to keystore
    
    --on server side:
    
    --Add the public part of our web machine's certificate to the DPGQM key repository:
    runmqakm -fips -cert -add -db "D:\Program Files\IBM\WebSphere MQ\DataFiles\qmgrs\DPGQM\ssl\ibmwebspheremqdpgqm.kdb" 
    -pw P@ssword -file "D:\Program Files\IBM\WebSphere MQ\DataFiles\Qmgrs\DPGQM\ssl\ibmwebspheremqadmin.der" 
    -label ibmwebspheremqadmin -format ascii -trust enable
    
    refreshed SSL
    restarted client server
    

    Tried running:

    java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256 -classpath lib/com.ibm.mq.allclient-8.0.0.4.jar ...
    

    Getting following error:

    A WebSphere MQ error occurred : Completion code 2 Reason code 2400
    

     

    Updated on 2017-03-24T20:33:02Z at 2017-03-24T20:33:02Z by Angelina1984
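
Two details in the procedure above are worth checking against the tools' defaults before re-running: keytool -exportcert writes DER (binary) unless -rfc is given, so the file handed to runmqakm -cert -add is binary and -format ascii does not describe it; and the keytool -genkeypair step makes a 1024-bit RSA client key, whereas FIPS-approved use (NIST SP 800-131A) requires at least 2048 bits, which is what runmqakm -size 2048 already gives the queue manager side. The following is an added example, not code from the thread or from IBM, of the client half of the two-way TLS setup that the earlier posts got working: it loads the keyStore and trustStore explicitly, builds a KeyManager from the keyStore so the client certificate is always presented when the SVRCONN has SSLCAUTH(REQUIRED), passes the resulting socket factory to the MQ classes through MQEnvironment.sslSocketFactory instead of the javax.net.ssl.* system properties, and explains the two reason codes seen in this thread. Host, port, channel, queue manager name, paths and password are assumptions taken from the posts; the reason-code values are the MQ constants.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

/**
 * Mutual-TLS connection to the SVRCONN from the thread, with the client's key and
 * trust material passed explicitly rather than through javax.net.ssl.* properties.
 * Added example, not from the thread; host, channel, paths, password and queue
 * manager name are assumptions taken from the posts above.
 */
public class MqMutualTlsConnect {

    // Reason codes seen in the thread (values of the MQRC_ constants).
    static final int MQRC_Q_MGR_NOT_AVAILABLE = 2059;
    static final int MQRC_UNSUPPORTED_CIPHER_SUITE = 2400;

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * KeyManager from the keyStore (client certificate sent when the SVRCONN has
     * SSLCAUTH(REQUIRED)), TrustManager from the trustStore (queue manager certificate).
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static MQQueueManager connect(String qmName, SSLContext ctx, String javaSuite, boolean fips) throws MQException {
        MQEnvironment.hostname = "192.168.0.8";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "JAVA.CHANNEL";
        MQEnvironment.sslSocketFactory = ctx.getSocketFactory();
        MQEnvironment.sslCipherSuite = javaSuite;   // Java name that maps to the SVRCONN SSLCIPH
        MQEnvironment.sslFipsRequired = fips;
        try {
            return new MQQueueManager(qmName);
        } catch (MQException e) {
            // Explain the two codes seen in the thread before rethrowing.
            switch (e.reasonCode) {
                case MQRC_UNSUPPORTED_CIPHER_SUITE:
                    System.err.println("2400: the JSSE provider in this JRE does not recognise " + javaSuite
                            + " with sslFipsRequired=" + fips + "; the queue manager was never contacted");
                    break;
                case MQRC_Q_MGR_NOT_AVAILABLE:
                    System.err.println("2059: connection attempted and rejected; check AMQERR01.LOG on the queue manager"
                            + (e.getCause() != null ? " (" + e.getCause().getMessage() + ")" : ""));
                    break;
                default:
                    System.err.println("MQ reason code " + e.reasonCode);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "P@ssword".toCharArray();
        KeyStore keyStore = loadJks("D:/Software/IBM/WebSphere MQ/java/jre/lib/security/keyStore.jks", pw);
        KeyStore trustStore = loadJks("D:/Software/IBM/WebSphere MQ/java/jre/lib/security/trustStore.jks", pw);
        SSLContext ctx = buildContext(keyStore, pw, trustStore);
        // Oracle-style suite name, i.e. run with -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as in
        // the thread; with the default IBM mapping the name would be SSL_RSA_WITH_AES_128_CBC_SHA.
        MQQueueManager qMgr = connect("DPGQM", ctx, "TLS_RSA_WITH_AES_128_CBC_SHA", false);
        System.out.println("connected to " + qMgr.getName());
        qMgr.disconnect();
    }
}
```

Keeping the keyStore and trustStore as separate files is fine with this approach because the KeyManager is built from the keyStore directly; the earlier suggestion to merge them into one file only matters when the javax.net.ssl.* properties are relied upon. Once this connects with fips=false, flip it to true and change only the suite, which is the one-variable-at-a-time path recommended earlier in the thread.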