Securing communication between the WebSphere MQ queue manager and the IBM Business Monitor server
To secure communication between the WebSphere MQ queue manager and the IBM® Business Monitor server or cluster, configure SSL for the server-connection channel, exchange signer certificates between the queue manager and the IBM Business Monitor server, and grant access to the WebSphere MQ server for the primary administrative user name that the IBM Business Monitor server uses.
Before you begin
Before you secure communication between the WebSphere MQ queue manager and the IBM Business Monitor server or cluster, make sure you create the necessary resources (the message listener port or the JMS activation specification), as described in the related tasks.
Procedure
To enable secure communication, complete the following steps:
- Optional: To have the server-connection channel accept connections only from a specific IBM Business Monitor server, note the user distinguished name (DN) of the personal certificate of the server:
- In the administrative console where the IBM Business Monitor server is installed, select Security > SSL certificate and key management > Key stores and certificates.
- Click NodeDefaultKeyStore and click Personal certificates.
- In the personal certificate list, look at the row with default in the Alias column and note the DN in the Issued to column. For example: CN=Monitor12, OU=Monitor12Node05Cell, OU=Monitor12Node05, O=IBM, C=US. You need this information in step 6.d.
- Extract the signer certificate of the IBM Business Monitor server. In step 4, you add this signer certificate to the trust store of the WebSphere MQ queue manager.
- In the administrative console, select Security > SSL certificate and key management > Key stores and certificates.
- Click NodeDefaultTrustStore and click Signer certificates.
- In the signer certificate list, select the row with root in the Alias column and click Extract.
- Enter a fully qualified file name (for example, C:/IBM/WebSphereMon80/AppServer/profiles/AppSrv01/etc/MonitorSignerCertificate.arm) and leave the default data type (.arm) unchanged.
- Click OK. You see a message that the signer certificate was successfully extracted to the file.
- Create a key store for the queue manager, create a self-signed certificate for the queue manager, and extract the signer certificate for exchange with the IBM Business Monitor server:
- In the WebSphere MQ Explorer, right-click the queue manager (for example, MQQmgr), click Properties, and click SSL to determine the key repository. By default, the repository is MQ_home\Qmgrs\qmgr_name\ssl\key (for example, C:\Program Files\IBM\WebSphere MQ\Qmgrs\MQQmgr\ssl\key.kdb). This entry has two parts:
- MQ_home\Qmgrs\qmgr_name\ssl is the location of the key database file.
- key is the name of the file.
Note the location and key name for use in step 3.c, and click OK.
- In the WebSphere MQ Explorer, right-click IBM WebSphere MQ and click Manage SSL Certificates to open IBM Key Management (the ikeyman utility).
- In IBM Key Management, click Key Database File > New to create a key store. In the Key database type field, select CMS. Click Browse and select the file name (for example, key.kdb) and location (for example, MQ_home\Qmgrs\qmgr_name\ssl) that you provided in step 3.a. When prompted, enter a password to secure the key store. Select Stash the password to a file, and click OK.
- Switch to Personal Certificates and click New Self-Signed. When prompted for the key label, enter ibmwebspheremq<your_qmgr_name> in lowercase (for example, ibmwebspheremqmqqmgr for the queue manager MQQmgr). It is important to follow this naming rule for the key label, because the queue manager looks up its certificate by this label. For the other fields, enter anything you like. Click OK. You have created a personal certificate for your queue manager.
- Click Extract Certificate. At the prompt, enter a name for this certificate and save it to any location. Click OK.
- Add the signer certificate of the IBM Business Monitor server to the trust store of the queue manager. In step 3.c, you created a key store for the queue manager. To have a successful SSL handshake between the queue manager and the IBM Business Monitor server, you must add the signer certificate of the IBM Business Monitor server (which was extracted in step 2) to the trust store of the queue manager. The trust store has the same name as the key store.
- In IBM Key Management, switch to Signer Certificates in the Key database content list, and click Add.
- Click Browse, select the signer certificate that you extracted in step 2 (for example, C:/IBM/WebSphereMon80/AppServer/profiles/AppSrv01/etc/MonitorSignerCertificate.arm) and click Open.
- Click Browse to make sure that the file in the location is correct, and then click OK.
- When you are prompted for the certificate label, enter a name (for example, MonitorSignerCertificate) and click OK.
- Close the IBM Key Management tool.
- Add the signer certificate of the queue manager to the trust store of the IBM Business Monitor server:
- In the administrative console, select Security > SSL certificate and key management > Key stores and certificates. Click NodeDefaultTrustStore and click Signer certificates. Click Add.
- Enter the fully qualified path and file name of the signer certificate of the queue manager that you extracted in step 3.e (for example, C:\Program Files\IBM\WebSphere MQ\Qmgrs\MQQmgr\ssl\MQSignerCertificate.arm).
- Add an alias (for example, MQSignerCertificate) and click OK.
- Click Save.
- Configure SSL for the server-connection channel:
- In the WebSphere MQ Explorer, open the Navigator and Content views. Click the queue manager (for example, MQQmgr), open the QM folder, and right-click the Channels folder.
- From the Channels folder, right-click the server-connection channel, and click Properties.
- In the Properties wizard, click SSL and select an SSL CipherSpec from the list (for example, TRIPLE_DES_SHA_US). Note the name because you need it for the SSL configuration for the IBM Business Monitor server.
Important: Make sure that this CipherSpec has also been configured in WebSphere MQ. For more information about CipherSpecs and choosing the appropriate Cipher Suite, see the related link to IBM WebSphere Developer Technical Journal: Securing connections between WebSphere Application Server and WebSphere MQ.
- Select Accept only certificates with Distinguished Names matching these values and enter the DN from the IBM Business Monitor server that you noted in step 1. Click OK. This channel accepts connections from this IBM Business Monitor server only.
- Create an SSL configuration for the specific CipherSpec that was chosen for the server-connection channel. Because the default SSL setting for the IBM Business Monitor server has several Cipher Suites in the list and the one that you chose in step 6 is not the default, you must create an SSL configuration. Otherwise, the SSL handshake will fail.
- In the administrative console, select Security > SSL certificate and key management > SSL configurations, and click New.
- Enter a name (such as MQQmgrSSLSetting) and select the NodeDefaultTrustStore and NodeDefaultKeyStore that you used in the earlier steps. Click Apply and save the change.
- Open the SSL configuration that you just created and click Quality of protection (QoP) from Additional Properties. In the list of Cipher Suites, select only SSL_RSA_WITH_3DES_EDE_CBC_SHA (which corresponds to the TRIPLE_DES_SHA_US CipherSpec that you selected in step 6) and click Add to add it to the list of selected ciphers. Click Apply and Save.
The Selected ciphers list should contain only one cipher.
- Create an authentication alias for the IBM Business Monitor server to use to connect to the queue manager and access the WebSphere MQ resources. The default user name is the same as the primary administrative user name for the IBM Business Monitor server. You must create an alias for that name. In the next step, you assign that alias to the JMS connection factory or activation specification that you created previously.
- In the administrative console, select Security > Global security > Java Authentication and Authorization Service > J2C authentication data, and click New.
- Enter a name for the alias (for example, MQAlias). In the User ID and Password fields, enter the user ID (for example, wasadmin) and password for the primary administrative user.
- Click OK and click Save.
- Configure the SSL setting and alias for JMS resources. You must update the JMS connection factory or activation specification that you created previously.
Important: If you have not already created a resource, see the links in the Related tasks section and follow the appropriate procedure for creating the resource.
- In the WebSphere® Application Server administrative console, select Resources > JMS and the appropriate type of resource that you created (Queue connection factories, Topic connection factories, or Activation specifications). Click the resource that you created earlier (for example, MQQCF, MQTCF, MQActSpecQueue, or MQActSpecTopic).
- In the Connection section, select Use SSL to secure communication with WebSphere MQ. Select Specific configuration and select the SSL configuration that you created in step 7 (for example, MQQmgrSSLSetting).
- In the Security settings section, update the security settings to use the authentication alias that you created in step 8 (for example, MQAlias).
- Create a system user for the IBM Business Monitor server and grant access to the WebSphere MQ resources. In step 8, you assigned a user name to access the WebSphere MQ resources from the IBM Business Monitor server, but this user is not yet authorized to access those WebSphere MQ resources. Create a WebSphere MQ system user, add the user to the WebSphere MQ Administration Group mqm, and grant the user access to the resources.
- From the administrative console, click Users and Groups > Manage Users. Click Create to create a system user with the same name as the primary administrative user for the IBM Business Monitor server (for example, admin).
- Create the mqm group by clicking Users and Groups > Manage Groups and clicking Create. On the Create a Group page, enter mqm for Group name, and click Create.
- Add the user to the mqm group by clicking Users and Groups > Manage Groups and clicking the mqm group. Then click the tab and click Search. Select admin and click Add.
- To grant access to the system user, use DCOMCNFG.EXE to add the required access permission. For more information, see Using DCOMCNFG.EXE to change access in the related links.
- Restart the IBM Business Monitor server.
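The queue-manager side of steps 3, 4 and 6 can also be done without the GUI. The script below is an added example, not part of the IBM page, and uses runmqckm (the command-line form of the ikeyman tool) and runmqsc; it assumes both are on the PATH, that the server-connection channel is named SYSTEM.DEF.SVRCONN, and it uses a constructed key store password and queue manager DN. By default it only prints the commands; it runs them when MQ_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the IBM page): command-line equivalent of steps 3, 4
# and 6 with runmqckm and runmqsc. Queue manager name, CipherSpec and Monitor DN
# are the page's examples; channel name, key store password and the queue
# manager's own DN are constructed placeholders.
set -eu

QMGR="${QMGR:-MQQmgr}"
CHANNEL="${CHANNEL:-SYSTEM.DEF.SVRCONN}"                 # assumed channel name
SSL_DIR="${SSL_DIR:-/var/mqm/qmgrs/$QMGR/ssl}"           # MQ_home\Qmgrs\qmgr_name\ssl
KDB_PW="${KDB_PW:-changeit}"                             # placeholder; stashed by -stash
MONITOR_DN="${MONITOR_DN:-CN=Monitor12,OU=Monitor12Node05Cell,OU=Monitor12Node05,O=IBM,C=US}"
MONITOR_SIGNER="${MONITOR_SIGNER:-MonitorSignerCertificate.arm}"   # extracted in step 2

# Print commands unless MQ_APPLY=1, so the sequence can be reviewed first.
run() { if [ "${MQ_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Step 3.d naming rule: "ibmwebspheremq" + queue manager name, all lowercase.
mq_key_label() { printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; }

# Steps 3.c to 3.e: CMS key store with stashed password, self-signed
# certificate under the required label, and the signer extracted for Monitor.
create_qmgr_keystore() {
  run runmqckm -keydb -create -db "$SSL_DIR/key.kdb" -pw "$KDB_PW" -type cms -stash
  run runmqckm -cert -create -db "$SSL_DIR/key.kdb" -pw "$KDB_PW" \
      -label "$(mq_key_label "$QMGR")" -dn "CN=$QMGR,O=EXAMPLE,C=US" -size 2048 -expire 365
  run runmqckm -cert -extract -db "$SSL_DIR/key.kdb" -pw "$KDB_PW" \
      -label "$(mq_key_label "$QMGR")" -target "$SSL_DIR/MQSignerCertificate.arm" -format ascii
}

# Step 4: the Monitor signer goes into the same .kdb (key store and trust store are one file).
add_monitor_signer() {
  run runmqckm -cert -add -db "$SSL_DIR/key.kdb" -pw "$KDB_PW" \
      -label MonitorSignerCertificate -file "$MONITOR_SIGNER" -format ascii
}

# Step 6 as MQSC: point the queue manager at the repository (path without .kdb),
# require the CipherSpec, and pin the channel to the Monitor certificate DN (SSLPEER).
channel_mqsc() {
  printf "ALTER QMGR SSLKEYR('%s/key')\n" "$SSL_DIR"
  printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) SSLCIPH(TRIPLE_DES_SHA_US) SSLPEER('%s')\n" \
      "$CHANNEL" "$MONITOR_DN"
  printf "REFRESH SECURITY TYPE(SSL)\n"
}
apply_channel_mqsc() {
  if [ "${MQ_APPLY:-0}" = 1 ]; then channel_mqsc | runmqsc "$QMGR"; else channel_mqsc; fi
}

create_qmgr_keystore
add_monitor_signer
apply_channel_mqsc
```

The SSLPEER value is what makes step 6.d effective: a client presenting any other certificate signed by a trusted signer is still refused on this channel.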
