You can generate IBM MQ certificates in Self Service, download
the generated certificates, and import the certificates in your client application.
Before you begin
You must have the Developer role or the Organization
Administrator role to generate
an IBM MQ certificate.
About this task
Your old certificates that are generated before the November 2020 release continue to work in
addition to the newly generated certificates. You must gradually migrate to new certificates. For
more information, see Migrating MQ certificates.
A certificate is valid for one year. You can view the expiry date of the certificate under the
Certificates tab. A notification alert is sent to the owner of the
certificate for the certificates that are going to expire after a month. Alerts are sent even for
certificates that are expiring after a week and after a day. When you receive a notification, you
must generate a new certificate manually and use the new certificate. The
Organization
Administrator
receives a summary of all the certificates that are going to expire in a month or in a
week.
Note: Expired certificates are removed from the application and database after 90 days of
expiration.
The following table lists the actions for the IBM MQ certificates that a user with the
Developer and the
Organization
Administrator role can do.
| Role |
Actions |
| Developer |
- Generate IBM MQ certificates.
- View all IBM MQ certificates that are generated by the user themselves.
- Download all IBM MQ certificates that are generated by the user themselves.
- Apply changes after generating and revoking IBM MQ certificates..
|
| Organization
Administrator |
- View all IBM MQ certificates.
- Generate IBM MQ certificates.
- Download all IBM MQ certificates.
- Revoke all IBM MQ certificates.
- Apply changes after generating and revoking all IBM MQ certificates.
|
Procedure
To generate an IBM MQ certificate, complete the following steps.
-
Access Self Service with your
IBMid.
-
From the Self Service menu, click
Environments.
- From the list of environments, select an environment.
- In the Certificates tab, click
Inbound.
- Select the certificate type as MQ certificates.
- Click Generate certificate.
- In the Add certificate page, enter the following details.
- Certificate owner - If the certificate is for a person, enter their name
or email address. If the certificate is for a device, enter an ID to identify the device. For
example, enter the store name and a serial number for the device such as 'Store123-serial
456789'.
- Integration platform - Enter the MQ server supply integration platform
name. It can contain alphanumeric characters in uppercase and lowercase, a period, or a hyphen. It
does not support spaces or any other special characters.
- Click Generate.
What to do next
Download the IBM MQ certificate and import it in your client to access the IBM MQ servers.
For more information, see Downloading inbound certificates.You must apply the generated IBM
MQ certificate on your IBM MQ servers. To apply a certificate, select the certificate and click
Apply changes. A user with Organization
Administrator and Developer role can apply the changes.
In the
Apply IBM MQ
certificate page, select the date and time at which you want to start applying the
certificates for your IBM MQ servers.
Note: If you select a date prior to the current date, the
process to apply changes is started immediately.
When you apply the IBM MQ certificates
on the IBM MQ servers, the SSL enabled channels are cycled and all IBM MQ clients need to reconnect.
Therefore, you might want to schedule this action for a low volume period of the day to minimize the
impact of connections being reestablished.
When the change is scheduled, you can view it as a
process in the queue. The following two processes are run according to the schedule.
- The first process applies the new certificate to the truststore of IBM MQ.
- The second process refreshes the IBM MQ security and the channel bounces.