IBM MQ can be configured using TLS to encrypt traffic into the queue manager. Use this
task to verify if your queue manager is using TLS, to extract keys and certificates, and to
configure TLS on the migrated queue manager.
About this task
Do I need to do this?
IBM MQ can be configured to encrypt traffic into the queue manager. This encryption is completed using a key repository configured on the queue manager. IBM MQ channels then enable the TLS communication. If you are unsure whether TLS is configured in your environment, run the following command to verify:
grep 'SECCOMM(ALL\|SECCOMM(ANON\|SSLCIPH' backup.mqsc
If no results are found, TLS is not being used. However, this does not mean that TLS should not be configured in the migrated queue manager. There are several reasons why you might want to change this behavior:
- The security approach on the OpenShift® environment should be enhanced compared to the previous environment.
- If you need to access the migrated queue manager from outside of the OpenShift environment, TLS is required to pass through the OpenShift Route.
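The following script is an added example, not part of the IBM MQ documentation. It runs the same kind of check as the grep above against a constructed backup.mqsc sample: it lists the channels whose SSLCIPH carries a non-blank cipher, flags SECCOMM(ALL) or SECCOMM(ANON), and pulls out the SSLKEYR path that the extraction steps later need. The sample includes a channel with a blank SSLCIPH(' '), which a plain grep for SSLCIPH also matches even though no cipher is set, so the check skips blank values. The sample content and function names are assumptions; the script needs only sh, awk, sed and grep.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation. Checks a backup.mqsc for
# TLS settings. The backup content written below is constructed sample data.

# Write a constructed sample of a dmpmqcfg-style backup to the file given in $1:
# one channel with a cipher, one channel with a blank SSLCIPH, and the
# queue manager's key repository setting.
write_sample_backup() {
  cat > "$1" <<'EOF'
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
   SSLCIPH('ANY_TLS12_OR_HIGHER') +
   SSLCAUTH(OPTIONAL)
DEFINE CHANNEL('ADMIN.SVRCONN') CHLTYPE(SVRCONN) +
   SSLCIPH(' ')
ALTER QMGR +
   SSLKEYR('/run/runmqserver/tls/key') +
   CERTLABL('default')
EOF
}

# Print the name of every channel whose SSLCIPH value is not blank.
# Attributes may continue on following lines, so the channel name seen most
# recently is the one an SSLCIPH line belongs to.
tls_channels() {
  awk -v q="'" '
    index($0, "DEFINE CHANNEL(") {
      s = $0; sub(".*DEFINE CHANNEL\\(" q, "", s); sub(q ".*", "", s); chl = s
    }
    index($0, "SSLCIPH(") {
      v = $0; sub(".*SSLCIPH\\(" q, "", v); sub(q ".*", "", v); gsub(/ /, "", v)
      if (v != "") print chl
    }
  ' "$1"
}

# Return 0 (true) when the backup shows TLS in use: SECCOMM(ALL) or
# SECCOMM(ANON) anywhere, or at least one channel with a cipher.
tls_in_use() {
  grep -Eq 'SECCOMM\((ALL|ANON)\)' "$1" && return 0
  [ -n "$(tls_channels "$1")" ]
}

# Print the SSLKEYR value (the key repository path without its .kdb suffix),
# using the same sed idea as the extraction script later on the page.
keystore_path() {
  sed -n "s/^.*SSLKEYR('\([^']*\)').*$/\1/p" "$1"
}

# Run the checks over the sample and report the result.
report() {
  f=$(mktemp)
  write_sample_backup "$f"
  if tls_in_use "$f"; then
    echo "TLS in use on channels: $(tls_channels "$f" | tr '\n' ' ')"
    echo "Key repository: $(keystore_path "$f").kdb"
  else
    echo "TLS not in use in this backup"
  fi
  rm -f "$f"
}

report
```

To run it against a real backup, replace the call to write_sample_backup with the path of your own backup.mqsc; the channel list tells you which channels will need matching cipher and certificate settings on the migrated queue manager.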
Procedure
- Extract any trusted certificates from the existing store.
If TLS is currently in use on the queue manager, the queue manager might have a number of trusted certificates stored. These need to be extracted and copied to the new queue manager. Complete one of the following optional steps:
- To streamline the extraction of the certificates, run the following script on the local system:
#!/bin/bash
# Usage: extractCert.sh <path to backup.mqsc>
# Reads the SSLKEYR value from the backup, lists the certificates in that
# key repository and extracts each one to <n>.cert in the current directory.
keyr=$(grep SSLKEYR "$1")
if [ -n "${keyr}" ]; then
  # Take the path between the quotes of SSLKEYR('...'); the .kdb suffix is added below
  keyrlocation=$(sed -n "s/^.*'\(.*\)'.*$/\1/ p" <<< "${keyr}")
  # The first line of the listing is the "Certificates in database ..." header and is skipped
  mapfile -t runmqckmResult < <(runmqckm -cert -list -db "${keyrlocation}.kdb" -stashed)
  cert=1
  for i in "${runmqckmResult[@]:1}"
  do
    # xargs trims the leading whitespace from the label
    certlabel=$(echo "${i}" | xargs)
    echo "Extracting certificate ${certlabel} to ${cert}.cert"
    runmqckm -cert -extract -db "${keyrlocation}.kdb" -label "${certlabel}" -target "${cert}.cert" -stashed
    cert=$((cert+1))
  done
fi
When running the script, specify the location of the IBM MQ backup as an argument and the certificates are extracted. For instance, if the script is called extractCert.sh and the IBM MQ backup is located at /tmp/backup.mqsc, run the following command:
extractCert.sh /tmp/backup.mqsc
- Alternatively, run the following commands in the order shown:
- Identify the location of the TLS store:
grep SSLKEYR /tmp/backup.mqsc
Sample output:
SSLKEYR('/run/runmqserver/tls/key') +
The key store is therefore located at /run/runmqserver/tls/key.kdb (IBM MQ appends the .kdb suffix to the SSLKEYR value).
- Based on this location information, query the key store to determine the stored certificates:
runmqckm -cert -list -db /run/runmqserver/tls/key.kdb -stashed
Sample output:
Certificates in database /run/runmqserver/tls/key.kdb:
default
CN=cs-ca-certificate,O=cert-manager
- Extract each of the listed certificates. Do this by running the following command:
runmqckm -cert -extract -db KEYSTORE_LOCATION -label "LABEL_NAME" -target OUTPUT_FILE -stashed
In the samples previously shown this equates to the following:
runmqckm -cert -extract -db /run/runmqserver/tls/key.kdb -label "CN=cs-ca-certificate,O=cert-manager" -target /tmp/cert-manager.crt -stashed
runmqckm -cert -extract -db /run/runmqserver/tls/key.kdb -label "default" -target /tmp/default.crt -stashed
- Acquire a new key and certificate for the queue manager.
To configure TLS on the migrated queue manager, you generate a new key and certificate. This is then used during the deployment. In many organizations this means contacting your security team to request a key and certificate. In some organizations this option is not available, and self-signed certificates are used.
The following example generates a self-signed certificate where the expiry is set to 10 years:
openssl req \
-newkey rsa:2048 -nodes -keyout qmgr.key \
-subj "/CN=mq queuemanager/OU=ibm mq" \
-x509 -days 3650 -out qmgr.crt
Two new files are created:
- qmgr.key is the private key for the queue manager
- qmgr.crt is the public certificate
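The following script is an added example, not part of the IBM MQ documentation. It runs the same openssl command as above into a temporary directory and then performs the checks worth doing before the key pair is used in a deployment: that the private key and certificate carry the same public key, that the certificate is valid for the expected period, that the subject is what was requested, and that the key file is readable only by its owner. It assumes openssl is on PATH; the function names are assumptions, while the file names and subject are the page's own.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation. Generates the self-signed
# key pair with the same openssl command as the page, then checks it before it
# is handed to the deployment. Assumes openssl is on PATH.

# Generate qmgr.key and qmgr.crt in the directory given in $1 (RSA 2048, 10 years).
generate_self_signed() {
  openssl req \
    -newkey rsa:2048 -nodes -keyout "$1/qmgr.key" \
    -subj "/CN=mq queuemanager/OU=ibm mq" \
    -x509 -days 3650 -out "$1/qmgr.crt" 2>/dev/null
}

# Return 0 when the private key ($1) and certificate ($2) carry the same public
# key; a mismatched pair is a common reason a TLS channel fails to start.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate ($1) is still valid for at least $2 more days
# (openssl -checkend takes seconds, so the day count is converted).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the subject so the CN/OU can be compared with what the security team
# or the deployment expects.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Generate into a temporary directory, run the checks and tighten the key's mode.
demo() {
  d=$(mktemp -d)
  generate_self_signed "$d"
  chmod 600 "$d/qmgr.key"   # the private key is for the queue manager only
  cert_subject "$d/qmgr.crt"
  key_matches_cert "$d/qmgr.key" "$d/qmgr.crt" && echo "key and certificate match"
  cert_valid_for_days "$d/qmgr.crt" 3000 && echo "certificate valid for 3000+ days"
  rm -rf "$d"
}

command -v openssl >/dev/null 2>&1 && demo
```

The same key_matches_cert and cert_valid_for_days checks apply unchanged to a key and certificate issued by your security team; run them on the files before they are placed in the key repository of the migrated queue manager.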
What to do next
You are now ready to configure LDAP.