Optional: Extracting and acquiring the queue manager keys and certificates

IBM MQ can be configured using TLS to encrypt traffic into the queue manager. Use this task to verify if your queue manager is using TLS, to extract keys and certificates, and to configure TLS on the migrated queue manager.

Before you begin

This task assumes that you have extracted the queue manager configuration.

About this task

Do I need to do this?

IBM MQ can be configured to encrypt traffic into the queue manager. This encryption is completed using a key repository configured on the queue manager. IBM MQ channels then enable the TLS communication. If you are unsure if it is configured in your environment, run the following command to verify:


If no results are found, TLS is not being used. However, this does not mean that TLS should not be configured in the migrated queue manager. There are several reasons why you might want to change this behavior:

  • The security approach on the OpenShift® environment should be enhanced compared to the previous environment.
  • If you need to access the migrated queue manager from outside of the OpenShift environment, TLS is required to pass through the OpenShift Route.


  1. Extract any trusted certificates from the existing store.

    If TLS is currently in use on the queue manager, the queue manager might have a number of trusted certificates stored. These need to be extracted and copied to the new queue manager. Complete one of the following optional steps:

    • To streamline the extraction of the certificates, run the following script on the local system:
      keyr=$(grep SSLKEYR $1)
      if [ -n "${keyr}" ]; then
      	keyrlocation=$(sed -n "s/^.*'\(.*\)'.*$/\1/ p" <<< ${keyr})
      	mapfile -t runmqckmResult < <(runmqckm -cert -list -db ${keyrlocation}.kdb -stashed)
      	for i in "${runmqckmResult[@]:1}"
                 certlabel=$(echo ${i} | xargs) 
          	   echo Extracting certificate $certlabel to $cert.cert
      	   runmqckm -cert -extract -db ${keyrlocation}.kdb -label "$certlabel" -target ${cert}.cert -stashed
      When running the script, specify the location of the IBM MQ backup as an argument and the certificates are extracted. For instance, if the script is called extractCert.sh and the IBM MQ backup is located at /tmp/backup.mqsc then run the following command:
      extractCert.sh /tmp/backup.mqsc
    • Alternatively, run the following commands in the order shown:
      1. Identify the location of the TLS store:
        grep SSLKEYR /tmp/backup.mqsc 
        Sample output:
        SSLKEYR('/run/runmqserver/tls/key') +
        where the key store is located at /run/runmqserver/tls/key.kdb
      2. Based on this location information, query the key store to determine the stored certificates:
        runmqckm -cert -list -db /run/runmqserver/tls/key.kdb -stashed
        Sample output:
        Certificates in database /run/runmqserver/tls/key.kdb:
      3. Extract each of the listed certificates. Do this by running the following command:
        runmqckm -cert -extract -db KEYSTORE_LOCATION -label "LABEL_NAME" -target OUTPUT_FILE -stashed
        In the samples previously shown this equates to the following:
        runmqckm -cert -extract -db /run/runmqserver/tls/key.kdb -label "CN=cs-ca-certificate,O=cert-manager" -target /tmp/cert-manager.crt -stashed
        runmqckm -cert -extract -db /run/runmqserver/tls/key.kdb -label "default" -target /tmp/default.crt -stashed
  2. Acquire a new key and certificate for the queue manager

    To configure TLS on the migrated queue manager, you generate a new key and certificate. This is then used during the deployment. In many organizations this means contacting your security team to request a key and certificate. In some organizations this option is not available, and self-signed certificates are used.

    The following example generates a self-signed certificate where the expiry is set to 10 years:

    openssl req \
           -newkey rsa:2048 -nodes -keyout qmgr.key \
           -subj "/CN=mq queuemanager/OU=ibm mq" \
           -x509 -days 3650 -out qmgr.crt

    Two new files are created:

    • qmgr.key is the private key for the queue manager
    • qmgr.crt is the public certificate

What to do next

You are now ready to configure LDAP.