Using CA-signed certificates for mutual authentication of two queue managers

Follow these sample instructions to implement mutual authentication between two queue managers, using CA-signed SSL or TLS certificates.

About this task

Scenario:

  • You have two queue managers called QMA and QMB, which need to communicate securely. You require mutual authentication to be carried out between QMA and QMB.
  • In the future you are planning to use this network in a production environment, and therefore you have decided to use CA-signed certificates from the beginning.
The resulting configuration looks like this:
Figure 1. Configuration resulting from this task
Queue managers QMA and QMB are linked by the channel TO.QMB. Each queue manager has a key repository, described in the following text.

In Figure 1, the key repository for QMA contains QMA's certificate and the CA certificate. The key repository for QMB contains QMB's certificate and the CA certificate. In this example both QMA's certificate and QMB's certificate were issued by the same CA. If QMA's certificate and QMB's certificate were issued by different CAs then the key repositories for QMA and QMB must contain both CA certificates.

Procedure

  1. Prepare the key repository on each queue manager, according to operating system:
  2. Request a CA-signed certificate for each queue manager.
    You might use different CAs for the two queue managers.
  3. Add the Certificate Authority certificate to the key repository for each queue manager:
    If the queue managers use different CAs, the CA certificate for each CA must be added to both key repositories, because each queue manager must be able to validate the chain of the certificate its partner presents.
  4. Receive the CA-signed certificate to the key repository for each queue manager:
  5. On QMA, define a sender channel and associated transmission queue by issuing commands like the following example:
    
    DEFINE CHANNEL(TO.QMB) CHLTYPE(SDR) TRPTYPE(TCP) 
    CONNAME(QMB.MACH.COM) XMITQ(QMB) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) 
    DESCR('Sender channel using TLS from QMA to QMB')
    
    DEFINE QLOCAL(QMB) USAGE(XMITQ)
    
    This example uses CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA. The CipherSpecs at each end of the channel must be the same; a channel whose SSLCIPH is blank does not use TLS at all.
  6. On QMB, define a receiver channel by issuing a command like the following example:
    
    DEFINE CHANNEL(TO.QMB) CHLTYPE(RCVR) TRPTYPE(TCP) 
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) 
    DESCR('Receiver channel using TLS to QMB')
    
    The channel must have the same name as the sender channel you defined in step 5, and use the same CipherSpec. SSLCAUTH(REQUIRED) makes QMB demand and validate a certificate from QMA; the sender end always validates the receiver's certificate, so this attribute is what makes the authentication mutual. At this point any certificate issued by a CA whose certificate is in QMB's key repository is accepted. To restrict the channel to QMA's certificate, set SSLPEER on the channel or define a CHLAUTH rule of type SSLPEERMAP.
  7. Start the channel:

Results

Key repositories and channels are created as illustrated in Figure 1.

What to do next

Check that the task has been completed successfully by using DISPLAY commands. If the task was successful, the resulting output is like that shown in the following examples.

From queue manager QMA, enter the following command:

DISPLAY CHS(TO.QMB) SSLPEER SSLCERTI
The resulting output is like the following example:

DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
     4 : DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QMB)                         CHLTYPE(SDR)
   CONNAME(9.20.25.40)                     CURRENT
   RQMNAME(QMB)
   SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMB,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QMB)
From the queue manager QMB, enter the following command:

DISPLAY CHS(TO.QMB) SSLPEER SSLCERTI
The resulting output is like the following example:

DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
     5 : DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QMB)                         CHLTYPE(RCVR)
   CONNAME(9.20.35.92)                     CURRENT
   RQMNAME(QMA)
   SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMA,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
   XMITQ( )

In each case, SSLPEER is the subject Distinguished Name (DN) of the certificate the partner presented, and it must match the DN you requested for that queue manager in Step 2. SSLCERTI is the issuer DN of that certificate; it must match the subject DN of the CA certificate added in Step 3, that is, the CA that signed the personal certificate received in Step 4. If SSLPEER is blank, no partner certificate was seen and the channel is not mutually authenticated.
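The check described above can be automated. The following Python script is an added example, not IBM MQ code: it parses the DISPLAY CHSTATUS listing shown for QMA (embedded here as constructed sample text copied from the output above) and verifies that SSLPEER matches the partner's DN and SSLCERTI matches the CA's DN. The DN filter matching is a simplified model of MQ's SSLPEER filter (attribute order ignored, trailing asterisk as a prefix wildcard); escaped commas, repeated attributes and MQ's exact case rules are not reproduced, and the expected DNs passed to check_channel are taken from the page's own output.

```python
"""Parse runmqsc DISPLAY CHSTATUS output and check the TLS peer identity.

Added example, not IBM MQ code. The sample output is the listing the page
shows for queue manager QMA. Filter matching is a simplified model of the
MQ SSLPEER filter (attribute order ignored, trailing '*' wildcard).
"""
import re

# Constructed sample: the DISPLAY CHSTATUS listing from queue manager QMA.
QMA_OUTPUT = """\
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QMB)                         CHLTYPE(SDR)
   CONNAME(9.20.25.40)                     CURRENT
   RQMNAME(QMB)
   SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMB,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QMB)
"""

# The CA DN shown in the page's output (subject DN of the CA certificate).
CA_DN = "CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK"

# NAME(value): the value is either a double-quoted string (DNs contain
# commas and spaces) or a run of characters up to the closing parenthesis.
_ATTR_RE = re.compile(r'([A-Z]+)\(\s*("[^"]*"|[^)]*?)\s*\)')


def parse_chstatus(text):
    """Return {attribute: value} for every NAME(value) pair in the listing.

    Bare keywords such as CURRENT carry no value and are skipped; quoted
    values have their surrounding quotes removed; XMITQ( ) becomes ''.
    """
    attrs = {}
    for name, raw in _ATTR_RE.findall(text):
        value = raw.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        attrs[name] = value
    return attrs


def parse_dn(dn):
    """Split 'CN=QMB,O=IBM' into [('CN', 'QMB'), ('O', 'IBM')].

    Simplification: every comma is treated as a separator, so a DN with
    an escaped comma inside a value is not handled.
    """
    pairs = []
    for part in dn.split(','):
        key, _, value = part.partition('=')
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def dn_matches_filter(dn, flt):
    """True if every attribute in the filter is present in dn with a
    matching value. A filter value ending in '*' matches any value with
    that prefix. Attribute order is not significant, as in MQ's SSLPEER.
    Simplification: a DN with repeated attributes (two OU values) keeps
    only the last one.
    """
    actual = dict(parse_dn(dn))
    for key, wanted in parse_dn(flt):
        have = actual.get(key)
        if have is None:
            return False
        if wanted.endswith('*'):
            if not have.startswith(wanted[:-1]):
                return False
        elif have != wanted:
            return False
    return True


def check_channel(output, peer_filter, issuer_dn):
    """Apply the 'What to do next' check to one DISPLAY CHSTATUS listing.

    Returns (ok, problems): ok is True only when the channel is RUNNING,
    SSLPEER matches peer_filter and SSLCERTI equals issuer_dn.
    """
    attrs = parse_chstatus(output)
    problems = []
    if attrs.get('STATUS') != 'RUNNING':
        problems.append('channel status is %r, not RUNNING' % attrs.get('STATUS'))
    peer = attrs.get('SSLPEER')
    if not peer:
        problems.append('SSLPEER is blank: no partner certificate was seen')
    elif not dn_matches_filter(peer, peer_filter):
        problems.append('SSLPEER %r does not match expected %r' % (peer, peer_filter))
    issuer = attrs.get('SSLCERTI')
    if not issuer:
        problems.append('SSLCERTI is blank: no issuer recorded')
    elif parse_dn(issuer) != parse_dn(issuer_dn):
        problems.append('issuer %r is not the expected CA %r' % (issuer, issuer_dn))
    return (not problems, problems)


if __name__ == '__main__':
    ok, problems = check_channel(QMA_OUTPUT, 'CN=QMB,O=IBM', CA_DN)
    print('QMA -> QMB mutual TLS check:', 'OK' if ok else problems)
```

Run the same check on QMB with the filter `CN=QMA,O=IBM` against the listing captured there. A blank SSLPEER or a mismatched issuer means the partner was not authenticated against the expected CA, even if the channel is RUNNING.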