Using CA-signed certificates for mutual authentication of two queue managers
Follow these sample instructions to implement mutual authentication between two queue managers, using CA-signed SSL or TLS certificates.
About this task
Scenario:
- You have two queue managers called QMA and QMB, which need to communicate securely. You require mutual authentication to be carried out between QMA and QMB.
- In the future you are planning to use this network in a production environment, and therefore you have decided to use CA-signed certificates from the beginning.
In Figure 1, the key repository for QMA contains QMA's certificate and the CA certificate. The key repository for QMB contains QMB's certificate and the CA certificate. In this example both QMA's certificate and QMB's certificate were issued by the same CA. If QMA's certificate and QMB's certificate were issued by different CAs then the key repositories for QMA and QMB must contain both CA certificates.
Procedure
Results
What to do next
Check that the task has been completed successfully by using DISPLAY commands. If the task was successful, the resulting output is like that shown in the following examples.
On queue manager QMA, enter the following command:
DISPLAY CHS(TO.QMB) SSLPEER SSLCERTI
The resulting output is like the following example:
DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
4 : DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
CHANNEL(TO.QMB) CHLTYPE(SDR)
CONNAME(9.20.25.40) CURRENT
RQMNAME(QMB)
SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMB,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
STATUS(RUNNING) SUBSTATE(MQGET)
XMITQ(QMB)
On queue manager QMB, enter the following command:
DISPLAY CHS(TO.QMB) SSLPEER SSLCERTI
The resulting output is like the following example:
DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
5 : DISPLAY CHSTATUS(TO.QMB) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
CHANNEL(TO.QMB) CHLTYPE(RCVR)
CONNAME(9.20.35.92) CURRENT
RQMNAME(QMA)
SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMA,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
STATUS(RUNNING) SUBSTATE(RECEIVE)
XMITQ( )
In each case, the value of SSLPEER must match the Distinguished Name (DN) in the partner certificate that was created in Step 2. The issuer name shown in SSLCERTI must match the subject DN of the CA certificate that signed the personal certificate added in Step 4.
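The DISPLAY CHSTATUS check above can be scripted. The following Python code is an added example, not part of the original page or of IBM MQ; it parses captured runmqsc output and compares SSLPEER and SSLCERTI with the DNs you expect. The function names, the decision to drop SERIALNUMBER before comparing, and the assumption that each attribute is printed unwrapped on one line are this example's own; the sample text is the QMA output shown above.

```python
import re

# Output copied from the page's QMA example (sender channel TO.QMB).
SAMPLE_QMA = """\
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QMB)                         CHLTYPE(SDR)
   CONNAME(9.20.25.40)                     CURRENT
   RQMNAME(QMB)
   SSLCERTI("CN=WebSphere MQ CA,OU=WebSphere MQ Devt,O=IBM,ST=Hampshire,C=UK")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QMB,OU=WebSphere MQ Development,O=IBM,ST=Hampshire,C=UK")
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QMB)
"""

# NAME("quoted value") or NAME(plain value); quoted DNs may contain spaces.
ATTR = re.compile(r'(\w+)\((?:"([^"]*)"|([^()]*))\)')

def parse_chstatus(text):
    """Map each ATTR(value) pair in DISPLAY CHSTATUS output to its value."""
    return {m[1]: (m[2] if m[2] is not None else m[3]).strip()
            for m in ATTR.finditer(text)}

def parse_dn(dn):
    """Split a DN into ordered (ATTR, value) pairs, honouring escaped commas."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        key, _, value = rdn.partition('=')
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_channel(text, partner_subject_dn, ca_subject_dn):
    """Return a list of problems; an empty list means both DNs match."""
    attrs = parse_chstatus(text)
    # Assumption: SERIALNUMBER is not part of the expected subject DN, so drop it.
    peer = [p for p in parse_dn(attrs.get('SSLPEER', '')) if p[0] != 'SERIALNUMBER']
    problems = []
    if not attrs.get('SSLPEER'):
        problems.append('SSLPEER is empty: no partner certificate on this channel')
    elif peer != parse_dn(partner_subject_dn):
        problems.append('SSLPEER does not match the partner certificate DN')
    if parse_dn(attrs.get('SSLCERTI', '')) != parse_dn(ca_subject_dn):
        problems.append('SSLCERTI does not match the CA certificate subject DN')
    return problems
```

An empty SSLPEER is reported separately because it means the channel is running without a partner certificate, which is a different failure from a certificate with the wrong DN.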