Follow these instructions to set up one-way authentication.
Before you begin
- Create a queue manager, channels, and transmission queues.
- Create a server or client certificate on the server queue manager.
- Transfer the CA certificate to the client queue manager and import it into the key repository.
- Start a listener on the server and client queue managers.
About this task
To use one-way authentication with a computer running IBM® i as the TLS server, set the SSL Key Repository (SSLKEYR) parameter to *SYSTEM. This setting registers the IBM MQ queue manager as an application. You can then assign a certificate to the queue manager to enable one-way authentication.
You can also use private keystores to implement one-way authentication by creating a dummy certificate for the client queue manager in the key repository.
Procedure
- Perform the following steps on the server and client queue managers:
  - Alter the queue manager to set the SSLKEYR parameter by issuing the command:
      CHGMQM MQMNAME(SSL) SSLKEYR(*SYSTEM)
  - Stash the password for the default key repository by issuing the command:
      CHGMQM MQMNAME(SSL) SSLKEYRPWD('xxxxxxx')
    The password must be in single quotation marks.
  - Alter the channels to have the correct CipherSpec in the SSLCIPHER parameter.
  - Refresh TLS security by issuing the command:
      RFRMQMAUT QMNAME(QMGRNAME) TYPE(*SSL)
- Assign the certificate to the server queue manager using DCM, as follows:
  - Access the DCM interface, as described in Accessing DCM.
  - In the navigation panel, click Select a Certificate Store.
    The Select a Certificate Store page is displayed in the task frame.
  - Select the *SYSTEM certificate store and click Continue.
  - In the left panel, expand Manage Applications.
  - Select the View Application definition to check that the queue manager has been registered as an application.
    SSL (WMQ) is listed in the table.
  - Select Update Certificate Assignment.
  - Select Server and click Continue.
  - Select QMGRNAME (WMQ) and click Update certificate assignment.
  - Select the certificate and click Assign New Certificate. A window opens stating that the certificate has been assigned to the application.