Using CA-signed certificates for mutual authentication of two queue managers
Follow these sample instructions to implement mutual authentication between two queue managers, using CA-signed TLS certificates.
About this task
Scenario:
- You have two queue managers called QM1 and QM2, which need to communicate securely. You require mutual authentication to be carried out between QM1 and QM2.
- In the future you are planning to use this network in a production environment, and therefore you have decided to use CA-signed certificates from the beginning.
In Figure 1, the key repository for QM1 contains QM1's certificate and the CA certificate. The key repository for QM2 contains QM2's certificate and the CA certificate.
In this example both QM1's certificate and QM2's certificate were issued by the same CA. If QM1's certificate and QM2's certificate were issued by different CAs then the key repositories for QM1 and QM2 must contain both CA certificates.
Procedure
Results
What to do next
Check that the task has been completed successfully by using DISPLAY commands. If the task was successful, the resulting output is like that shown in the following examples.
On queue manager QM1, which holds the sender end of the channel, enter the following command:
DISPLAY CHS(TO.QM2) SSLPEER SSLCERTI
The resulting output is like the following example:
DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
4 : DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
CHANNEL(TO.QM2) CHLTYPE(SDR)
CONNAME(192.0.0.2) CURRENT
RQMNAME(QM2)
SSLCERTI("CN=<Division> CA,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QM2,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
STATUS(RUNNING) SUBSTATE(MQGET)
XMITQ(QM2)
On queue manager QM2, which holds the receiver end of the channel, enter the following command:
DISPLAY CHS(TO.QM2) SSLPEER SSLCERTI
The resulting output is like the following example:
DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
5 : DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
CHANNEL(TO.QM2) CHLTYPE(RCVR)
CONNAME(192.0.0.1) CURRENT
RQMNAME(QM1)
SSLCERTI("CN=<Division> CA,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QM1,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
STATUS(RUNNING) SUBSTATE(RECEIVE)
XMITQ( )
In each case, the value of SSLPEER must match that of the Distinguished Name (DN) in the partner certificate that was created in Step 2. The issuer name matches the subject DN of the CA certificate that signed the personal certificate added in Step 4.
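The check described above can be scripted. The following is an added example, not part of the original instructions or of IBM MQ: it parses captured DISPLAY CHSTATUS output and compares SSLPEER and SSLCERTI with the DNs you expect. The function names, the sample DN values and the assumption that DNs contain no escaped commas are all illustrative.

```python
import re

# KEYWORD(value) or KEYWORD("quoted value") pairs as printed by runmqsc.
ATTR = re.compile(r'(\w+)\((?:"([^"]*)"|([^)]*))\)')

def parse_chstatus(text):
    """Return {KEYWORD: value} for one DISPLAY CHSTATUS response."""
    attrs = {}
    for m in ATTR.finditer(text):
        quoted, bare = m.group(2), m.group(3)
        attrs[m.group(1)] = (quoted if quoted is not None else bare).strip()
    return attrs

def dn_fields(dn):
    """Split a DN into ordered (attribute, value) pairs; assumes no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_channel(text, expected_peer_dn, expected_issuer_dn):
    """Return a list of problems; an empty list means the status matches expectations."""
    a = parse_chstatus(text)
    problems = []
    if a.get("STATUS") != "RUNNING":
        problems.append("channel not RUNNING")
    # SERIALNUMBER changes when a certificate is reissued, so compare the DN without it.
    peer = [p for p in dn_fields(a.get("SSLPEER", "")) if p[0] != "SERIALNUMBER"]
    if not peer:
        problems.append("SSLPEER empty: no partner certificate DN reported")
    elif peer != dn_fields(expected_peer_dn):
        problems.append("SSLPEER does not match the expected partner DN")
    if dn_fields(a.get("SSLCERTI", "")) != dn_fields(expected_issuer_dn):
        problems.append("SSLCERTI does not match the expected CA DN")
    return problems

# Constructed sample in the layout shown above (DN values are made up).
SAMPLE = '''AMQ8417: Display Channel Status details.
   CHANNEL(TO.QM2)  CHLTYPE(SDR)
   CONNAME(192.0.0.2)  CURRENT
   RQMNAME(QM2)
   SSLCERTI("CN=Example CA,OU=Test,O=Example,ST=Hants,C=GB")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QM2,OU=Test,O=Example,ST=Hants,C=GB")
   STATUS(RUNNING)  SUBSTATE(MQGET)
   XMITQ(QM2)'''
PEER = "CN=QM2,OU=Test,O=Example,ST=Hants,C=GB"
CA = "CN=Example CA,OU=Test,O=Example,ST=Hants,C=GB"

if __name__ == "__main__":
    print(check_channel(SAMPLE, PEER, CA) or "OK")
```

Run the same check against the output captured on each queue manager, passing the partner's DN each time. An empty SSLPEER is reported separately because it means the channel is running without the partner having been identified by a certificate.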