IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Creating SSL certificates for the WebSphere MQ Java Client

The WebSphere® MQ Java™ Client supports SSL-encrypted connections over the server-connection (SVRCONN) channel between an application and the queue manager. To configure SSL-encrypted connections you must first create key stores and certificates.

Before you start:

Each WebSphere MQ queue manager has a key repository for certificates. When an application attempts to connect to a secure queue manager, the application's certificate must be validated against the contents of the queue manager's key repository. One option for configuring SSL for the queue manager is to use a self-signed certificate.

Two certificates must be signed and created. One must be created for the server queue manager, and a second created for the client, for example the IBM Integration Explorer.

The instructions in this topic use the gsk7cmd command to create and sign the certificates. Run the gsk7cmd for a full list of the parameters you can use on the command. To run the gsk7cmd command:
  • On Windows, enter the following command on a command line:
    C:\Program Files\IBM\gsk7\bin\gsk7cmd
  • On Linux, enter the following command on a command line:
    /opt/mqm/ssl/jre/bin/gsk7cmd
Refer to the WebSphere MQ security documentation for more information about SSL, and creating certificates.
Parent topic: Enabling SSL on the WebSphere MQ Java Client

Creating a server certificate for the queue manager

Use the IBM Key Management tools on the command line to create a certificate for the queue manager. In the following example you must replace the following parameters with your own values:
password
A password for the certificate repository.
qmname
The name of the queue manager for which you want to create a certificate in lower case.
QMNAME
The name of the queue manager for which you want to create a certificate in upper case.
  1. Run the following command to create a key repository of type cms: 
    gsk7cmd
  -keydb-create
  -dbkey.kdb
  -pwPASSWORD
  -typecms -stash
    The key.crl, key.kdb, key.rdb, and key.sth key files are created.
  2. Run the following command to create a self-signed certificate, where the -dn flag contains details of your organization: 
    gsk7cmd
  -cert-create
  -dbkey.kdb
  -pwPASSWORD
  -label"qmname"
  -dn"CN=My Queue Manager,O=My Company,C=UK"
  -expire1000
  3. Run the following command to create a request for a personal certificate: 
    gsk7cmd
  -certreq-create
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  -dn"CN=My Queue Manager,O=My Company,C=UK"
  -fileQMNAME_request.arm
  4. Sign the certificate using a certificate authority.
    • To obtain a certificate from a certificate authority, you must send the file containing a certificate signing request to your chosen certificate authority.
    • Alternatively you can use the IBM Key Management tools on the command line to sign the certificate. 
      gsk7cmd
  -cert-sign
  -dbkey.kdb
  -pwPASSWORD
  -label"qmname"
  -fileQMNAME_request.arm
  -targetQMNAME_signed.arm
  -expire364
  5. Run the following command to add the signed certificate to the repository: 
    gsk7cmd
  -cert-receive
  -dbkey.kdb
  -pwPASSWORD
  -fileQMNAME_signed.arm
  6. Run the following command to export the signed client userid certificate in a transferable format (in this case PKCS12), with the associated private key and public CA certificate: 
    gsk7cmd
  -cert-export
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  -targetQMNAME_personal.p12
  -target_pwPASSWORD
  -target_typepkcs12
  7. Delete the certificate from the repository: 
    gsk7cmd
  -cert-delete
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  8. Create a subdirectory called QMNAME_CMS, and navigate to this directory on the command line.
  9. Run the following command to create a certificate repository in the QMNAME_CMS directory: 
    gsk7cmd
  -keydb-create
  -dbkey.kdb
  -pwPASSWORD
  -typecms –stash
  10. Run the following command to import the PKCS12 file into the repository: 
    gsk7cmd
  -cert-import
  -file"QMNAME_personal.p12"
  -pwPASSWORD
  -typepkcs12
  -targetkey.kdb
  -target_pwPASSWORD
  -target_typecms
  11. Return to the original directory in which you created the key repository in step 1.
Follow the steps in the next section to create a client certificate for the IBM Integration Explorer.

Creating a client certificate for the IBM Integration Explorer

Use the IBM Key Management tools on the command line to create a certificate for the IBM Integration Explorer. In the following example you must replace the following parameters with your own values:
password
A password for the certificate repository.
qmname
The name of the queue manager for which you want to create a certificate in lower case. This is the same value used in the steps to create a client certificate for the queue manager.
USERID
The user id for which you want to create a certificate.
  1. In the directory where you created a key repository for the server queue manager in step 1 above, run the following command to create a request (private key plus certificate details) for a certificate to be signed for the server queue manager: 
    gsk7cmd
  -certreq-create
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  -dn"CN=userid@mycompany.com,O=My Company,C=UK"
  -fileUSERID_request.arm
  2. Run the following command to sign the certificate: 
    gsk7cmd
  -cert-sign
  -dbkey.kdb
  -pwPASSWORD
  -label"qmname"
  -fileUSERID_request.arm
  -targetUSERID_signed.arm
  -expire364
  3. Run the following command to add the signed certificate to the repository: 
    gsk7cmd
  -cert-receive
  -dbkey.kdb
  -pwPASSWORD
  -fileUSERID_signed.arm
  4. Run the following command to export the signed client userid certificate in a transferable format (in this case pkcs12), with the associated private key and public CA certificate: 
    gsk7cmd
  -cert-export
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  -targetUSERID_personal.p12
  -target_pwPASSWORD
  -target_typepkcs12
  5. Delete the certificate from the repository: 
    gsk7cmd
  -cert-delete
  -dbkey.kdb
  -pwPASSWORD
  -label"ibmwebspheremqqmname"
  6. Create a subdirectory called USERID_JKS, and navigate to this directory on the command line.
  7. Run the following command to create a certificate repository in the USERID_JKS directory: 
    gsk7cmd
  -keydb-create
  -dbkeyStore.jks
  -pwPASSWORD
  -typejks
  8. Run the following command to import the pkcs12 file into the repository: 
    gsk7cmd
  -cert-import
  -file"USERID_personal.p12"
  -pwPASSWORD
  -typepkcs12
  -targetkeyStore.jks
  -target_pwPASSWORD
  -target_typejks"
  9. Return to the original directory in which you created the key repository in step 1.

You must now copy the files from the Label_CMS directory to your queue manager's SSL directory. For example, /var/mqm/qmgrs/QM1/ssl or C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl. The keystore.jksfile in the LABEL_JKS directory must be on the same machine as the IBM Integration Explorer. You might also require the AMQCLCHL.TAB file to be copied to the same system as the IBM Integration Explorer. This file can be found in the queue manager's @ipcc directory, for example, /var/mqm/qmgrs/QM1/@ipcc or C:\Program Files\IBM\WebSphere MQ\qmgrs\QM1\@ipcc.

When you configure the SSL settings in the IBM Integration Explorer you must specify the full path to the keystore.jksfile.

Related concepts:
Security overview
Related tasks:
Using security exits
Implementing SSL authentication
Enabling SSL on the WebSphere MQ Java Client
Related reference:
Security requirements for administrative tasks
Related information:
WebSphere MQ Version 7 product documentation
bp10610_.htm | Last updated Friday, 21 July 2017