Creating a certificate for a secure backup

You require a TLS certificate to create and restore a secure backup.

About this task

You can create a certificate on the appliance, or upload a certificate created elsewhere. The certificate is required for a secure backup. Both the certificate and the certificate's private key are required for a secure restore.

You use the keygen command to generate a certificate. When using keygen you must specify additional options to copy the generated certificate and private key files to the temporary: directory so that you can subsequently download them to a location where you can use them for a secure restore. You should delete the certificate files from temporary: after you have downloaded them.

After you generate (or upload) the certificate, you must use it to create a certificate object on the appliance. It is this certificate object that you use to create the secure backup.

Procedure

  • To create a certificate:
    1. Connect to the IBM® MQ Appliance as described in Command line access.
    2. Log in as a user in the administrators group.
    3. Enter crypto configuration mode: 
      crypto
    4. Type the following command: 
      keygen CN "common-cert_name" gen-sscert file-name ss_cert_name export-key export-sscert
      Where:
      conmon-cert-name
      Is the common name of the certificate.
      ss-cert-name
      Is the name of the self-signed certificate.
      The export-key and export-sscert parameters specify that copies of the certificates and keys are written to the temporary: directory, from where you can copy them to an external location.
  • To create a certificate object on the appliance using the generated (or uploaded) certificate:
    1. Connect to the IBM MQ Appliance as described in Command line access.
    2. Log in as a user in the administrators group.
    3. Enter crypto configuration mode: 
      crypto
    4. Type the following command: 
      certificate object_name ss_cert_name
      Where:
      object_name
      Is the name of the certificate object that you are creating.
      ss_cert_name
      Is the name of the self-signed certificate that you specified when the certificate was created.

Example

The following command creates a certificate and copies it to the temporary: directory:
mqa(config-crypto)# keygen CN "My Backup Cert" gen-sscert file-name mybackupcert export-key export-sscert

keygen: Generating a 2048 bit RSA private key
keygen: This could take some time, please be patient
keygen: Saved private key in 'cert:///mybackupcert-privkey.pem'
keygen: Saved private key in 'temporary:///mybackupcert-privkey.pem' [INSECURE DIRECTORY]
keygen: Saved certificate signing request in 'temporary:///mybackupcert.csr'
keygen: Saved self-signed certificate in 'cert:///mybackupcert-sscert.pem'
keygen: Saved self-signed certificate in 'temporary:///mybackupcert-sscert.pem'

The files mybackupcert-privkey.pem, mybackupcert.csr, and mybackupcert-sscert.pem are created and copied to the temporary: directory.

The following command creates a certificate object that can be used for creating a secure backup:
mqa(config-crypto)# certificate mybackupcert cert:///mybackupcert-sscert.pem
The object mybackupcert is created and can then be used to create a secure backup of the appliance.