Queue manager certificate administration

When using IBM® MQ as a Service it is important to protect data that flows through your queue managers.

Public certificates and private keys can be used to encrypt data in transit and at rest using transport layer security (TLS) and Advanced Message Security (AMS). IBM MQ as a Service provides a default certificate and private key pair for your queue manager on creation. The certificate and private key pair can be used to authenticate the queue manager to connecting IBM MQ clients and to encrypt and decrypt data. IBM MQ as a Service also lets administrators import their own customer-generated certificates and manage their use within the queue manager. This topic explains how the provided certificates are managed by the service, the steps administrators need to follow to handle expiring certificates, and how to import your own customer-generated certificates.

IBM certificate management policy

When a queue manager is created, a default certificate chain is added to the queue manager's key store and trust store. The key store contains the certificate used by the queue manager, and the trust store contains the intermediate and root CA certificates used to sign the queue manager certificate. The default certificate is configured for use by the queue manager, the IBM MQ Console and the REST APIs. Only the queue manager certificate can be replaced.

Certificates can be viewed in the service by selecting a queue manager and clicking the Key store tab. Each certificate in the key store is shown with four icons (greyed out when not in use), which from left to right represent:

  • Queue manager default certificate (used when no explicit certificate is chosen in configuration)
  • Used in TLS channel configuration
  • Used in AMS channel configuration
  • Used by IBM MQ Console and REST APIs

The default certificate has a 90-day expiration period. When nearing expiry the following process is invoked by the service:

  • Approximately 30 days before expiration a new certificate is added to the queue manager key store
    • Queue managers that have not been configured to enable TLS use the new certificate by default
    • Queue managers that are configured to use TLS continue to use the old certificate; the new certificate is made available for use
    • The IBM MQ Console and REST APIs for existing queue managers continue to use the old certificate
    • The IBM MQ Console and REST APIs for new queue managers use the new certificate
  • Approximately 14 days before expiration the new certificate becomes the default
    • Queue managers that are configured to use TLS or AMS have the default certificate replaced with the new certificate (IBM MQ clients will be disconnected for a short time, while the security configuration is refreshed)
    • The IBM MQ Console and REST APIs use the new certificate
    • The old certificate is removed from the queue manager key store
Note:
  • Queue managers that have been configured to use a customer generated certificate remain unaffected by the above process. Customer generated certificate expiry is the responsibility of the queue manager administrator.
  • Certificates originally had an expiration period of 1 year. This has been reduced to 90 days.

Handling certificate expiry

IBM MQ as a Service shows notifications in the service console user interface when IBM-provided certificates near expiry.

At 30 and 14 days before expiry, warnings of increasing severity are displayed in the queue manager list view and on the queue manager details pages. During this period, TLS and AMS enabled IBM MQ clients and connected queue managers need their trust stores updated to include the new certificate. To download the new certificate from the service, complete these steps:

  1. Open the Key store tab for the required queue manager
  2. Select the ... icon on the new certificate
  3. Click the Download public certificate button to download the PEM file
  4. Import the certificate into the IBM MQ client trust store

An example of importing a certificate into another queue manager trust store:

# First convert the PEM file to PKCS#12 (certificate only, no private key)
# Choose a password when prompted; it protects the .pfx file
openssl pkcs12 -export -out qmgrcert_YYYYMM.pfx -in qmgrcert_YYYYMM.pem -nokeys

# Import the certificate from the PKCS#12 file into the queue manager trust store
runmqckm -cert -import -file qmgrcert_YYYYMM.pfx -pw <pfx password> -type pkcs12 -target /var/mqm/qmgrs/<QM>/ssl/key.kdb -target_pw <password> -target_type cms -label <label>

An example of importing a certificate into a Java client trust store:

# First convert the PEM file to DER
openssl x509 -outform der -in qmgrcert_YYYYMM.pem -out qmgrcert_YYYYMM.der

# Import the certificate into the Java trust store
keytool -import -alias <label> -keystore cacerts -file qmgrcert_YYYYMM.der
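Before running either import above, it is worth checking the downloaded PEM file and relating its remaining lifetime to the 30-day and 14-day stages of the certificate management policy. The following shell script is added here as an example; it is not part of the IBM MQ as a Service documentation or tooling. It assumes openssl is installed, and the make_sample_cert function produces a constructed self-signed stand-in for the downloaded file, not an IBM-issued certificate.

```shell
#!/bin/sh
# Added example: sanity checks on a queue manager certificate PEM downloaded
# from the Key store tab, before it goes into a client or queue manager trust store.
set -eu

# Print subject, validity window and SHA-256 fingerprint, so the fingerprint can be
# compared with the certificate shown in the service console before it is trusted.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate -fingerprint -sha256
}

# Classify the certificate against the service's rotation timeline: a new certificate
# is added about 30 days before expiry and becomes the default about 14 days before.
# 'openssl x509 -checkend N' exits non-zero when the certificate expires within N seconds.
rotation_phase() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((14 * 86400)) >/dev/null 2>&1; then
        echo default-switch        # new certificate is now the default; the old one is removed
    elif ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo update-trust-stores   # new certificate is available; import it into client trust stores
    else
        echo ok                    # more than 30 days left; no rotation activity yet
    fi
}

# Constructed stand-in for a downloaded qmgrcert_YYYYMM.pem: a self-signed certificate
# valid for $2 days written to $1 (the key goes beside it). Not an IBM-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -subj "/CN=sample-qmgr" -days "$2" -out "$1" >/dev/null 2>&1
}

# Usage: sh check_cert.sh qmgrcert_YYYYMM.pem
if [ $# -gt 0 ]; then
    describe_cert "$1"
    echo "rotation phase: $(rotation_phase "$1")"
fi
```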

After the IBM MQ client or connected queue manager trust stores have been updated, the IBM MQ as a Service queue manager can be configured to use the new certificate.

  1. Open the Key store tab for the required queue manager
  2. Select the ... icon on the new certificate
  3. Click the Manage button
  4. Select the TLS and AMS configuration required
  5. Now refresh the queue manager SSL Security:
    • On the queue manager page, select Configuration.
    • Select the Security tab.
    • Select the ... icon, then Refresh SSL.
    • Confirm by clicking Refresh.

Your certificate can now be used when configuring TLS and AMS for your queue manager.

Using certificates for AMS

TLS is configured for the queue manager by default. For details on how to use certificates for AMS, see Enabling queue manager Advanced Message Security (AMS).