Setting up security in IBM® WebSphere® MQ
This topic describes how to set up security in IBM® WebSphere® MQ.
JNDI security
Now that you have configured the queues and bound them in JNDI, you can secure the JMS connection by configuring SSL on the JMS channels and requiring clients to authenticate to the message queue.
Queue authentication
The queue users and their privileges are defined using the setmqaut command. The IBM® agents need to pass in the sci.queuebasedsecurity.userid and sci.queuebasedsecurity.password parameters in the agent criteria in order to authenticate.
SSL with WebSphere MQ
IBM WebSphere® MQ supports one-way and two-way SSL. This procedure presents the configuration of one-way SSL, where the client verifies the identity of the queue manager it is connecting to through the queue manager's certificate. The same concept can be extended to enable two-way SSL.
- Use the runmqsc command to verify the location of the keystore and to create a channel that will be secured with SSL:

    mqm@devdell04:/opt/mqm/bin> ./runmqsc sciqm
    dis qmgr sciqm
    AMQ8404: Display Queue Manager details.
    QMNAME (sciqm) SSLKEYR (/var/mqm/qmgrs/sciqm/ssl/key)

- Create a channel to be secured via SSL:

    define channel(SSL_SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA) SSLCAUTH(OPTIONAL) TRPTYPE(TCP)
         4 : define channel(SSL_SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA) SSLCAUTH(OPTIONAL) TRPTYPE(TCP)
    AMQ8014: WebSphere MQ channel created.
Set up the environment and start the strmqikm command.
The strmqikm tool is used to create the required keystores and certificates.
Export the JAVA_HOME and DISPLAY variables for your environment.
Note: These steps assume that you have X Window support. If you are using PuTTY, Windows, or the WebSphere® MQ GUI-based configuration utilities, the steps may differ.

    /opt/mqm/bin/strmqikm
- In the location discovered by the dis qmgr SSLKEYR command, create the server keystore file:
  - From the IBM Key Management menu bar, select the menu item that displays the New dialog box.
  - From the Key database type drop down, select CMS.
  - Enter the key file name in the File Name: text box. Example: key.kdb
  - In the Location: text box, enter the path returned by dis qmgr SSLKEYR and press OK.
  The Password Prompt dialog box displays.
- Set the server keystore password:
  - In the Password Prompt dialog box, type a password in the Password: text box. Retype the password in the Confirm Password: text box.
  - For Set expiration time?, accept the default. Select Stash the password to a file? and press OK.
  A dialog displays, confirming that the password has been encrypted and saved.
- Create a self-signed certificate in the server keystore:
  - From the IBM Key Management menu bar, select the menu item for a new self-signed certificate. The Create New Self-Signed Certificate dialog box displays.
  - In the Key Label text box, type ibmwebspheremq<queue-manager-name> in lower case. Example: if your queue manager name is SSL_QMGR, set the Key Label to ibmwebspheremqssl_qmgr.
  Important: Set the Key Label correctly on the self-signed certificate. Not doing so will cause the SSL connections to fail.
  - From the Version drop down box, select the certificate version. Example: X509 V3
  - From the Key Size drop down, select the key size for the key pair to be generated. Example: 1024
  - In the Common Name text box, type the fully qualified name of the host machine and press OK. Example: SSL_QMGR
  The certificate is created.
- Extract the certificate to an .arm file:
  - Select the newly created certificate and press Extract Certificate...
  Note: The Extract Certificate… button is located in the bottom-right corner of the Key database content section.
  The Extract Certificate to a File dialog box displays.
  - From the Data Type drop down box, select the data type for the target file. Example: Base64-encoded ASCII data
  - In the Certificate File name: text box, type the file name the certificate will be written to. Example: cert.arm
  - In the Location: text box, type the directory in which the file will be written and press OK. Example: <dir>/resources/ssl/mq/ssl_qmgr
  The certificate is extracted to the .arm file.
- Create the new client keystore file:
  - From the IBM Key Management menu bar, select the menu item that displays the New dialog box.
  - From the Key database type drop down, select JKS.
  - Type the key file name in the File Name: text box. Example: key.jks
  - In the Location: text box, type the path where the file will be saved. Example: <dir>/resources/ssl/mq/ssl_qmgr
  - Press OK to bring up the Password Prompt dialog box.
  - Type a password and press OK.
  The client keystore is created.
- Add the server's signer certificate to the client keystore:
  - From the Key database content section, press the Add… button. The Add CA's Certificate from a File dialog box displays.
  - From the Data Type drop down, select the data type of the certificate file. Example: Base64-encoded ASCII data
  - In the Certificate file name: text box, type the name of the extracted certificate file. Example: cert.arm
  - In the Location: text box, type the file location and press OK. The Enter a Label dialog box displays.
  - In the Enter a label for the certificate: text box, type the label you gave the certificate in the server keystore and press OK. Example: ibmwebspheremqssl_qmgr
  Important: Take care to provide the correct label. Not doing so will cause the SSL connections to fail.
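The following POSIX shell script is an added example, not code from the original page or from IBM: it derives the certificate label the queue manager expects (the lower-case rule the procedure above insists on) and audits runmqsc DISPLAY CHANNEL output for SVRCONN channels whose SSLCIPH is blank (no SSL) or names 3DES, RC4 or NULL encryption, which flags the page's own example cipher spec as weak by current standards. The runmqsc output it parses is constructed for this example; the channel names SYSTEM.DEF.SVRCONN and APP.SVRCONN and the AES cipher spec are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Derives the certificate label the
# queue manager expects and audits runmqsc "DISPLAY CHANNEL" output for SVRCONN
# channels that still accept plaintext or weak-cipher connections.
# The sample runmqsc output below is constructed for this example.

# MQ looks up the queue manager's personal certificate by the label
# "ibmwebspheremq" + queue manager name in lower case; any mismatch makes the
# SSL handshake fail, as the procedure above warns.
mq_cert_label() {
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Reads DISPLAY CHANNEL output on stdin and prints "<channel> <finding>" for
# each channel whose SSLCIPH is blank (no SSL at all) or names 3DES, RC4 or
# NULL encryption. CHANNEL(...) and SSLCIPH(...) may sit on different lines,
# so the channel name is remembered until its SSLCIPH attribute appears.
mq_channel_audit() {
    awk '
        match($0, /CHANNEL\([^)]*\)/) { ch = substr($0, RSTART + 8, RLENGTH - 9) }
        match($0, /SSLCIPH\([^)]*\)/) {
            c = substr($0, RSTART + 8, RLENGTH - 9); gsub(/ /, "", c)
            if (c == "") { print ch, "no-ssl" }
            else if (c ~ /3DES|RC4|NULL/) { print ch, "weak-cipher" }
        }'
}

# Constructed runmqsc output: the channel defined on this page, the default
# SVRCONN channel with no cipher, and a channel using an AES cipher spec.
SAMPLE='AMQ8414: Display Channel details.
   CHANNEL(SSL_SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(OPTIONAL)                      SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCAUTH(REQUIRED)                      SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)'

# Runs the audit over the embedded sample (on a real server, pipe
# "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SSLCIPH" through runmqsc instead).
audit_sample() {
    printf '%s\n' "$SAMPLE" | mq_channel_audit
}

printf 'label for SSL_QMGR: %s\n' "$(mq_cert_label SSL_QMGR)"
audit_sample
```

On the queue manager host, `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SSLCIPH" | runmqsc sciqm | mq_channel_audit` runs the same check against the live channel definitions.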
Implementation notes
When obtaining a connection to the queue manager via fscontext, you may see an MQJMS2013 error. Often it can be resolved by passing a blank (single space) for the username and password. These correspond to sci.queuebasedsecurity.userid and sci.queuebasedsecurity.password in agents and services.
It is possible to use nearly any JNDI repository to store the queue connection factory and queue lookups. IBM provides the following page for troubleshooting issues with WebSphere MQ when it is registered in WebSphere Application Server's JNDI. Specifically, this page explains issues found with the BINDINGS transport and security.