Configuring SSL on queue managers

About this task

Use the IBM® Key Management (iKeyman) GUI to manage the SSL certificates. For more information, see Starting the IBM Key Management GUI .

Creating the queue manager key repository

The key repository is where certificates used by the queue manager are stored. On Windows, Linux®, and UNIX platforms, the key repository is known as the key database file.

The location of the key repository of a queue manager is specified in the queue manager's Key Repository attribute. Before you can store the queue manager certificates in the key repository, you must ensure that a key database file exists in this location. If you need to create the key database file, use the iKeyman GUI. For more information, see Security in the IBM online IBM WebSphere® MQ product documentation.

Changing the queue manager key repository

About this task

In certain circumstances you might want to change the key repository; for example, to use a single location that is shared by all queue managers on one operating system.

To change a queue manager key repository location:

Procedure

  1. Change the key repository location in the queue manager properties:
    1. Open WebSphere MQ Explorer and expand the Queue Managers folder.
    2. Right-click the queue manager, then click Properties.
    3. On the SSL property page, edit the path in the Key repository field to point to your chosen directory.
    4. On the warning dialog, click Yes.
  2. Transfer the queue manager personal certificates to the new location using the iKeyman GUI. For more information, see Security in the IBM online IBM WebSphere MQ product documentation.

Authenticating certificates using Certificate Revocation Lists

About this task

Certification Authorities (CAs) can revoke certificates that are no longer trusted by publishing them in a Certification Revocation List (CRL). When a certificate is received by a queue manager or a WebSphere MQ MQI client, it can be checked against the CRL to ensure that it has not been revoked. CRL checking is not mandatory for SSL-enabled messaging to be achieved, but is recommended to ensure the trustworthiness of user certificates.

For more information about how to set up a CRL in this way, see Security in the IBM online IBM WebSphere MQ product documentation.

To set up a connection to an LDAP CRL server:

Procedure

  1. In WebSphere MQ Explorer, expand the queue manager.
  2. Create an authentication information object of type CRL LDAP. For more information, see Creating and configuring queue managers and objects.
  3. Repeat Step 2 to create as many CRL LDAP authentication information objects as you need.
  4. Create a namelist and add the names of the authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see Creating and configuring queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK.

Results

The certificates that the queue manager receives can now be authenticated against the CRL held on the LDAP server.

You can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible.

Authenticating certificates using OCSP authentication

About this task

On UNIX systems and Windows systems, WebSphere MQ SSL support checks for revoked certificates using OCSP (Online Certificate Status Protocol) or using CRLs and ARLs on LDAP (Lightweight Directory Access Protocol) servers. OCSP is the preferred method. IBM WebSphere MQ classes for Java and IBM WebSphere MQ classes for JMS cannot use the OCSP information in a client channel definition table file. However, you can configure OCSP as described in the section Using Online Certificate Protocol. z/OS and i5/OS systems do not support OCSP checking, but they do allow the generation of client channel definition tables (CCDTs) containing OCSP information. For more information about CCDTs and OCSP, see Client channel definition table in the IBM online IBM WebSphere MQ product documentation.

To set up a connection to an OCSP server:

Procedure

  1. In WebSphere MQ Explorer, expand the queue manager.
  2. Create an authentication information object of type OCSP. For more information, see: Creating and configuring queue managers and objects.
  3. Repeat Step 2 to create as many OCSP authentication information objects as you need.
  4. Create a namelist and add the names of the OCSP authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see: Creating and configuring queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK.

Results

The certificates that the queue manager receives are authenticated against the OCSP responder.

The queue manager writes OCSP information to the CCDT.

Only one OCSP object can be added to the namelist because the SSL socket library can only use one OCSP responder URL at a time.

Configuring cryptographic hardware

About this task

WebSphere MQ can support cryptographic hardware, and the queue manager must be configured accordingly. For further information about cryptographic hardware, see: WebSphere MQ Security in the online IBM WebSphere MQ product documentation.

To configure the queue manager for cryptographic hardware:

Procedure

  1. Start WebSphere MQ Explorer.
  2. In the Navigator view, right-click the queue manager, then click Properties. The Properties dialog opens.
  3. On the SSL page, click Configure The Cryptographic Hardware Settings dialog opens.
  4. In the Cryptographic Hardware Settings dialog: All supported cryptographic cards now use PKCS #11, so ignore references to the Rainbow Cryptoswift or nCipher nFast cards. Enter the path to the PKCS #11 driver, and the token label, the token password, and the symmetric cipher setting.
  5. Click OK.

Results

The queue manager is now configured to use the cryptographic hardware.

You can also work with certificates that are stored on PKCS #11 hardware using iKeyman.

For more information, see Security in the IBM online IBM WebSphere MQ product documentation.