Configuring SSL on queue managers
About this task
Use the IBM® Key Management (iKeyman) GUI to manage the SSL certificates. For more information, see Starting the IBM Key Management GUI.
Creating the queue manager key repository
The key repository is where certificates used by the queue manager are stored. On Windows, Linux®, and UNIX platforms, the key repository is known as the key database file.
The location of the key repository of a queue manager is specified in the queue manager's Key Repository attribute. Before you can store the queue manager certificates in the key repository, you must ensure that a key database file exists in this location. If you need to create the key database file, use the iKeyman GUI. For more information, see Security in the IBM online IBM WebSphere® MQ product documentation.
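The following shell function is an added example, not IBM's code, showing the command-line equivalent of setting the Key Repository attribute: it checks that the key database file (and its stash file) exists at the location before emitting the MQSC ALTER QMGR command. The path and file names are constructed; the value of SSLKEYR is the path of the .kdb file without its extension.

```shell
#!/bin/sh
# Added example (not IBM's code). Builds the MQSC command that points a queue
# manager at its key repository, after checking the files are really there.
# Paths below are constructed placeholders.

# MQ takes the SSLKEYR value as the key database stem: the full path of the
# .kdb file without the .kdb extension. Reject a stem that already carries the
# suffix, require the .kdb and the .sth stash file (the queue manager opens the
# key database with the stash file, not an interactive password), then emit the
# ALTER QMGR command. Pipe the output into "runmqsc <qmgr>" to apply it.
mqsc_set_key_repository() {
  stem="$1"
  case "$stem" in
    *.kdb) echo "SSLKEYR takes the path without the .kdb suffix: $stem" >&2; return 1 ;;
    '')    echo "a key repository path is required" >&2; return 1 ;;
  esac
  [ -f "$stem.kdb" ] || { echo "key database not found: $stem.kdb" >&2; return 1; }
  [ -f "$stem.sth" ] || { echo "stash file not found: $stem.sth" >&2; return 1; }
  echo "ALTER QMGR SSLKEYR('$stem')"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/key.kdb"
: > "$demo_dir/key.sth"
mqsc_set_key_repository "$demo_dir/key"        # prints the ALTER QMGR command
mqsc_set_key_repository "$demo_dir/key.kdb" || echo "rejected, as expected"
rm -rf "$demo_dir"
```

The same function serves the "Changing the queue manager key repository" task: run it once per queue manager with the shared stem, and make sure the user the queue managers run under can read both files.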
Changing the queue manager key repository
About this task
In certain circumstances you might want to change the key repository; for example, to use a single location that is shared by all queue managers on one operating system.
To change a queue manager key repository location:
Procedure
Authenticating certificates using Certificate Revocation Lists
About this task
Certification Authorities (CAs) can revoke certificates that are no longer trusted by publishing them in a Certificate Revocation List (CRL). When a certificate is received by a queue manager or a WebSphere MQ MQI client, it can be checked against the CRL to ensure that it has not been revoked. CRL checking is not required for SSL-enabled messaging, but it is recommended to ensure the trustworthiness of user certificates.
For more information about how to set up a CRL in this way, see Security in the IBM online IBM WebSphere MQ product documentation.
To set up a connection to an LDAP CRL server:
Procedure
- In WebSphere MQ Explorer, expand the queue manager.
- Create an authentication information object of type CRL LDAP. For more information, see Creating and configuring queue managers and objects.
- Repeat Step 2 to create as many CRL LDAP authentication information objects as you need.
- Create a namelist and add the names of the authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see Creating and configuring queue managers and objects.
- Right-click the queue manager, then click Properties.
- On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
- Click OK.
Results
The certificates that the queue manager receives can now be authenticated against the CRL held on the LDAP server.
You can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible.
Authenticating certificates using OCSP authentication
About this task
To set up a connection to an OCSP server:
Procedure
- In WebSphere MQ Explorer, expand the queue manager.
- Create an authentication information object of type OCSP. For more information, see Creating and configuring queue managers and objects.
- Repeat Step 2 to create as many OCSP authentication information objects as you need.
- Create a namelist and add the names of the OCSP authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see Creating and configuring queue managers and objects.
- Right-click the queue manager, then click Properties.
- On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
- Click OK.
Results
The certificates that the queue manager receives are authenticated against the OCSP responder.
The queue manager writes OCSP information to the CCDT.
Only one OCSP object can be added to the namelist because the SSL socket library can only use one OCSP responder URL at a time.
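The following shell functions are an added example, not IBM's code, covering both the CRL LDAP procedure and the OCSP procedure above in MQSC form: one AUTHINFO object per revocation source, a namelist holding them, and the ALTER QMGR that sets the revocation namelist (the SSLCRLNL attribute, which is what the Revocation namelist field on the SSL page sets). The functions enforce the two limits stated above, at most 10 CRL LDAP connections and exactly one OCSP responder. Queue manager, object, host and URL names are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): MQSC equivalent of the MQ Explorer steps for
# CRL LDAP and OCSP revocation checking. Names and hosts are constructed.

# Emit one AUTHINFO of type CRLLDAP per LDAP connection name ("host(port)"),
# a namelist that lists them, and the ALTER QMGR that sets the revocation
# namelist. At most 10 LDAP connections are allowed in the namelist.
mqsc_crl_ldap_config() {
  namelist="$1"; shift
  [ "$#" -ge 1 ] || { echo "at least one LDAP connection name is required" >&2; return 1; }
  [ "$#" -le 10 ] || { echo "a revocation namelist may hold at most 10 CRL LDAP connections" >&2; return 1; }
  names=""; i=1
  for conname in "$@"; do
    obj="CRL.LDAP.$i"
    echo "DEFINE AUTHINFO($obj) AUTHTYPE(CRLLDAP) CONNAME('$conname') REPLACE"
    names="${names:+$names,}$obj"
    i=$((i + 1))
  done
  echo "DEFINE NAMELIST($namelist) NAMES($names) REPLACE"
  echo "ALTER QMGR SSLCRLNL($namelist)"
}

# Same shape for OCSP, but exactly one responder: the SSL socket library uses
# one OCSP responder URL at a time, so a second URL is rejected, not ignored.
mqsc_ocsp_config() {
  namelist="$1"; shift
  [ "$#" -eq 1 ] || { echo "exactly one OCSP responder URL is allowed in the namelist" >&2; return 1; }
  echo "DEFINE AUTHINFO(OCSP.RESPONDER) AUTHTYPE(OCSP) OCSPURL('$1') REPLACE"
  echo "DEFINE NAMELIST($namelist) NAMES(OCSP.RESPONDER) REPLACE"
  echo "ALTER QMGR SSLCRLNL($namelist)"
}

# Feed generated MQSC to runmqsc when it is installed; otherwise just show it.
# usage: mqsc_crl_ldap_config SSL.CRL.NL 'ldap1(389)' 'ldap2(389)' | apply_mqsc QM1
apply_mqsc() {
  if command -v runmqsc >/dev/null 2>&1; then runmqsc "$1"; else cat; fi
}

# Demonstration: two LDAP servers for continuity of service, then one OCSP responder.
mqsc_crl_ldap_config SSL.CRL.NL 'ldap1.example.com(389)' 'ldap2.example.com(389)'
mqsc_ocsp_config SSL.OCSP.NL 'http://ocsp.example.com'
```

If the LDAP server requires a bind, the CRL LDAP object also takes a user name and password (the LDAPUSER and LDAPPWD attributes), which the Explorer dialog asks for on the same object; they are left out here so the generated commands hold no credentials.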
Configuring cryptographic hardware
About this task
WebSphere MQ can support cryptographic hardware, and the queue manager must be configured accordingly. For further information about cryptographic hardware, see WebSphere MQ Security in the online IBM WebSphere MQ product documentation.
To configure the queue manager for cryptographic hardware:
Procedure
- Start WebSphere MQ Explorer.
- In the Navigator view, right-click the queue manager, then click Properties. The Properties dialog opens.
- On the SSL page, click Configure. The Cryptographic Hardware Settings dialog opens.
- In the Cryptographic Hardware Settings dialog, enter the path to the PKCS #11 driver, the token label, the token password, and the symmetric cipher setting. All supported cryptographic cards now use PKCS #11, so ignore any references to the Rainbow Cryptoswift or nCipher nFast cards.
- Click OK.
Results
The queue manager is now configured to use the cryptographic hardware.
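The following shell function is an added example, not IBM's code, assembling the four dialog fields above into the queue manager's SSLCRYP attribute, which is the attribute the Cryptographic Hardware Settings dialog sets. The GSK_PKCS11 form of the value (driver path, token label, token password and symmetric cipher setting separated by semicolons) is the one documented for the MQSC ALTER QMGR command; confirm it against the reference for your version. The driver path and token label are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code). Builds the ALTER QMGR SSLCRYP command from the
# PKCS #11 settings. Driver path and token label are constructed placeholders;
# the token password should come from the environment, not from the script.

# Validate the fields before they are joined: the cipher setting is one of two
# literals, no field may contain the ';' separator, and the MQSC string literal
# cannot contain a bare single quote. A missing driver file is only a warning
# because the command may be generated on a different host from the one that
# runs the queue manager.
mqsc_set_pkcs11() {
  driver="$1"; label="$2"; password="$3"; cipher="$4"
  case "$cipher" in
    SYMMETRIC_CIPHER_ON|SYMMETRIC_CIPHER_OFF) ;;
    *) echo "symmetric cipher setting must be SYMMETRIC_CIPHER_ON or SYMMETRIC_CIPHER_OFF" >&2; return 1 ;;
  esac
  for field in "$driver" "$label" "$password"; do
    case "$field" in
      '')     echo "driver path, token label and token password are all required" >&2; return 1 ;;
      *';'*)  echo "fields are ';'-separated, so a field cannot contain ';'" >&2; return 1 ;;
      *"'"*)  echo "a field cannot contain a single quote" >&2; return 1 ;;
    esac
  done
  [ -f "$driver" ] || echo "warning: PKCS #11 driver not found at $driver on this host" >&2
  echo "ALTER QMGR SSLCRYP('GSK_PKCS11=$driver;$label;$password;$cipher')"
}

# Demonstration with a constructed driver path and token label; the password
# comes from PKCS11_TOKEN_PW if set. Pipe the output into "runmqsc <qmgr>".
mqsc_set_pkcs11 /usr/lib/pkcs11/PKCS11_API.so MQTOKEN "${PKCS11_TOKEN_PW:-example-password}" SYMMETRIC_CIPHER_OFF
```

Because the generated command carries the token password, do not save its output to a file or a shell history; pass it straight to runmqsc.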
You can also work with certificates that are stored on PKCS #11 hardware using iKeyman.
For more information, see Security in the IBM online IBM WebSphere MQ product documentation.