Using CA-signed certificates for mutual authentication of two queue managers

Follow these sample instructions to implement mutual authentication between two queue managers, using CA-signed TLS certificates.

About this task

Scenario:

You have two queue managers called QM1 and QM2, which need to communicate securely. You require mutual authentication to be carried out between QM1 and QM2.
In the future you are planning to use this network in a production environment, and therefore you have decided to use CA-signed certificates from the beginning.

The resulting configuration looks like this:

Queue managers QM1 and QM2 are linked by the channel TO.QM2. Each queue manager has a key repository, described in the following text. — Figure 1. Configuration resulting from this task

In Figure 1, the key repository for QM1 contains QM1's certificate and the CA certificate. The key repository for QM2 contains QM2's certificate and the CA certificate.

In this example both QM1's certificate and QM2's certificate were issued by the same CA. If QM1's certificate and QM2's certificate were issued by different CAs then the key repositories for QM1 and QM2 must contain both CA certificates.

Procedure

Prepare the key repository on each queue manager, according to the operating system, or systems, your enterprise uses:
Request a CA-signed certificate for each queue manager.
You might use different CAs for the two queue managers.
Add the Certificate Authority certificate to the key repository for each queue manager:
If the Queue managers are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories.
- Do not perform this step on IBM i systems.
- On UNIX, Linux, and Windows systems.
- On z/OS systems.
Receive the CA-signed certificate to the key repository for each queue manager:
On QM1, define a sender channel and associated transmission queue by issuing commands like the following example:
```
DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) 
CONNAME(QM2.MACH.COM) XMITQ(QM2) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) 
DESCR('Sender channel using TLS from QM1 to QM2')

DEFINE QLOCAL(QM2) USAGE(XMITQ)
```
This example uses CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256. The CipherSpecs at each end of the channel must be the same.
On QM2, define a receiver channel by issuing a command like the following example:
```
DEFINE CHANNEL(TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) 
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) 
DESCR('Receiver channel using TLS to QM2')
```
The channel must have the same name as the sender channel you defined in Step 5, and use the same CipherSpec.
Start the channel:

Results

Key repositories and channels are created as illustrated in Figure 1.

What to do next

Check that the task has been completed successfully by using DISPLAY commands. If the task was successful, the resulting output is like that shown in the following examples.

From queue manager QM1, enter the following command:


DISPLAY CHS(TO.QM2) SSLPEER SSLCERTI

The resulting output is like the following example:


DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
     4 : DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(192.0.0.2)                      CURRENT
   RQMNAME(QM2)
   SSLCERTI("CN=<Division> CA,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QM2,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QM2)

From the queue manager QM2, enter the following command:


DISPLAY CHS(TO.QM2) SSLPEER SSLCERTI

The resulting output is like the following example:


DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
     5 : DISPLAY CHSTATUS(TO.QM2) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(RCVR)
   CONNAME(192.0.0.1)                      CURRENT
   RQMNAME(QM1)
   SSLCERTI("CN=<Division> CA,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
   SSLPEER("SERIALNUMBER=4C:D0:49:D5:02:5F:38,CN=QM1,OU=<Department>,O=<Organization>,ST=<State>,C=<Country>")
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
   XMITQ( )

In each case, the value of SSLPEER must match that of the Distinguished Name (DN) in the partner certificate that was created in Step 2. The issuer name matches the subject DN of the CA certificate that signed the personal certificate added in Step 4.