You must take additional steps when you move queue managers that are secured by using TLS.
About this task
When you move a secure queue manager to IBM® MQ Appliance, you must re-create the repository on the appliance and regenerate certificates and keys. The repository is created when you create the queue manager on the appliance, but you must take steps to regenerate the certificates and keys yourself. You then redistribute those certificates and keys to the queue managers and clients that need to communicate with each other.
The following procedure describes a scenario that requires certificate exchange using a self-signed certificate. If you are using certificates signed by a CA, you require extra steps to request a certificate and to import the signed certificate and any other certificates required to form the chain of trust.
Procedure
- Connect to the IBM MQ Appliance as described in Command line access.
- Log in as a user in the administrators group.
- Type the following command to open the IBM MQ command line interface shell:
- Type the following command to generate a self-signed certificate, and extract it:
  mqa(mqcli)# createcert -m qmname -label labelname -dn "CN=Issuer,OU=Certificate Authority,O=organization,C=country" -size size -expire expiry
  For example:
  mqa(mqcli)# createcert -m REGA -label ibmwebspheremqrega -dn "CN=Issuer,OU=Certificate Authority,O=IBM,C=GB" -size 1024 -expire 30
- Type exit to exit the IBM MQ command line interface shell, and type the following command to open the appliance configuration shell:
- Copy the new certificate that you created in step 4 to any queue manager or client machines that need a TLS connection to the queue manager:
  mqa(config)# copy mqpubcert:///certificate_source scp://certificate_destination
  For example:
  mqa(config)# copy mqpubcert:///REGA_ibmwebspheremqrega scp://myuser@9.20.120.129//build/exported_certficates/ibmwebspheremqregb.p12
- If the queue manager is part of a distributed configuration, copy certificates from remote queue managers to the appliance. Enter the following command:
  mqa(config)# copy scp://certificate_source mqpubcert:///certificate_destination
  For example:
  mqa(config)# copy scp://myuser@9.20.120.129//build/exported_certficates/ibmwebspheremqregb.p12 mqpubcert:///ibmwebspheremqregb.p12
- Open the IBM MQ CLI shell again, and type the following command to add the certificates that you copied in the previous step to the repository:
  mqa(mqcli)# addcert -m qmname -label qmlabel -file remoteqm_certificate -format ascii
  For example:
  mqa(mqcli)# addcert -m REGA -label ibmwebspheremqregb -file ibmwebspheremqregb.p12 -format ascii
- On each of the systems that need to make a TLS connection with the queue manager on the IBM MQ Appliance, issue the commands to delete the original certificate and add the new one copied from the appliance.
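
A self-signed certificate has no CA vouching for it, so each remote system should check the copied file before adding it in the last step. The following is an added example, not part of the IBM procedure or IBM code: it compares the certificate's SHA-256 fingerprint with a value obtained out of band and enforces a minimum key size and remaining lifetime (the 1024-bit, 30-day example above would fail a 2048-bit policy). It assumes the extracted certificate is PEM (ASCII) encoded and that `openssl` is installed; the function names and thresholds are hypothetical.

```sh
#!/bin/sh
# Added example (not IBM's code). Assumes the certificate copied from the
# appliance is PEM (ASCII) encoded and that openssl is installed locally.

# Constructed sample input: a self-signed certificate using the DN from the
# createcert example. make_sample_cert OUTFILE BITS DAYS
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days "$3" -keyout "$1.key" \
        -subj "/C=GB/O=IBM/OU=Certificate Authority/CN=Issuer" \
        -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Print the SHA-256 fingerprint as bare upper-case hex (no colons).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':'
}

# Print the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_cert FILE EXPECTED_FP MIN_BITS MIN_DAYS
# Returns 0 if the certificate is acceptable, otherwise:
#   1 = fingerprint differs from the out-of-band value
#   2 = key smaller than MIN_BITS
#   3 = certificate expires within MIN_DAYS
check_cert() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    min_bits=$3
    min_days=$4
    [ "$(cert_fingerprint "$file")" = "$expected" ] ||
        { echo "fingerprint mismatch: $file" >&2; return 1; }
    [ "$(cert_key_bits "$file")" -ge "$min_bits" ] ||
        { echo "key smaller than $min_bits bits: $file" >&2; return 2; }
    openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "expires within $min_days days: $file" >&2; return 3; }
    return 0
}

# Usage (file name is a placeholder):
#   check_cert copied_cert.pem "<fingerprint from the appliance admin>" 2048 30
```

Run `check_cert` on the receiving system and add the certificate to the local key repository only when it returns 0.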