Moving queue managers secured by using TLS

You must take additional steps when you move queue managers that are secured by using TLS.

About this task

When you move a secure queue manager to IBM® MQ Appliance, you must re-create the key repository on the appliance and regenerate the certificates and keys. The repository itself is created when you create the queue manager on the appliance, but you must regenerate the certificates and keys yourself. You then redistribute those certificates and keys to the queue managers and clients that need to communicate with each other.

The following procedure describes a scenario that requires certificate exchange using a self-signed certificate. If you are using certificates signed by a CA, you need additional steps to request a certificate and to import the signed certificate, together with any other certificates required to form the chain of trust.

Procedure

  1. Connect to the IBM MQ Appliance as described in Command line access.
  2. Log in as a user in the administrators group.
  3. Type the following command to open the IBM MQ command line interface shell:
    
    mqcli
    
  4. Type the following command to generate a self-signed certificate, and extract it:
    mqa(mqcli)# createcert -m qmname -label labelname -dn "CN=Issuer,OU=Certificate Authority,O=organization,C=country" -size size -expire expiry
    
    For example:
    mqa(mqcli)# createcert -m REGA -label ibmwebspheremqrega -dn "CN=Issuer,OU=Certificate Authority,O=IBM,C=GB" -size 1024 -expire 30
    
  5. Type exit to exit the IBM MQ command line interface shell, and type the following command to open the appliance configuration shell:
    
    config
    
  6. Copy the new certificate that you created in step 4 to any queue manager or client machines that need a TLS connection to the queue manager:
    mqa(config)# copy mqpubcert:///certificate_source scp://certificate_destination
    
    For example:
    mqa(config)# copy mqpubcert:///REGA_ibmwebspheremqrega scp://myuser@9.20.120.129//build/exported_certificates/ibmwebspheremqregb.p12
    
  7. If the queue manager is part of a distributed configuration, copy the certificates from the remote queue managers to the appliance. Enter the following command:
    mqa(config)# copy scp://certificate_source mqpubcert:///certificate_destination
    
    For example:
    mqa(config)# copy scp://myuser@9.20.120.129//build/exported_certificates/ibmwebspheremqregb.p12 mqpubcert:///ibmwebspheremqregb.p12
    
  8. Open the IBM MQ CLI shell again, and type the following command to add the certificates that you copied in the previous step to the repository:
    mqa(mqcli)# addcert -m qmname -label qmlabel -file remoteqm_certificate -format ascii
    
    For example:
    mqa(mqcli)# addcert -m REGA -label ibmwebspheremqregb -file ibmwebspheremqregb.p12 -format ascii
    
  9. On each of the systems that need to make a TLS connection with the queue manager on the IBM MQ Appliance, issue the commands to delete the original certificate from that system's key repository and add the new one copied from the appliance.
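For step 9 on a remote IBM MQ host, the following shell script is an added example and not part of the IBM documentation: it checks that the file copied from the appliance is a parseable certificate, prints its SHA-256 fingerprint so that it can be compared with the fingerprint of the file on the appliance before the certificate is trusted, and then replaces the old label in the remote key repository with runmqakm. It assumes that runmqakm (shipped with IBM MQ) and openssl are on the PATH, and the key repository path, label and certificate file name are placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code: replace the appliance queue manager's
# certificate in a remote IBM MQ key repository (step 9 of the procedure).
# Assumes runmqakm and openssl are on the PATH; paths and labels are placeholders.

set -eu

# Print the SHA-256 fingerprint of an ASCII (PEM) certificate file.
# Fails if the file is missing or is not a parseable X.509 certificate.
cert_fingerprint() {
    cert_file=$1
    [ -r "$cert_file" ] || { echo "no such certificate file: $cert_file" >&2; return 1; }
    openssl x509 -in "$cert_file" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Delete the old certificate under LABEL (if present) and add the new one.
# Usage: replace_qm_cert <key.kdb> <label> <cert.pem>
replace_qm_cert() {
    [ $# -eq 3 ] || { echo "usage: replace_qm_cert <key.kdb> <label> <cert.pem>" >&2; return 2; }
    kdb=$1; label=$2; cert_file=$3
    fp=$(cert_fingerprint "$cert_file") || return 1
    # Compare this value with the fingerprint of the file on the appliance
    # before trusting a self-signed certificate that arrived over the network.
    echo "Adding $label with SHA-256 fingerprint $fp"
    # -stashed reads the repository password from the .sth stash file next to the .kdb.
    if runmqakm -cert -list -db "$kdb" -stashed | grep -qF "$label"; then
        runmqakm -cert -delete -db "$kdb" -stashed -label "$label"
    fi
    runmqakm -cert -add -db "$kdb" -stashed -label "$label" -file "$cert_file" -format ascii
    # Show what was stored so the subject and validity can be checked.
    runmqakm -cert -details -db "$kdb" -stashed -label "$label"
}

# Example invocation with placeholder values for the page's scenario: the remote
# queue manager is REGB and the appliance queue manager's label is ibmwebspheremqrega.
# replace_qm_cert /var/mqm/qmgrs/REGB/ssl/key.kdb ibmwebspheremqrega \
#     /build/exported_certificates/ibmwebspheremqrega.pem
```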