Your first task when setting up IBM® MQ Advanced Message Security protection is to create a certificate, and associate that with your environment. The association is configured through a file held in the integrated filesystem (IFS).
Procedure
-
To create a self-signed certificate using the OpenSSL tooling shipped with IBM i, issue the following command from QShell:
/QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout
$HOME/private.pem -out $HOME/mycert.pem -nodes -days 365
The command prompts for various distinguished name attributes for a new self-signed certificate, including:
- Common Name (CN=)
- Organization (O=)
- Country (C=)
This creates an unencrypted private key and a matching certificate, both in PEM (Privacy Enhanced Mail) format.
For simplicity, just enter values for common name, organization, and country. These attributes and values are important when creating a policy.
-
IBM MQ AMS requires that both the certificate and private key are held in the same file. Issue the following command to achieve this:
cat $HOME/mycert.pem >> $HOME/private.pem
The private.pem file in $HOME now contains a matching private key and certificate, while the mycert.pem file contains all of the public certificates for which you can encrypt messages and validate signatures.
The two files need to be associated with your environment by creating a keystore configuration file ( keystore.conf) in your default location.
By default, IBM MQ AMS looks for the keystore configuration in a .mqs subdirectory of your home directory.
-
In QShell create the
keystore.conf file;
mkdir -p $HOME/.mqs
echo "pem.private = $HOME/private.pem" > $HOME/.mqs/keystore.conf
echo "pem.public = $HOME/mycert.pem" >> $HOME/.mqs/keystore.conf
echo "pem.password = unused" >> $HOME/.mqs/keystore.conf