IBM MQ Personal and CA Certificates Explained And How To Identify Them.

Troubleshooting


Problem

In IBM MQ, how to identify a queue manager's personal certificate or Certificate Authority (CA) certificate, and what is the difference between them?

Diagnosing The Problem

What is a Digital Certificate?

A digital certificate is an electronic document that binds a public key to its owner and provides protection against impersonation, because a digital certificate acts as proof of the owner's identity, whether that owner is an individual, an MQ queue manager or another entity.

A digital certificate is like a driver's license or a passport that recognizes and proves a person's identity.
 
What is a Personal Certificate?
 
A Personal Certificate contains the Private Key of a queue manager or an individual entity.
 
It also contains the following:
  • Issuer
  • Subject
  • Version
  • Serial Number
  • Dates indicating the time for which the certificate is valid.
  • Private Key
  • Public Key
  • Signature Algorithm
  • Other properties such as AIA (AuthorityInfoAccess), key usage information, etc.
 
What is a Certificate Authority (CA) Public Certificate?
 
It is the certificate of a Certificate Authority, also known as a CA certificate or signer certificate, and it does NOT contain a private key.
 
A CA certificate can contain the following:
  • Issuer 
  • Subject
  • Version
  • Serial Number
  • Dates indicating the time for which the certificate is valid.
  • Signature Algorithm, etc.
 
Note: More than one CA certificate might be used to sign a personal certificate; this is known as a CA chain. The complete chain must be present in the queue manager's keystore to validate its personal certificate; if any certificate in the chain is missing, the connection will fail.
For additional reference see the following technotes:
 
IBM MQ Certificate Authority Chain Information
How to Perform Common IBM MQ Management Certificate Tasks

Resolving The Problem

How do I know if a Queue Manager's Keystore contains a personal certificate?
 
This can be done in two ways: from the command line with runmqakm or runmqckm, or through the iKeyman GUI interface.

Using runmqakm and runmqckm commands
 
From the command line, you can:
A) List all personal certificates that exist in the queue manager's keystore:
runmqakm -cert -list personal -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
runmqckm -cert -list personal -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
Example: the runmqakm command was run to display the personal certificates in the queue manager SSL1.
Notice that the personal certificate is marked with a dash (-):
[mqm@CAPRI1 ssl]$ runmqakm -cert -list personal -db /var/mqm/qmgrs/SSL1/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
-	ibmwebspheremqssl1
B) List all the certificates in the queue manager's keystore:
runmqakm -cert -list -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
runmqckm -cert -list -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
Example: using the same queue manager SSL1 and the runmqakm command, notice that this time the CA (trusted) certificates are also shown, marked with an exclamation mark (!):
[mqm@CAPRI1 ssl]$ runmqakm -cert -list -db /var/mqm/qmgrs/SSL1/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!	ibmwebspheremqperez
!	puebla
!	SSL2-cert
-	ibmwebspheremqssl1
Note about runmqckm:
  • runmqckm supports "JKS" type keystores, runmqakm does not.
  • runmqckm will NOT display the markers (- or !) that distinguish a personal certificate from a CA certificate.
Therefore, we suggest using runmqakm whenever possible.
See the following example:
[mqm@CAPRI1 ssl]$ runmqckm -cert -list -db /var/mqm/qmgrs/SSL1/ssl/key.kdb -stashed
Certificates in database /var/mqm/qmgrs/SSL1/ssl/key.kdb:
   ibmwebspheremqssl1
   ibmwebspheremqperez
   puebla
   SSL2-cert
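The listing above is the quickest way to tell the two certificate kinds apart, so the following shell script, added here as an illustration and not part of the IBM technote, parses the marker column of a captured runmqakm -cert -list listing into personal and trusted labels and checks that at least one personal certificate is present. The listing is a constructed sample copied in shape from the SSL1 example above; the "*-" marker for a default personal certificate is an assumption not shown in the technote's output.

```sh
#!/bin/sh
# Added example (not from the technote): classify the labels printed by
# "runmqakm -cert -list" by the marker in the first column.
# Constructed sample output, shaped like the technote's SSL1 example. In real use
# replace it with:  runmqakm -cert -list -db /var/mqm/qmgrs/SSL1/ssl/key.kdb -stashed
SAMPLE_LIST=$(printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n!\tibmwebspheremqperez\n!\tpuebla\n!\tSSL2-cert\n-\tibmwebspheremqssl1\n')

# list_labels personal|trusted : read list output on stdin, print matching labels.
# A dash marks a personal certificate (private key present), an exclamation mark
# a trusted/CA certificate. A default personal certificate is assumed to carry a
# leading asterisk as well ("*-"), which index() also matches; the technote's
# example contains no default certificate.
list_labels() {
    case "$1" in
        personal) marker='-' ;;
        trusted)  marker='!' ;;
        *) echo "usage: list_labels personal|trusted" >&2; return 2 ;;
    esac
    awk -v m="$marker" '
        /^\* default,/ { next }              # legend line, not a certificate
        NF >= 2 && index($1, m) > 0 { print $2 }'
}

# has_personal_cert : succeed (exit 0) if the listing on stdin holds at least one
# personal certificate, i.e. something the queue manager can present as its
# identity on a TLS channel; fail otherwise.
has_personal_cert() {
    [ "$(list_labels personal | wc -l | tr -d ' ')" -gt 0 ]
}

# Demo when run directly.
echo "personal:"; printf '%s\n' "$SAMPLE_LIST" | list_labels personal
echo "trusted:";  printf '%s\n' "$SAMPLE_LIST" | list_labels trusted
if printf '%s\n' "$SAMPLE_LIST" | has_personal_cert; then
    echo "personal certificate present"
else
    echo "no personal certificate found in this listing"
fi
```

To run it against a live keystore, pipe the real command into the functions, for example: runmqakm -cert -list -db /var/mqm/qmgrs/SSL1/ssl/key.kdb -stashed | has_personal_cert. Because runmqckm omits the markers, this parsing only works on runmqakm output.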
C) To see the complete certificate details, use one of the following:
runmqakm -cert -details -label certLabel -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
runmqckm -cert -details -label certLabel -db /var/mqm/qmgrs/<QmgrName>/ssl/key.kdb -pw <password>
For demonstration purposes, the following example only shows a partial output of the command:
[mqm@CAPRI1 ssl]$ runmqakm -cert -details -label ibmwebspheremqssl1 -db key.kdb -stashed
Label : ibmwebspheremqssl1
Key Size : 2048
Version : X509 V3
Serial : 5e42a65c
Issuer : CN=ssl1,O=IBM,C=US
Subject : CN=ssl1,O=IBM,C=US
Not Before : February 11, 2021 5:04:28 AM PST
Not After : February 10, 2022 5:04:28 AM PST

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    .........
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
    71 35 A6 28 E9 7E 46 88 D1 8A E0 CB 34 EA AD B9
    18 BF 4C A5
Fingerprint : MD5 :
    B1 9C E7 07 72 11 6B FC 95 2A EC 4D 88 8B 9F 43
Fingerprint : SHA256 :
    4A 66 29 5A 57 6D EC 12 D9 A4 CC 0F DF 7C F9 DF
    9D 60 B2 DE D8 05 96 48 20 DA F3 35 9C F2 89 63
Fingerprint : HPKP :
    SyaQhLGrQeNNwsNeRarnDW7A15tjlaJC436g5LdExGk=
Extensions
    AuthorityKeyIdentifier
      keyIdentifier: 08 F5 63 99 6B BF D1 49
      authorityIdentifier:
      authorityCertSerialNumber:
    SubjectKeyIdentifier
      keyIdentifier: 08 F5 63 99 6B BF D1 49
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    97 D9 3D 20 DE A7 7E 24 93 98 B2 0B DE 3B 9F 11
    DD B3 FE E3 39 DA 8F E4 CF 7E B2 80 85 EC B4 F9
    .........
Trust Status : Enabled
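The Issuer and Subject lines in the details output are what tie a personal certificate to its CA chain: when they are equal the certificate is self-signed (as in the ibmwebspheremqssl1 output above), otherwise the Issuer must match the Subject of a trusted certificate, and so on up to a self-signed root. The shell script below is an added example, not part of the IBM technote, that extracts those fields and walks the chain through a Subject|Issuer table of the keystore's trusted certificates. The self-signed sample is shortened from the output above; the CA-signed sample, the "puebla" intermediate and the "rootca" root are constructed. The walk compares Distinguished Names only and does not verify signatures, so it is a keystore-completeness check, not a replacement for TLS validation.

```sh
#!/bin/sh
# Added example (not from the technote): read "Name : value" fields from
# "runmqakm -cert -details" output, tell a self-signed certificate from a
# CA-signed one, and walk the issuer chain through the trusted certificates.

# Constructed samples. The first is shortened from the technote's
# ibmwebspheremqssl1 output (Issuer equals Subject: self-signed). The second
# is invented for a certificate signed by an intermediate CA "puebla".
SELF_SIGNED=$(printf 'Label : ibmwebspheremqssl1\nKey Size : 2048\nVersion : X509 V3\nSerial : 5e42a65c\nIssuer : CN=ssl1,O=IBM,C=US\nSubject : CN=ssl1,O=IBM,C=US\nNot Before : February 11, 2021 5:04:28 AM PST\nNot After : February 10, 2022 5:04:28 AM PST\nTrust Status : Enabled\n')
CA_SIGNED=$(printf 'Label : ibmwebspheremqssl1\nKey Size : 2048\nVersion : X509 V3\nSerial : 0a1b2c3d\nIssuer : CN=puebla,O=IBM,C=US\nSubject : CN=ssl1,O=IBM,C=US\nTrust Status : Enabled\n')

# Subject|Issuer pairs for the trusted (!) certificates in the keystore, as you
# would collect them by running -details for each label printed by -list.
# Constructed: an intermediate "puebla" issued by a self-signed root "rootca".
TRUSTED=$(printf 'CN=puebla,O=IBM,C=US|CN=rootca,O=IBM,C=US\nCN=rootca,O=IBM,C=US|CN=rootca,O=IBM,C=US\n')

# cert_field NAME : print the value of the first "NAME : value" line on stdin.
cert_field() {
    awk -v f="$1" -F' : ' '$1 == f { print $2; exit }'
}

# is_self_signed : succeed when Issuer and Subject of the details on stdin match.
is_self_signed() {
    d=$(cat)
    [ "$(printf '%s\n' "$d" | cert_field Issuer)" = "$(printf '%s\n' "$d" | cert_field Subject)" ]
}

# chain_complete ISSUER_DN TRUSTED_TABLE : follow Issuer -> Subject links through
# the trusted table until a self-signed root is reached. Prints "ok (root: DN)",
# or "missing DN" for the first link absent from the keystore, which is the
# situation the technote warns about (the connection fails).
chain_complete() {
    dn=$1; table=$2; depth=0
    while [ "$depth" -lt 10 ]; do
        line=$(printf '%s\n' "$table" | awk -F'|' -v s="$dn" '$1 == s { print; exit }')
        if [ -z "$line" ]; then
            echo "missing $dn"; return 1
        fi
        next=${line#*|}
        if [ "$next" = "$dn" ]; then
            echo "ok (root: $dn)"; return 0
        fi
        dn=$next; depth=$((depth + 1))
    done
    echo "chain too deep"; return 1
}

# Demo when run directly.
if printf '%s\n' "$SELF_SIGNED" | is_self_signed; then
    echo "sample 1 is self-signed: no CA chain needed"
fi
issuer=$(printf '%s\n' "$CA_SIGNED" | cert_field Issuer)
echo "sample 2 issued by $issuer"
chain_complete "$issuer" "$TRUSTED"
```

In practice you would build the TRUSTED table by running runmqakm -cert -details for each label marked with ! in the -list output and pasting the Subject and Issuer values; a "missing" result then names the CA certificate that has to be added to the queue manager's keystore.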

Using the IBM Key Management GUI (iKeyman)
 
A) Open iKeyman GUI interface
B) Select the queue manager's Keystore to open
C) From the drop down menu select 'Personal Certificates'
[Screenshot: iKeyman GUI with 'Personal Certificates' selected]
D) A list of personal certificates will be displayed.
 
To see the certificate details:
 
A) Click on the certificate you would like to see. In the example below, a personal certificate was selected.
B) Click on View/Edit
[Screenshot: iKeyman with a personal certificate selected]
A new window will pop up with the certificate details:
[Screenshot: personal certificate details window]


Document Information

Modified date:
26 October 2023

UID

ibm16445805