Hi Dears .. First of all I would like to thank my colleagues in SV who actually prompted me to write this blog, because one of their queries made me think of writing it down here so that it might be useful for others as well .. As the name of the blog says, 'For Posterity'
So let's look at the steps to configure SSL between WebSphere MQ channels. I have used MQ 7.5 here, which is the latest. Anyone with MQ version 7.1 can use the commands below as they are. For previous versions there would be slight changes ..
I have 2 queue managers, QM1 and QM2, trying to establish communication over SSL. I assume that the queue managers are already created.
1. Create Queue Manager Key Repository
The first step is the creation of each queue manager's key repository, using the commands below
runmqckm -keydb -create -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password> -type cms -expire 365 -stash
runmqckm -keydb -create -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password> -type cms -expire 365 -stash
2. Create CA key repository
As we are acting as the CA in this example, we have to create a CA key repository as well. In a real-world scenario this step would be handled by a different team
runmqckm -keydb -create -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password> -type cms -expire 365 -stash
3. Create and distribute the CA certificate
runmqckm -cert -create -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password> -label wmqca -dn "CN=WMQ CA, OU=WMQ, O=HP, L=Dubai, ST=DXB, C=UAE" -expire 365
4. Check that the CA certificate is listed in the CA key repository
Use the command below to make sure that the CA certificate is listed in the CA key repository. If the previous step was successful, the label of the CA certificate (wmqca) will appear in the output of the command
runmqckm -cert -list -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password>
5. Extract the public CA certificate
Extract the CA certificate so that it can be passed to QM1 and QM2
runmqckm -cert -extract -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password> -label wmqca -target "C:\TestZone\CA_KeyDB\wmqca.crt" -format ascii
6. Add the public CA certificate to QM1 and QM2 key repository
runmqckm -cert -add -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password> -label wmqca -file "C:\TestZone\CA_KeyDB\wmqca.crt" -format ascii
runmqckm -cert -add -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password> -label wmqca -file "C:\TestZone\CA_KeyDB\wmqca.crt" -format ascii
7. Check whether public CA certificate is listed in QM1 and QM2 key repository
runmqckm -cert -list -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password>
runmqckm -cert -list -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password>
8. Create QM1 and QM2's certificate request
Now that we have imported the CA's public certificate into QM1's and QM2's repositories, the next step is to generate a certificate request for each of QM1 and QM2 and get it signed by the CA.
runmqckm -certreq -create -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password> -label ibmwebspheremqqm1 -dn "CN=QM1, OU=WMQ, O=HP, L=Dubai, ST=DXB, C=UAE" -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1req.arm"
runmqckm -certreq -create -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password> -label ibmwebspheremqqm2 -dn "CN=QM2, OU=WMQ, O=HP, L=Dubai, ST=DXB, C=UAE" -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2req.arm"
9. Sign QM1 and QM2's certificate using CA certificate
runmqckm -cert -sign -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1req.arm" -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password> -label wmqca -target "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1cert.arm" -format ascii -expire 365
runmqckm -cert -sign -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2req.arm" -db "C:\TestZone\CA_KeyDB\wmqca.kdb" -pw <CA password> -label wmqca -target "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2cert.arm" -format ascii -expire 365
10. Add the signed certificates to QM1 and QM2's key repository
runmqckm -cert -receive -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password> -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1cert.arm" -format ascii
runmqckm -cert -receive -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password> -file "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2cert.arm" -format ascii
11. Check whether the certificate is listed in QM1 and QM2's key repository
runmqckm -cert -list -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1.kdb" -pw <QM1 password>
runmqckm -cert -list -db "C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2.kdb" -pw <QM2 password>
12. Set SSLKEYR property of QM1 and QM2
ALTER QMGR SSLKEYR('C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1')
ALTER QMGR SSLKEYR('C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2')
13. Define Channel pair on QM1 and QM2
ON QM1:
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) CONNAME('localhost(1415)') XMITQ(QM2) SSLCIPH(TRIPLE_DES_SHA_US)
DEFINE CHANNEL(QM2.TO.QM1) CHLTYPE(RCVR) SSLCIPH(TRIPLE_DES_SHA_US)
ON QM2:
DEFINE CHANNEL(QM2.TO.QM1) CHLTYPE(SDR) CONNAME('localhost(1414)') XMITQ(QM1) SSLCIPH(TRIPLE_DES_SHA_US)
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) SSLCIPH(TRIPLE_DES_SHA_US)
14. Start Channels and be secured !!
Now start your message channels and start sending messages securely .. To verify your channel configuration, use
DIS CHL(<Channel name>) SSLCIPH
If SSLCIPH is set to a non-blank value, SSL is enabled on that channel. Then, with the channel running, use
DIS CHS(<Channel name>) SSLPEER
Both ends of the channel should show their peer's DN, i.e. the DN from the certificate the other queue manager presented.
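The two DISPLAY commands above are easy to eyeball for one channel pair, but once there are dozens of channels it helps to script the check. The script below is an added example, not code from the original post: it parses saved runmqsc output for DIS CHL ... SSLCIPH and DIS CHS ... SSLPEER and reports, per channel, whether SSLCIPH is blank, whether the CipherSpec is in an optional allowed list, and whether SSLPEER carries the DN we expect from the other end. The sample outputs, the SERIALNUMBER value and the 127.0.0.1 address are constructed to resemble what MQ 7.x prints; the message numbers, column spacing and DN formatting may differ on your queue manager, so compare against real output before relying on it.

```python
"""Audit the SSL state of WebSphere MQ channels from saved runmqsc output.

Added example (not from the original post). Paste in what runmqsc prints for
    DIS CHL(<channel>) SSLCIPH
    DIS CHS(<channel>) SSLPEER
and audit_channels() reports the checks the post's final step describes.
"""
import re

# Constructed sample: both DISPLAY commands run on QM1 for the sender channel.
# SSLPEER holds the DN from the certificate QM2 presented (MQ prefixes it with
# the certificate serial number, which the check below ignores).
SAMPLE_QM1 = """\
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   CONNAME(127.0.0.1(1415))                CURRENT
   RQMNAME(QM2)                            SSLPEER(SERIALNUMBER=01:23:45,CN=QM2,OU=WMQ,O=HP,L=Dubai,ST=DXB,C=UAE)
   STATUS(RUNNING)                         XMITQ(QM2)
"""

# Constructed sample of the failure mode: channel defined without SSLCIPH, so
# the status record shows no SSLPEER because no SSL handshake took place.
SAMPLE_UNSECURED = """\
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH( )
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   CONNAME(127.0.0.1(1415))                CURRENT
   RQMNAME(QM2)                            SSLPEER( )
   STATUS(RUNNING)                         XMITQ(QM2)
"""

ATTR_NAME = re.compile(r"\s*([A-Z][A-Z0-9_]*)")
RECORD_HEADER = re.compile(r"AMQ\d{4}[A-Z]?:")


def parse_record_line(line, attrs):
    """Add every NAME(VALUE) pair on one runmqsc line to attrs.

    Values can contain parentheses, e.g. CONNAME(127.0.0.1(1415)), so the
    closing bracket is located by depth counting. Bare keywords such as
    CURRENT are stored with an empty value.
    """
    i, n = 0, len(line)
    while i < n:
        m = ATTR_NAME.match(line, i)
        if not m:
            break
        name, i = m.group(1), m.end()
        if i < n and line[i] == "(":
            depth, j = 0, i
            while j < n:
                if line[j] == "(":
                    depth += 1
                elif line[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            attrs[name] = line[i + 1:j]
            i = j + 1
        else:
            attrs[name] = ""


def parse_display_output(text):
    """Split runmqsc output into records, one per AMQnnnn header line.

    Each record is a dict; '_kind' is 'CHS' for channel status, 'CHL' for
    a channel definition.
    """
    records, current = [], None
    for line in text.splitlines():
        if RECORD_HEADER.match(line):
            current = {"_kind": "CHS" if "Status" in line else "CHL"}
            records.append(current)
        elif current is not None and line.strip():
            parse_record_line(line, current)
    return records


def parse_dn(dn):
    """'CN=QM2,OU=WMQ,...' -> {'CN': 'QM2', 'OU': 'WMQ', ...}.

    Simplification: escaped commas inside a value are not handled; the DNs in
    this post contain none.
    """
    parts = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}


def audit_channels(text, expected_peers, allowed_ciphers=None):
    """Return {channel: [findings]}; an empty list means the channel passed.

    expected_peers maps channel name -> DN the remote end must present.
    allowed_ciphers, if given, is the set of CipherSpecs your policy permits.
    """
    records = parse_display_output(text)
    report = {}
    for channel, expected_dn in expected_peers.items():
        findings = []
        defs = [r for r in records if r["_kind"] == "CHL" and r.get("CHANNEL") == channel]
        stats = [r for r in records if r["_kind"] == "CHS" and r.get("CHANNEL") == channel]
        if not defs:
            report[channel] = [f"{channel}: no channel definition in output"]
            continue
        ciph = defs[0].get("SSLCIPH", "").strip()
        if not ciph:
            findings.append(f"{channel}: SSLCIPH is blank, SSL is not enabled")
        elif allowed_ciphers is not None and ciph not in allowed_ciphers:
            findings.append(f"{channel}: SSLCIPH {ciph} is not in the allowed list")
        if not stats:
            findings.append(f"{channel}: no status record, channel is not running")
        expected = parse_dn(expected_dn)
        for st in stats:
            actual = parse_dn(st.get("SSLPEER", ""))
            # Every expected DN attribute must match; extra attributes such as
            # SERIALNUMBER in the live output are allowed.
            if any(actual.get(k) != v for k, v in expected.items()):
                findings.append(f"{channel}: SSLPEER '{st.get('SSLPEER', '').strip()}' "
                                f"does not match expected '{expected_dn}'")
        report[channel] = findings
    return report


if __name__ == "__main__":
    want = {"QM1.TO.QM2": "CN=QM2,OU=WMQ,O=HP,L=Dubai,ST=DXB,C=UAE"}
    for label, sample in (("secured", SAMPLE_QM1), ("unsecured", SAMPLE_UNSECURED)):
        for channel, findings in audit_channels(sample, want).items():
            print(label, channel, "OK" if not findings else findings)
```

Run it on each queue manager's output with the DN of the other side: on QM1 the expected peer for both QM1.TO.QM2 and QM2.TO.QM1 is QM2's DN, and on QM2 it is QM1's. Passing allowed_ciphers lets the same run flag any channel whose CipherSpec is outside what your policy permits.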
Hope this helps .. Please let me know if you have any queries on the above steps .. I will try my best to help you ..