Preparing the queue managers to use TLS

The IBM MQ queue manager's key repository stores the queue manager's personal certificate and the public Certificate Authority (CA) certificate. The queue manager's personal certificate request must be signed by a CA; the resulting public certificate is what other entities use to authenticate the IBM MQ queue manager.


Before starting

We must have the public Certificate Authority certificate in a file.


About this task

Create the IBM MQ queue manager's key repository, import the certificate authority's signer certificate and create the queue manager's personal certificate request.


Procedure

  1. Create a CMS key repository file for the queue manager called key.kdb. Navigate to the Qmgrs\QM1\ssl directory, and on the command line, type:
    runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -stash
    
    Note: For this simple example we have used a password of passw0rd. You may wish to choose a different password and change each of the following commands to use your own password instead.
  2. Add the CA certificate, which you have in a file, to the key repository. On the command line, type:
    runmqckm -cert -add -file CA-certificate-file -db key.kdb -pw passw0rd -label TrustedCA
    
  3. Request a personal certificate that will be written to a request file called QM1req.req. On the command line, enter:
    runmqckm -certreq -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 -dn CN="QM1" -size 1024 -file QM1req.req -sig_alg SHA1WithRSA
    
    The default certificate label name is shown in this example. You can set your own name if you prefer. For details, see Digital certificate labels.
  4. Send the certificate request file to your CA; they will issue a digitally signed certificate. Put the received, signed certificate file in a suitable location so that it can be received into the queue manager's key repository.
  5. Receive the signed personal certificate into the queue manager's key repository.
    runmqckm -cert -receive -file Signed-certificate-file -db key.kdb -pw passw0rd -format ascii
    
  6. Complete these steps for each queue manager, changing the queue manager name accordingly.
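The following script is an added example, not part of the IBM page, that wraps steps 1 to 3 and step 5 above so they can be repeated for every queue manager (step 6). It assumes, which the page does not state, a Linux installation with the MQ data directory in $MQ_DATA (default /var/mqm), the repository password in $KDB_PW, and runmqckm on PATH; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the IBM page. Assumptions (not stated on the page):
# MQ data directory in $MQ_DATA (default /var/mqm), repository password in
# $KDB_PW, runmqckm on PATH. DRY_RUN=1 prints the commands instead of running them.
set -eu

KEY_SIZE=${KEY_SIZE:-1024}          # values used on the page; a deployment may
SIG_ALG=${SIG_ALG:-SHA1WithRSA}     # choose stronger ones, e.g. 2048 / SHA256WithRSA

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ssl_dir() { printf '%s/qmgrs/%s/ssl' "${MQ_DATA:-/var/mqm}" "$1"; }

# Default label convention from the page: ibmwebspheremq + lower-case QM name.
qm_label() { printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"; }

# Steps 1-3: create key.kdb, trust the CA and write the request file <QM>req.req.
# The body runs in a subshell so the cd does not leak into the caller.
create_request() (           # create_request <QM> <CA-certificate-file>
    qm=$1 ca=$2
    [ "${DRY_RUN:-0}" = 1 ] || cd "$(ssl_dir "$qm")"
    run runmqckm -keydb -create -db key.kdb -pw "$KDB_PW" -type cms -stash
    run runmqckm -cert -add -file "$ca" -db key.kdb -pw "$KDB_PW" -label TrustedCA
    run runmqckm -certreq -create -db key.kdb -pw "$KDB_PW" \
        -label "$(qm_label "$qm")" -dn "CN=$qm" -size "$KEY_SIZE" \
        -file "${qm}req.req" -sig_alg "$SIG_ALG"
)

# Step 5, after the CA has returned the signed certificate (manual step 4).
receive_cert() (             # receive_cert <QM> <signed-certificate-file>
    qm=$1 signed=$2
    [ "${DRY_RUN:-0}" = 1 ] || cd "$(ssl_dir "$qm")"
    run runmqckm -cert -receive -file "$signed" -db key.kdb -pw "$KDB_PW" -format ascii
    # The -stash file (key.sth) opens the repository without the password, so
    # keep it and key.kdb readable by the MQ service user only (hardening
    # added here, not a step from the page).
    [ "${DRY_RUN:-0}" = 1 ] || chmod 600 key.kdb key.sth
)
```

Passing -pw on the command line exposes the password to other local users through the process list, so run the script from an account-restricted session and prefer the stash file for unattended use.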


What to do next

To enable secure communication over the sender and receiver channels, follow the instructions in Create the channels to use TLS.

Last updated: 2020-10-04