Set up certificates and the keystore configuration file on IBM i

Your first task when setting up Advanced Message Security protection is to create a certificate, and associate that with the environment. The association is configured through a file held in the integrated filesystem (IFS).

Procedure

1. To create a self-signed certificate using the OpenSSL tooling shipped with IBM i, issue the following command from QShell:

   /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout
   $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365
   

   The command prompts for various distinguished name attributes for a new self-signed certificate, including:
   • Common Name (CN=)
   • Organization (O=)
   • Country (C=)

   This creates an unencrypted private key and a matching certificate, both in PEM (Privacy Enhanced Mail) format.

   For simplicity, just enter values for common name, organization, and country. These attributes and values are important when creating a policy.

   Additional prompts and attributes can be customized by specifying a custom openssl configuration file on the command line with the -config parameter. Refer to OpenSSL documentation for more details on the configuration file syntax.

   For example, the following command adds additional X.509 v3 certificate extensions:

   /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 
   -keyout $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365 -config myconfig.cnf
   

   where myconfig.cnf is an ASCII stream file that contains the following:

   [req]
   distinguished_name = req_distinguished_name
   x509_extensions = myextensions
   
   [req_distinguished_name]
   countryName = Country Name (2 letter code)
   countryName_default = GB
   stateOrProvinceName = State or Province Name (full name)
   stateOrProvinceName_default = Hants
   localityName = Locality Name (eg, city)
   localityName_default = Hursley
   organizationName = Organization Name (eg, company)
   organizationName_default = IBM United Kingdom
   organizationalUnitName = Organizational Unit Name (eg, department)
   organizationalUnitName_default = IBM MQ Development
   commonName = Common Name (eg, Your Name)
   
   [myextensions]
   keyUsage = digitalSignature,nonRepudiation,dataEncipherment,keyEncipherment
   extendedKeyUsage = emailProtection
   

2. AMS requires that both the certificate and private key are held in the same file. Issue the following command to achieve this:

   cat $HOME/mycert.pem >> $HOME/private.pem
   

   The private.pem file in $HOME now contains a matching private key and certificate, while the mycert.pem file contains all of the public certificates for which we can encrypt messages and validate signatures.

   The two files need to be associated with the environment by creating a keystore configuration file, keystore.conf, in your default location.

   By default, AMS looks for the keystore configuration in a .mqs subdirectory of our home directory.

3. In QShell create the keystore.conf file:

   mkdir -p $HOME/.mqs
   echo "pem.private = $HOME/private.pem" > $HOME/.mqs/keystore.conf
   echo "pem.public = $HOME/mycert.pem" >> $HOME/.mqs/keystore.conf
   echo "pem.password = unused" >> $HOME/.mqs/keystore.conf
   

• Create a policy on IBM i
  Before creating a policy, we need to create a queue to hold protected messages.
• Testing the policy on IBM i
  Use the sample applications provided with the product to test your security policies.

Parent topic: Administer Advanced Message Security security polices