Testing SSL communications
When you are testing SSL communications on the system, you might want to use certificates that you create on your own system.
On UNIX systems, Windows systems, and z/OS, you can create self-signed certificates for testing.
On OS/400, you cannot create self-signed certificates. Use personal certificates signed by a local CA to test SSL on OS/400. When testing on OS/400, ensure that the other end of the test connection has a copy of the local CA's certificate.
Refer to the WebSphere MQ Intercommunication book to obtain the procedure for checking that channel communication works.
Testing with self-signed certificates
This section tells you how to use self-signed certificates to test SSL authentication between two queue managers. For illustration purposes, the names PARIS and LONDON are used. For a certificate to be authenticated when it is received on another system, the receiving system must have a copy of the CA certificate for the CA that issued the certificate. That certificate can be a self-signed certificate. Note that you can adapt the procedure described in this section for testing SSL communication between a WebSphere MQ client and a queue manager.
When you test with self-signed certificates, you authenticate with a copy of the certificate itself that you add to the key repository:
- On OS/400, import the certificate, as described in Importing a certificate into a key repository.
- On UNIX systems, add the certificate as a signer certificate, as described in Adding a CA certificate into a key repository.
- On Windows systems, add the certificate to the queue manager store, as described in Ensuring CA certificates are available to a queue manager.
- On z/OS, connect the certificate to the key ring. For more information, refer to the z/OS Security Server RACF Command Language Reference, SA22-7687.
This section describes:
These procedures might require you to transfer a certificate from one system to the other, for example by ftp.
Transferring certificates by ftp
When you transfer certificates by ftp, ensure that you do so in the correct format.
Transfer the following certificate types in binary format:
and transfer the following certificate types in ASCII format:
Copying the certificate for PARIS to LONDON
Perform the following steps on the system on which PARIS is running:
- Create a self-signed certificate for PARIS.
- Extract a copy of the PARIS certificate.
- If queue manager LONDON is running on a different system, transfer the PARIS certificate to the LONDON system, for example by ftp.
Add the PARIS certificate to the key repository for LONDON:
- On OS/400, import the certificate to the certificate store.
- On UNIX systems, add the certificate as a signer certificate.
- On Windows systems, add the certificate to the queue manager store.
- On z/OS, connect the certificate to the key ring.
Copying the certificate for LONDON to PARIS
Perform the following steps on the system on which LONDON is running:
- Create a self-signed certificate for LONDON.
- Extract a copy of the LONDON certificate.
- If queue manager PARIS is running on a different system, transfer the LONDON certificate to the PARIS system, for example by ftp.
Add the LONDON certificate to the key repository for PARIS:
- On OS/400, import the certificate to the certificate store.
- On UNIX systems, add the certificate as a signer certificate.
- On Windows systems, add the certificate to the queue manager store.
- On z/OS, connect the certificate to the key ring.
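The two copying procedures above (PARIS to LONDON, LONDON to PARIS), reproduced as an added example that is not part of the WebSphere MQ documentation: it uses OpenSSL instead of the MQ key-management tooling to show why a self-signed certificate added as a signer is enough for the receiving side to validate it, and it checks only the trust decision, not a live channel. The queue manager names come from the page; the file names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example, not from the WebSphere MQ documentation: OpenSSL is used in
# place of the MQ key-management tooling to show the trust model behind the
# PARIS/LONDON self-signed test. Queue manager names are the page's; file
# names, key size and validity period are assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Step 1: create a self-signed certificate (private key + certificate).
make_self_signed() {    # $1 = queue manager name, e.g. PARIS
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Step 2: extract a copy of the certificate only (never the private key).
# DER is binary and must be transferred by ftp in binary mode; PEM (.arm)
# is base64 text and is transferred in ASCII mode.
extract_cert() {        # $1 = queue manager name
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
  openssl x509 -in "$WORK/$1.pem" -outform PEM -out "$WORK/$1.arm"
}

# Step 3: the receiving side adds the peer's certificate as a signer. A
# self-signed certificate is its own issuer, so the extracted copy itself
# is the "CA certificate" that the receiving system must hold.
add_signer() {          # $1 = receiving QM, $2 = peer QM being trusted
  openssl x509 -in "$WORK/$2.der" -inform DER -outform PEM >>"$WORK/$1.trust"
}

# Check: can the receiving QM's signer store validate the peer's certificate?
# Exit status 0 = trusted, non-zero = rejected (including an empty store).
verify_peer() {         # $1 = receiving QM, $2 = peer QM
  [ -s "$WORK/$1.trust" ] || return 1
  openssl verify -CAfile "$WORK/$1.trust" "$WORK/$2.pem" >/dev/null 2>&1
}

make_self_signed PARIS;  extract_cert PARIS
make_self_signed LONDON; extract_cert LONDON
add_signer LONDON PARIS   # "Copying the certificate for PARIS to LONDON"
add_signer PARIS LONDON   # "Copying the certificate for LONDON to PARIS"
verify_peer LONDON PARIS && echo "LONDON accepts the PARIS certificate"
verify_peer PARIS LONDON && echo "PARIS accepts the LONDON certificate"
```

A certificate that was never copied across still fails the check, which is the behaviour to confirm before blaming the channel definition.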
Testing on OS/400
On OS/400, you can use personal certificates signed by a local CA to test SSL communications. The procedures for creating a local CA certificate and using the local CA to sign the personal certificate are described in Obtaining personal certificates.
Copying a local CA certificate from OS/400 to LONDON
Perform the following steps on the OS/400 on which the local CA is running:
- Create a local CA certificate, as described in Creating CA certificates for testing.
- Export a copy of the local CA certificate, as described in Exporting a certificate from a key repository.
- Transfer the local CA certificate to the LONDON system, for example by ftp.
Add the OS/400 local CA certificate to the key repository for LONDON:
- On OS/400, import the certificate to the certificate store.
- On UNIX systems, add the certificate as a signer certificate.
- On Windows systems, add the certificate to the queue manager store.
- On z/OS, connect the certificate to the key ring.