Use the WebSphere MQ Explorer to connect to a remote queue manager using SSL enabled MQI channels

 

On the system hosting the remote queue manager:

  1. Define a server connection and client connection pair of channels, and specify the appropriate value for the SSLCIPH variable on the server connection channel. For more information on the SSLCIPH variable, see Protecting channels with SSL.

  2. Send the channel definition table AMQCLCHL.TAB, which is found in the queue manager's @ipcc directory, to the system hosting the WebSphere MQ Explorer. To do this we can use the File Transfer Application in binary mode.

  3. Start a TCP/IP listener on a designated port.

  4. Place both the CA and personal SSL certificates into the queue manager's SSL directory:

    • /var/mqm/qmgrs/+QMNAME+/SSL for UNIX systems

    • C:\\WebSphere MQ\qmgrs\+QMNAME+\SSL for Windows systems

      Where +QMNAME+ is a token representing the name of the queue manager.

  5. Create a key database file of type CMS named key.kdb, and stash the password in a file either by checking the option in the iKeyman GUI, or by using the -stash option with the gsk7cmd, runmqckm, or gsk7capicmd commands.

  6. Add the CA certificates to the key database created in the previous step.

  7. Import the personal certificate for the queue manager into the key database.

For more detailed information on working with the Secure Sockets Layer on Windows systems, see the WebSphere MQ Security book.

On the system hosting the WebSphere MQ Explorer:

  1. Create a key database file of type JKS named key.jks. Set a password for this key database file.

    The WebSphere MQ Explorer uses Java™ key store files (JKS) for SSL security, and so the key store file being created for configuring SSL for the WebSphere MQ Explorer must match this.

  2. Add the CA certificates to the key database created in the previous step.

  3. Import the personal certificate for the queue manager into the key database.

  4. Start the WebSphere MQ Explorer either by using the start menu in Windows, or by running the strmqcfg command.

  5. From the WebSphere MQ Explorer toolbar, click Window -> Preferences, then expand WebSphere MQ Explorer and click SSL Client Certificate Stores. Enter the name of, and password for, the JKS file created in step 1 in both the Trusted Certificate Store and the Personal Certificate Store, then click OK.

  6. Close the Preferences window, and right-click Queue Managers. Click Show/Hide Queue Managers, and then click Add on the Show/Hide Queue Managers screen.

  7. Type the name of the queue manager, and select the Connect directly option. Click Next.

  8. Select Use client channel definition table and specify the location of the channel table file that you transferred from the remote queue manager in step 2 on the system hosting the remote queue manager.

  9. Click Finish. We can now access the remote queue manager from the WebSphere MQ Explorer.
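The key database steps above (steps 5 to 7 on the queue manager system and steps 1 to 3 on the WebSphere MQ Explorer system) can also be done from the command line. The following is an added example, not part of the original topic: it prints the runmqckm commands for either side so they can be reviewed before being run. The queue manager name QM1, the file names, the label example-ca, and the passwords are constructed placeholders, and the certificate formats (ASCII CA certificate, PKCS#12 personal certificate) are assumptions.

```shell
#!/bin/sh
# Added example. Paths, the label and the passwords are constructed placeholders.
# keystore_cmds KIND DB DB_PW CA_FILE P12_FILE P12_PW
#   KIND "cms": queue manager key database (password is stashed beside key.kdb)
#   KIND "jks": MQ Explorer key store (password is entered in Preferences instead)
keystore_cmds() {
    kind=$1; db=$2; pw=$3; ca=$4; p12=$5; p12pw=$6
    case $kind in
        cms) stash=' -stash' ;;
        jks) stash='' ;;
        *)   echo "unsupported key database type: $kind" >&2; return 1 ;;
    esac
    # Create the key database (CMS with a stash file, or JKS without one).
    printf 'runmqckm -keydb -create -db "%s" -pw "%s" -type %s%s\n' \
        "$db" "$pw" "$kind" "$stash"
    # Add the CA certificate (assumed to be ASCII/Base64 encoded).
    printf 'runmqckm -cert -add -db "%s" -pw "%s" -label "%s" -file "%s" -format ascii\n' \
        "$db" "$pw" "example-ca" "$ca"
    # Import the personal certificate (assumed to be a PKCS#12 file).
    printf 'runmqckm -cert -import -file "%s" -pw "%s" -type pkcs12 -target "%s" -target_pw "%s" -target_type %s\n' \
        "$p12" "$p12pw" "$db" "$pw" "$kind"
    # List the contents so the result can be checked.
    printf 'runmqckm -cert -list -db "%s" -pw "%s"\n' "$db" "$pw"
}

# Passwords given with -pw are visible in the process list while a command
# runs, so run the printed commands on a host without untrusted local users.

# Queue manager system (UNIX path from step 4, with QM1 as the queue manager):
keystore_cmds cms /var/mqm/qmgrs/QM1/SSL/key.kdb 'CHANGE_ME' ca.pem qm1.p12 'CHANGE_ME_P12'

# WebSphere MQ Explorer system:
keystore_cmds jks key.jks 'CHANGE_ME' ca.pem qm1.p12 'CHANGE_ME_P12'
```

To execute the commands instead of printing them, pipe the output of a keystore_cmds call to sh on the system where runmqckm is installed.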

 
