Step 1: Ensuring WebSphere MQ certificate stores contain complete certificate chains
This section deals with ensuring that complete certificate chains exist in the WebSphere MQ certificate store. This should be completed before installing WebSphere MQ V6.0.
WebSphere MQ V6.0 uses the Global Security Toolkit (GSKit) to manage SSL certificates. Before installing WebSphere MQ V6.0 ensure that all WebSphere MQ certificate stores contain complete certificate chains.
In Step 2: Migrating SSL certificates to Global Security Toolkit key database files, it gives guidance on migrating certificates used by WebSphere MQ V5.3 queue managers and WebSphere MQ clients into key database files for use with Global Security Toolkit.
As an alternative to Step 1: Ensuring WebSphere MQ certificate stores contain complete certificate chains and Step 2: Migrating SSL certificates to Global Security Toolkit key database files, we can manually configure a key database for each queue manager and WebSphere MQ client and import SSL certificates directly into it without migrating them. See 'Working with the Secure Sockets Layer (SSL) on UNIX and Windows systems' in the WebSphere MQ V6.0 Security book for details of how to do this. You will still need to complete Step 3: Ensuring Certificate Revocation Lists are in the correct format and Step 4: Ensuring SSLPEER values have correctly ordered OU entries.
The following sections give the background and necessary steps for "Ensuring WebSphere MQ certificate stores contain complete certificate chains":
- SSL certificates and certificate chains
- Why ensure complete SSL certificate chains exist prior to installation
- How to check WebSphere MQ certificate stores contain complete certificate chains
- Where to locate WebSphere MQ certificate stores
- How to add missing certification authority certificates into WebSphere MQ certificate stores
- What to do if WebSphere MQ version 6.0 has already been installed
- SSL certificates and certificate chains
This section explains what SSL certificates are, what a complete certificate chain is and why WebSphere MQ certificate stores need them.- Why ensure complete SSL certificate chains exist prior to installation
This section details why ensure SSL certificate chains are complete prior to the installation of WebSphere MQ V6.0.- Where WebSphere MQ certificate stores are located
This section gives details on where we can find the WebSphere MQ certificate stores installed on your systems.- How to check WebSphere MQ certificate stores contain complete certificate chains
This section details how we can check if the SSL certificate chains that exist in your SSL certificate store are complete.- Adding missing certification authority certificates into WebSphere MQ certificate stores
This section gives the commands necessary to add SSL certificates into WebSphere MQ certificate stores to complete the certificate chains prior to migrating to WebSphere MQ V6.0.- If WebSphere MQ version 6.0 has already been installed
This section deals with the issue of having upgraded to WebSphere MQ V6.0 without having complete certificate chains.
Parent topic:
SSL migration steps
mi10270_