How to check WebSphere MQ certificate stores contain complete certificate chains


This section describes how to check whether the SSL certificate chains held in your SSL certificate store are complete.

WebSphere MQ V6.0 supplies a new command, AMQCCERT (Check Certificate Chains), that checks whether the certificate chains in a store are complete. It can be run from a command line or batch file, or as part of a wizard. This section deals only with the wizard. For information on using AMQCCERT from a command line or batch file, see the WebSphere MQ System Administration Guide.

The wizard is used to select the queue managers and clients whose certificate stores are to be migrated. It runs the AMQCCERT command against the certificate stores that have been specified and lets you check the results of the command. If the wizard has been run previously, any queue managers and clients that were selected on that run are displayed again.

The wizard also allows you to specify that a queue manager does not use SSL connections, in which case its certificate store (if one exists) is neither checked nor migrated.

Identify the queue managers or clients that are using SSL channels. See "Determining whether SSL connections have been set up" for guidance on how this is done.

  1. Insert the WebSphere MQ V6.0 installation CD into the machine where the certificate store to be checked resides.

  2. Run the WebSphere MQ Pre-install Launchpad.

  3. Select the SSL tab in the WebSphere MQ Pre-install Launchpad.

  4. From the WebSphere MQ Pre-install Launchpad, run the Check WebSphere MQ Certificate Store Wizard.

  5. Use the Check WebSphere MQ Certificate Store Wizard to check all the certificate chains in your certificate stores. There is help information in the wizard to assist in each of the steps.

When the Check WebSphere MQ Certificate Store Wizard shows which certificate stores have passed and which have failed, it allows you to look at the details of why a certificate store failed. The following is an example of the type of information shown when you display those details:

C:\ssl\client
5724-B41 (C) Copyright IBM Corp. 1994, 2005. ALL RIGHTS RESERVED.
The number of certificates in the Microsoft Certificate Store
                                         'c:\ssl\client' is '13'.

The signer certificate 'GlobalSign Primary Class 1 CA' is missing for
                                           the following certificate.

Microsoft Certificate Store: 'c:\ssl\client'.
Certificate Subject:         'GlobalSign PersonalSign Class 1 CA'.
Certificate Issuer:          'GlobalSign Primary Class 1 CA'.
Certificate Serial Number:   '0400 0000 0000 FA3D EEE9 D9'.
Certificate Valid From:      '22/01/2004' to '28/01/2009'.

The signer certificate 'GlobalSign PersonalSign Class 1 CA' is missing
                                        for the following certificate.

Microsoft Certificate Store: 'c:\ssl\client'.
Certificate Subject:         'wm.shakespeare@hamlet.com'.
Certificate Issuer:          'GlobalSign PersonalSign Class 1 CA'.
Certificate Serial Number:   '0100 0000 0001 0170 978B 1E'.
Certificate Valid From:      '14/01/2005' to '14/02/2005'.

Certificate chain checking has completed with some failures.
The Check Certificate Chains (amqccert) command has completed.
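The rule behind the output above is worth seeing as code: a certificate fails not only when its immediate signer is absent from the store, but also when that signer is present and its own chain does not reach a root, which is why 'wm.shakespeare@hamlet.com' is reported as missing 'GlobalSign PersonalSign Class 1 CA' even though that CA certificate is in the store. The following is an added example and not IBM's AMQCCERT code: it approximates the tool's rule using name matching (subject equals issuer marks a self-signed root) in place of real signature verification, and it also flags certificates outside their validity window, which the wizard expects you to replace. The store contents are constructed: the two GlobalSign entries are copied from the output above, 'Example Test Root CA' and 'mqclient.example.test' are made-up entries, and the check date of 1 February 2005 is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StoreCert:
    """One certificate as it would appear in a certificate store (constructed data)."""
    subject: str
    issuer: str
    serial: str
    valid_from: date
    valid_to: date


def check_chains(certs, today):
    """Approximation of the AMQCCERT chain rule (not IBM's implementation).

    A certificate is reported as missing its signer when the issuer is absent
    from the store, or when the issuer is present but its own chain does not
    reach a self-signed root (so the failure propagates down the chain).
    Certificates outside their validity window are reported as out of date.
    Returns a list of (problem, subject, detail) tuples; empty means the store passed.
    """
    by_subject = {c.subject: c for c in certs}  # assumes unique subject names

    def chain_complete(subject, seen=()):
        cert = by_subject.get(subject)
        if cert is None or subject in seen:      # absent signer, or a cycle of issuers
            return False
        if cert.subject == cert.issuer:          # self-signed root ends the chain
            return True
        return chain_complete(cert.issuer, seen + (subject,))

    findings = []
    for cert in certs:
        if cert.subject != cert.issuer and not chain_complete(cert.issuer):
            findings.append(("MISSING_SIGNER", cert.subject, cert.issuer))
        if not (cert.valid_from <= today <= cert.valid_to):
            window = f"{cert.valid_from:%d/%m/%Y} to {cert.valid_to:%d/%m/%Y}"
            findings.append(("OUT_OF_DATE", cert.subject, window))
    return findings


def format_report(store_path, certs, findings):
    """Render findings in the spirit of the amqccert output (wording is constructed)."""
    lines = [f"The number of certificates in the store '{store_path}' is '{len(certs)}'."]
    by_subject = {c.subject: c for c in certs}
    for problem, subject, detail in findings:
        serial = by_subject[subject].serial
        if problem == "MISSING_SIGNER":
            lines.append(f"The signer certificate '{detail}' is missing for '{subject}' (serial '{serial}').")
        else:
            lines.append(f"The certificate '{subject}' (serial '{serial}') is out of date: valid '{detail}'.")
    if findings:
        lines.append("Certificate chain checking has completed with some failures.")
    else:
        lines.append("Certificate chain checking has completed with no failures.")
    return lines


# Constructed store: the two GlobalSign entries mirror the output shown above;
# the root and the 'mqclient' leaf are made up, the leaf expired at the end of 2004.
STORE = [
    StoreCert("GlobalSign PersonalSign Class 1 CA", "GlobalSign Primary Class 1 CA",
              "0400 0000 0000 FA3D EEE9 D9", date(2004, 1, 22), date(2009, 1, 28)),
    StoreCert("wm.shakespeare@hamlet.com", "GlobalSign PersonalSign Class 1 CA",
              "0100 0000 0001 0170 978B 1E", date(2005, 1, 14), date(2005, 2, 14)),
    StoreCert("Example Test Root CA", "Example Test Root CA",
              "01", date(2000, 1, 1), date(2020, 1, 1)),
    StoreCert("mqclient.example.test", "Example Test Root CA",
              "02", date(2003, 1, 1), date(2004, 12, 31)),
]

# Constructed store whose two CA entries issue each other: neither reaches a root.
LOOPED_STORE = [
    StoreCert("Loop CA A", "Loop CA B", "0A", date(2000, 1, 1), date(2020, 1, 1)),
    StoreCert("Loop CA B", "Loop CA A", "0B", date(2000, 1, 1), date(2020, 1, 1)),
]

CHECK_DATE = date(2005, 2, 1)  # assumed date on which the store is checked

if __name__ == "__main__":
    for line in format_report(r"c:\ssl\client", STORE, check_chains(STORE, CHECK_DATE)):
        print(line)
```

Run against the constructed store, the report lists the two GlobalSign failures exactly as the wizard output does (the leaf is blamed on its immediate signer, not on the absent root), plus the expired 'mqclient' entry; removing the expired leaf and adding the missing 'GlobalSign Primary Class 1 CA' root would make the store pass, which is the state the wizard requires before it completes.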

As well as being visible through the wizard, this information, along with other progress information, is written to a log file. The log file is located in the WebSphere MQ data directory and is named amqmsccw.txt.

At this point you can replace out-of-date certificates or add missing ones, then return to the wizard and recheck the stores to confirm that they now pass. The wizard completes only when all the selected certificate stores have been checked and have passed.

If the state UNTESTED is displayed for a certificate store, the wizard was unable to launch AMQCCERT to test that store. The most likely cause is that AMQCCERT or one of the libraries it depends on is not available. Check that the WebSphere MQ bin directory is on the path.

AMQMCERT and the Services GUI provided with WebSphere MQ V5.3 can be used to work with the certificate stores to correct any errors prior to migrating them.
