Set up certificates and the keystore configuration file on IBM i

Your first task when setting up Advanced Message Security protection is to create a certificate, and associate that with the environment. The association is configured through a file held in the integrated filesystem (IFS).


Procedure

  1. To create a self-signed certificate using the OpenSSL tooling shipped with IBM i, issue the following command from QShell:
    /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365
    
    The command prompts for various distinguished name attributes for a new self-signed certificate, including:

    • Common Name (CN=)
    • Organization (O=)
    • Country (C=)

    This creates an unencrypted private key and a matching certificate, both in PEM (Privacy Enhanced Mail) format. The -nodes option leaves the private key unencrypted, so no passphrase is needed to use it.

    For simplicity, just enter values for common name, organization, and country. These attributes and values are important when creating a policy.

    Additional prompts and attributes can be customized by specifying a custom openssl configuration file on the command line with the -config parameter. Refer to OpenSSL documentation for more details on the configuration file syntax.

    For example, the following command adds additional X.509 v3 certificate extensions:

    /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365 -config myconfig.cnf
    

    where myconfig.cnf is an ASCII stream file that contains the following:

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = myextensions
    
    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = GB
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Hants
    localityName = Locality Name (eg, city)
    localityName_default = Hursley
    organizationName = Organization Name (eg, company)
    organizationName_default = IBM United Kingdom
    organizationalUnitName = Organizational Unit Name (eg, department)
    organizationalUnitName_default = IBM MQ Development
    commonName = Common Name (eg, Your Name)
    
    [myextensions]
    keyUsage = digitalSignature,nonRepudiation,dataEncipherment,keyEncipherment
    extendedKeyUsage = emailProtection
    
  2. AMS requires that both the certificate and private key are held in the same file. Issue the following command to achieve this:
    cat $HOME/mycert.pem >> $HOME/private.pem
    

    The private.pem file in $HOME now contains a matching private key and certificate, while the mycert.pem file contains all of the public certificates of the parties for which you can encrypt messages and whose signatures you can validate.

    The two files need to be associated with the environment by creating a keystore configuration file, keystore.conf, in your default location.

    By default, AMS looks for the keystore configuration in a .mqs subdirectory of your home directory.

  3. In QShell create the keystore.conf file:
    mkdir -p $HOME/.mqs
    echo "pem.private = $HOME/private.pem" > $HOME/.mqs/keystore.conf
    echo "pem.public = $HOME/mycert.pem" >> $HOME/.mqs/keystore.conf
    echo "pem.password = unused" >> $HOME/.mqs/keystore.conf
    
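    The following check script is an added example, not part of the IBM documentation: it verifies the result of steps 1 to 3, namely that private.pem holds exactly one private key plus the appended certificate, that mycert.pem holds certificates only, and that the unencrypted key is not readable by other users. It assumes the file names and the keystore.conf layout used above and needs only POSIX grep, sed and find.

```shell
# Added example (not part of the IBM documentation): verify that the files created in
# steps 1 to 3 are consistent and that the unencrypted key is not exposed. Needs only
# POSIX grep, sed and find, so it runs in QShell or any other POSIX shell.

# count_markers FILE PATTERN -> prints the number of lines in FILE matching PATTERN
count_markers() {
    grep -c -- "$2" "$1" 2>/dev/null || true
}

# readable_by_others FILE -> true when group or other has read permission on FILE
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# check_ams_keystore CONF -> returns 0 if the keystore configuration looks usable,
# otherwise prints one line per problem and returns 1
check_ams_keystore() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "$conf: not found"; return 1; }
    # keystore.conf lines have the form "key = value"
    priv=$(sed -n 's/^pem\.private *= *//p' "$conf")
    pub=$(sed -n 's/^pem\.public *= *//p' "$conf")
    pw=$(sed -n 's/^pem\.password *= *//p' "$conf")
    if [ -z "$priv" ] || [ -z "$pub" ] || [ -z "$pw" ]; then
        echo "$conf: pem.private, pem.public and pem.password must all be set"
        return 1
    fi
    [ -f "$priv" ] || { echo "$priv: not found"; return 1; }
    [ -f "$pub" ] || { echo "$pub: not found"; return 1; }
    # step 2 appended the certificate to private.pem: one key plus at least one certificate
    [ "$(count_markers "$priv" 'BEGIN .*PRIVATE KEY')" = 1 ] ||
        { echo "$priv: expected exactly one private key"; rc=1; }
    [ "$(count_markers "$priv" 'BEGIN CERTIFICATE')" -ge 1 ] ||
        { echo "$priv: no certificate appended (step 2 not done?)"; rc=1; }
    # mycert.pem is handed to peers: it must hold certificates only, never a key
    [ "$(count_markers "$pub" 'BEGIN .*PRIVATE KEY')" = 0 ] ||
        { echo "$pub: contains a private key; it must hold certificates only"; rc=1; }
    [ "$(count_markers "$pub" 'BEGIN CERTIFICATE')" -ge 1 ] ||
        { echo "$pub: no certificates found"; rc=1; }
    # -nodes left the key unencrypted, so file permissions are its only protection
    if readable_by_others "$priv"; then
        echo "$priv: readable by group or other; run: chmod 600 $priv"
        rc=1
    fi
    return $rc
}

# Usage: check_ams_keystore "$HOME/.mqs/keystore.conf"
```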
