Configure for cryptographic hardware

You can configure cryptographic hardware for a queue manager on UNIX using either of the following methods:

You can configure cryptographic hardware for a WebSphere MQ client on UNIX using either of the following methods:

  • Set the MQSSLCRYP environment variable. The permitted values for MQSSLCRYP are the same as for the SSLCRYP parameter.
  • Set the CryptoHardware field of the SSL configuration options structure, MQSCO, on an MQCONNX call.

Managing certificates on PKCS #11 hardware

This section tells you about managing digital certificates on cryptographic hardware that supports the PKCS #11 interface. Note that you still need a key database file, even when you store all the certificates on the cryptographic hardware.

Perform the following steps to work with the cryptographic hardware:

  1. Log in as the root user.

  2. Execute the gsk6ikm command to start the iKeyman GUI.

  3. From the Key Database File menu, click Open. The Open window displays.

  4. Click Key database type and select Cryptographic token.

  5. In the File Name field, type the name of the module for managing the cryptographic hardware, for example PKCS11_API.so.

  6. In the Location field, type the path, for example /usr/lib/pkcs11.

  7. Click OK. The Open Cryptographic Token window displays.

  8. In the Cryptographic Token Password field, type the password that you set when you configured the cryptographic hardware.

  9. If the cryptographic hardware has the capacity to hold the signer certificates required to receive or import a personal certificate, clear both secondary key database check boxes and continue from step 17.

    If you require a secondary CMS key database to hold the signer certificates, select either the Open existing secondary key database file check box or the Create new secondary key database file check box.

  10. In the File Name field, type a file name. This field already contains the text key.kdb. If the stem name is key, leave this field unchanged. If you have specified a different stem name, replace key with the stem name but do not change the .kdb extension.

  11. In the Location field, type the path, for example:

    • For a queue manager: /var/mqm/qmgrs/PARIS/ssl
    • For a WebSphere MQ client: /var/mqm/ssl

  12. Click OK. The Password Prompt window displays.

  13. If you selected the Open existing secondary key database file check box in step 9, type a password in the Password field, and continue from step 17.

  14. If you selected the Create new secondary key database file check box in step 9, type a password in the Password field, and type it again in the Confirm Password field.

  15. Select the Stash the password to a file check box.

    Note:
    If you do not stash the password, attempts to start SSL channels fail because they cannot obtain the password required to access the key database file.

  16. Click OK. A window displays, confirming that the password is in file key.sth (unless you specified a different stem name).

  17. Click OK. The Key database content frame displays.

Requesting a personal certificate for the PKCS #11 hardware

Use the following procedure for either a queue manager or a WebSphere MQ client to request a personal certificate for the cryptographic hardware:

  1. Perform the steps to work with the cryptographic hardware.

  2. From the Create menu, click New Certificate Request. The Create New Key and Certificate Request window displays.

  3. In the Key Label field, type:

    • For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or

    • For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

  4. Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that you can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.

  5. In the Enter the name of a file in which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.

  6. Click OK. A confirmation window displays.

  7. Click OK. The Personal Certificate Requests field shows the label of the new personal certificate request you created. The certificate request is stored in the file you chose in step 5.

  8. Request the new personal certificate either by sending the file to a Certification Authority (CA), or by copying the file into the request form on the Web site for the CA.

Importing a personal certificate to the PKCS #11 hardware

Use the following procedure for either a queue manager or a WebSphere MQ client to import a personal certificate to the cryptographic hardware:

  1. Perform the steps to work with the cryptographic hardware.

  2. Click Receive. The Receive Certificate from a File window displays.

  3. Select the Data type of the new personal certificate, for example Base64-encoded ASCII data for a file with the .arm extension.

  4. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.

  5. Click OK. If you already have a personal certificate in the key database, a window appears, asking if you want to set the key you are adding as the default key in the database.

  6. Click Yes or No. The Enter a Label window displays.

  7. Type a label, for example the label you used when you requested the personal certificate. Note that the label must be in the correct WebSphere MQ format:

    • For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or

    • For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

  8. Click OK. The Personal Certificates field shows the label of the new personal certificate you added.
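
Two things in the procedures above are easy to get wrong silently: the stashed password that the note at step 15 of "Managing certificates on PKCS #11 hardware" says channels need, and the lower-case label format at step 3 of the request procedure and step 7 of the import procedure. The following POSIX shell functions check both before a channel is started; they are an added example, not part of the IBM documentation, and assume only the naming rules stated on this page (the directory, stem name and module path are whatever you chose in the steps above).

```sh
#!/bin/sh
# Pre-flight checks for an MQ key repository used with PKCS #11 hardware.
# Added example, not part of the IBM documentation. It assumes only the naming
# rules given on this page: the secondary CMS key database is <stem>.kdb with
# its stashed password in <stem>.sth beside it, and a personal certificate
# label is "ibmwebspheremq" followed by the queue manager name or logon user
# ID folded to lower case.

# Expected certificate label for a queue manager name or client user ID.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Verify that the key repository <dir>/<stem> can be opened by an SSL channel:
# both the key database and the stash file must be present. Returns 0 when
# both exist, 1 otherwise, reporting what is missing on stderr.
mq_check_repository() {
    dir=$1; stem=$2; rc=0
    if [ ! -f "$dir/$stem.kdb" ]; then
        echo "missing key database: $dir/$stem.kdb" >&2
        rc=1
    fi
    if [ ! -f "$dir/$stem.sth" ]; then
        echo "missing stash file: $dir/$stem.sth (channels cannot obtain the password)" >&2
        rc=1
    fi
    return $rc
}

# Verify that the PKCS #11 module named in iKeyman exists at the given location.
mq_check_pkcs11_module() {
    [ -f "$1/$2" ] || { echo "PKCS #11 module not found: $1/$2" >&2; return 1; }
}

# Sample invocation: the label expected for queue manager PARIS.
mq_cert_label PARIS
```

Run `mq_check_repository /var/mqm/qmgrs/PARIS/ssl key` (or `/var/mqm/ssl` for a client) and `mq_check_pkcs11_module /usr/lib/pkcs11 PKCS11_API.so` with your own paths; a non-zero exit names the missing file.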