IBM MQ - Getting Started with SSL


To configure IBM MQ to use SSL, you will need a key database file that contains one or more certificates. The key database file can be created and managed using the GSKit (Global Security Kit) command line tool or the iKeyman GUI. Let's say you have a key database file named key.kdb.

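The GSKit command line tool can be used to list the certificates in the kdb file. Let's say key.kdb contains a certificate named "example.com". Use the -stashed option if the key database password has been stashed, or replace -stashed with -pw your_password. Note that -pw puts the password on the command line, where it is visible in shell history and process listings.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/key.kdb -stashed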
Certificates found
* default, - personal, ! trusted, # secret key
*- example.com

 

The display qmgr command can be used to display the queue manager's SSLKEYR configuration. SSLKEYR will need to contain the absolute path to the key database file without the .kdb file extension.

~]# echo "display qmgr SSLKEYR" | runmqsc MANAGER01
SSLKEYR(/shared/qmgrs/MANAGER01/ssl/key)

 

In this example, your key.kdb file would need to reside at the following path.

/shared/qmgrs/MANAGER01/ssl/key.kdb

 

The display qmgr command can also be used to identify the alias of the certificate in the key database file being used for SSL.

~]# echo "display qmgr CERTLABL" | runmqsc MANAGER01
CERTLABL(example.com)

 

If the CERTLABL does not match the alias of the certificate in key.kdb, the alter qmgr command can be used to change the CERTLABL.

~]# echo "alter qmgr CERTLABL ('the_new_cert_label')" | runmqsc MANAGER01
AMQ8005I: IBM MQ queue manager changed.

 

If you use the alter qmgr command to change the CERTLABL or SSLKEYR value, you will need to refresh security for SSL for the change to take effect. There is no need to restart the queue manager.

~]# echo "refresh security type (SSL)" | runmqsc MANAGER01
AMQ8560I: IBM MQ security cache refreshed.

 

With just these basic configurations, the queue manager can now use the example.com certificate in the key database file for SSL.
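
The checks described above (SSLKEYR is an absolute path without the .kdb extension, and CERTLABL matches a label in the key database) can be scripted. The following is an added example, not part of the original article: the function names are hypothetical and the sample output is constructed in the formats shown above. On a live system, pass in the real output of the display qmgr and -cert -list commands instead.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# Checks that the queue manager's SSLKEYR and CERTLABL agree with the key database.

# Print the value of an MQSC attribute from runmqsc output on stdin,
# e.g. "SSLKEYR(/path/key)" -> "/path/key".
mqsc_attr() {
    sed -n "s/.*$1(\([^)]*\)).*/\1/p" | head -n 1
}

# Print certificate labels from "gsk8capicmd_64 -cert -list" output on stdin.
# Label lines begin with flag characters (* - ! #); the legend line is skipped.
kdb_labels() {
    awk '/^\* default, - personal/ { next }
         /^[*!#-]+[ \t]+/ { sub(/^[*!#-]+[ \t]+/, ""); print }'
}

# $1 = runmqsc output, $2 = certificate list output. Returns 0 only if
# SSLKEYR is an absolute path without .kdb and CERTLABL is a label in the list.
check_tls_config() {
    keyr=$(printf '%s\n' "$1" | mqsc_attr SSLKEYR)
    label=$(printf '%s\n' "$1" | mqsc_attr CERTLABL)
    rc=0
    case "$keyr" in
        *.kdb) echo "FAIL: SSLKEYR includes the .kdb extension: $keyr"; rc=1 ;;
        /*)    echo "OK: key database expected at $keyr.kdb" ;;
        *)     echo "FAIL: SSLKEYR is not an absolute path: '$keyr'"; rc=1 ;;
    esac
    if [ -n "$label" ] && printf '%s\n' "$2" | kdb_labels | grep -Fxq -- "$label"; then
        echo "OK: CERTLABL '$label' is present in the key database"
    else
        echo "FAIL: CERTLABL '$label' is not a label in the key database"; rc=1
    fi
    return "$rc"
}

# Constructed sample output, in the formats shown in this article.
QMGR_OUT='   QMNAME(MANAGER01)                       CERTLABL(example.com)
   SSLKEYR(/shared/qmgrs/MANAGER01/ssl/key)'
LIST_OUT='Certificates found
* default, - personal, ! trusted, # secret key
*- example.com'

check_tls_config "$QMGR_OUT" "$LIST_OUT"
```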



