How do you set up MQ SSL with ACF2?

Document ID : KB000029741
Last Modified Date : 14/02/2018

The MQ SSL setup varies based on a site's setup for their MQ
environment. The following example shows the setup for two MQ queue
managers, ABCD and WXYZ, working in SSL.

 

1) GENCERT for a self-signed Site cert, label MQ Root CA.

2) GENCERT for each Q manager, ABCD and WXYZ, creating Personal
    certificates ABCDCHIN.CERT and WXYZCHIN.CERT, using the Root
    as the signing authority, Usage = Handshake.

3) Build two KEYRINGS, ABCDCHIN.ring and WXYZCHIN.ring, each with the
    MQ Root CA and the Personal certificate for that Q manager as the
    default.

The required match-ups are the RINGNAME of the ring (ABCDCHIN.ring) matching
the ACF2 logonid that runs the channel initiator, and the LABEL field
in the xxxxCHIN.CERT entry looking like ibmWebSphereMQxxxx, where xxxx is
the queue manager name.

The MQ parm SSLKEYR identifies the desired RINGNAME value. The queue manager
should be set up to run SSL calls, using the WebSphere MQ ALTER QMGR command
(i.e. ALTER QMGR SSLTASKS(n), where 'n' is the number of subtasks and must be
at least 2).

For example:

KEYRING / ABCDCHIN.RING LAST CHANGED BY USER002 ON 12/30/14-10:25
                    DEFAULT(ABCDCHIN.CERT) RINGNAME(ABCDCHIN)

The following certificates are connected to this key ring:

CERTDATA record     Label                 Usage
CERTAUTH.ROOTC      MQ Root CA            CERTAUTH
ABCDCHIN.CERT       ibmWebSphereMQABCD    PERSONAL

 

KEYRING / WXYZCHIN.RING LAST CHANGED BY USER002 ON 12/30/14-10:25
                    DEFAULT(WXYZCHIN.CERT) RINGNAME(WXYZCHIN)

The following certificates are connected to this key ring:

CERTDATA record     Label                 Usage
CERTAUTH.ROOTC      MQ Root CA            CERTAUTH
WXYZCHIN.CERT       ibmWebSphereMQWXYZ    PERSONAL
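
The required match-ups can be checked mechanically against a saved key ring listing before the channel is started. The following Python script is an added example, not part of the original document or of any CA or IBM tooling; the function names are hypothetical, and it assumes the listing layout shown above and an exact, case-sensitive comparison.

```python
import re

# Constructed sample in the layout of the listings above; RINGNAME is
# deliberately mistyped to show a failed match-up.
SAMPLE = """\
KEYRING / ABCDCHIN.RING LAST CHANGED BY USER002 ON 12/30/14-10:25
        DEFAULT(ABCDCHIN.CERT) RINGNAME(ABDCCHIN)
The following certificates are connected to this key ring:
CERTDATA record      Label                 Usage
CERTAUTH.ROOTC       MQ Root CA            CERTAUTH
ABCDCHIN.CERT        ibmWebSphereMQABCD    PERSONAL
"""

# A certificate row: record, label (may contain single spaces), usage.
ROW = re.compile(r"^\s*(\S+)\s{2,}(.+?)\s{2,}(CERTAUTH|PERSONAL)\s*$")

def parse_keyring(listing):
    """Extract DEFAULT, RINGNAME and the connected certificate rows."""
    ring = {"default": None, "ringname": None, "certs": []}
    for line in listing.splitlines():
        m = re.search(r"DEFAULT\(([^)]*)\)", line)
        if m:
            ring["default"] = m.group(1)
        m = re.search(r"RINGNAME\(([^)]*)\)", line)
        if m:
            ring["ringname"] = m.group(1)
        m = ROW.match(line)
        if m:
            ring["certs"].append(m.groups())
    return ring

def check_matchups(listing, qmgr, chinit_logonid):
    """Return a list of problems; an empty list means the match-ups hold."""
    ring, problems = parse_keyring(listing), []
    if ring["ringname"] != chinit_logonid:
        problems.append(f"RINGNAME {ring['ringname']} != logonid {chinit_logonid}")
    want = "ibmWebSphereMQ" + qmgr
    personal = {rec: label for rec, label, usage in ring["certs"] if usage == "PERSONAL"}
    if ring["default"] not in personal:
        problems.append(f"DEFAULT {ring['default']} is not a connected PERSONAL cert")
    elif personal[ring["default"]] != want:
        problems.append(f"label {personal[ring['default']]} != {want}")
    if not any(usage == "CERTAUTH" for _, _, usage in ring["certs"]):
        problems.append("no CERTAUTH (signing CA) certificate connected")
    return problems

if __name__ == "__main__":
    for p in check_matchups(SAMPLE, "ABCD", "ABCDCHIN"):
        print("FAIL:", p)
```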