MQ WebSphere SSL Setup - Signed

Document ID : KB000027739
Last Modified Date : 14/02/2018

Questions:

How do you set up MQ WebSphere with a signed digital certificate?


Answer:


The following example shows how to set up digital certificates generated by eTrust CA-TOP SECRET and signed by a third-party Certificate Authority (CA) for use with MQ WebSphere.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Adjust them to your site standards and environment.

  1. Generate a certificate for the MQ Channel Initiator with the TSS GENCERT command:

    Example:
          TSS GENCERT(MQCHIN1) DIGICERT(MCI1CERU)-
          SUBJECTN('O="COMPANYA" CN="MQCHIN1 cert"-
          OU="SYSTEMSDEPT" C="US"')-
          LABLCERT('MCI1CERU')

    • In this example MQCHIN1 is the MQ Channel Initiator region acid.

    • MCI1CERU is the digital certificate name in eTrust CA-TOP SECRET.

    • The LABLCERT is 'MCI1CERU'.

  2. Use the TSS GENREQ command to copy the certificate request to a dataset in PKCS#10 format, which will be signed by the Certificate Authority.

    Example:
          TSS GENREQ(MQCHIN1) DIGICERT(MCI1CERU)-
          DCDSN('MQCHIN1.UNSIGNED.CERT')

    • Dataset 'MQCHIN1.UNSIGNED.CERT' will contain the certificate request in PKCS#10 format.

  3. Send the certificate request to the Certificate Authority to be signed.

  4. Once signed, transfer the signed certificate returned by the Certificate Authority to a dataset.

  5. Add the signed certificate back to the acid under a different DIGICERT name with the TSS ADD command.

    Example:
          TSS ADD(MQCHIN1) DIGICERT(MCI1CERS)-
          DCDSN('MQCHIN1.SIGNED.CERT')-
          LABLCERT('ibmWebSphereMQCSQ1') TRUST

    • In this example dataset 'MQCHIN1.SIGNED.CERT' contains the signed certificate.

    • MCI1CERS is the new DIGICERT certificate name.

    • The LABLCERT must be 'ibmWebSphereMQxxxx', where 'xxxx' is the MQ channel initiator (CSQ1 in this example).

  6. Create the MQ Channel Initiator's KEYRING with the TSS ADD command.

    Example:
          TSS ADD(MQCHIN1) KEYRING(MCI1RING)-
          LABLRING('WEBRING')

  7. Add the certificate to the KEYRING with the TSS ADD command.

    Example:
          TSS ADD(MQCHIN1) KEYRING(MCI1RING)-
          RINGDATA(MQCHIN1,MCI1CERS) USAGE(PERSONAL) DEFAULT

  8. If the client will be using the Certificate Authority's public key, skip steps 9 through 11.

  9. Export the signed certificate to a dataset with the TSS EXPORT command.

    Example:
          TSS EXPORT(MQCHIN1) DIGICERT(MCI1CERS)-
          DCDSN('MQCHIN1.SIGNED.CERT')

    • MCI1CERS is the signed certificate added in step 5.

  10. Send the certificate dataset to the client.

  11. Specify the queue manager's KEYRING to MQ via the 'SSLKEYR' MQ parameter. Use the MQ command 'ALTER QMGR' to make a temporary and dynamic change.

    Example:
          ALTER QMGR SSLKEYR(MCI1RING)

  12. Send the Certificate Authority's certificate to the mainframe.

  13. Add the Certificate Authority to CERTAUTH with the TSS ADD command.

    Example:
          TSS ADD(CERTAUTH) DIGICERT(MCI1CA)-
          DCDSN('MQCHIN1.CERT.AUTH')

    • In this example 'MQCHIN1.CERT.AUTH' is the dataset with the Certificate Authority's certificate.

    • MCI1CA is the digital certificate name in TOP SECRET.

  14. Add the Certificate Authority to the MQ Channel Initiator's KEYRING with the TSS ADD command.

    Example:
          TSS ADD(MQCHIN1) KEYRING(MCI1RING)-
          RINGDATA(CERTAUTH,MCI1CA) USAGE(CERTAUTH)

    • USAGE(CERTAUTH) must be specified.
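Between steps 4 and 5 the signed certificate returned by the Certificate Authority is usually checked on a workstation before it is added to the acid with TRUST. The script below is an added example and is not part of the CA-TOP SECRET article or of any CA or IBM tooling: it assumes the openssl command-line tool, and that the PKCS#10 request from step 2, the signed certificate from step 4 and the CA certificate from step 12 have been transferred off the mainframe as PEM text files (file names are placeholders). It confirms that the signed certificate carries the public key from the request (so it pairs with the private key TOP SECRET generated in step 1), that the subject was not altered, that it chains to the CA certificate that will go into CERTAUTH, and that it is currently valid. The mq_cert_label helper encodes the 'ibmWebSphereMQxxxx' label rule from step 5.

```shell
#!/bin/sh
# Added example, not from the CA-TOP SECRET article. Assumes the openssl CLI
# and PEM-encoded files transferred from the mainframe; all file names are
# placeholders chosen for illustration.

# verify_signed_cert CSR SIGNED_CERT CA_CERT
# Returns 0 only if every check passes; otherwise prints the failing check
# and returns 1 so the certificate is not added with TSS ADD ... TRUST.
verify_signed_cert() {
    csr="$1"; cert="$2"; ca="$3"

    # 1. The public key in the signed certificate must be the one from our
    #    request; any other key will never pair with the private key held
    #    in TOP SECRET for the MQCHIN1 acid.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read request $csr" >&2; return 1; }
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    [ "$csr_key" = "$cert_key" ] \
        || { echo "public key in $cert does not match $csr" >&2; return 1; }

    # 2. The subject must be the one we requested. Both sides are printed in
    #    RFC 2253 form so the comparison is independent of display quirks.
    csr_subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    cert_subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    [ "$csr_subj" = "$cert_subj" ] \
        || { echo "subject changed: '$csr_subj' vs '$cert_subj'" >&2; return 1; }

    # 3. The certificate must chain to the CA certificate that will be added
    #    to CERTAUTH (steps 12-14); anything else means a different CA signed it.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against CA certificate $ca" >&2; return 1; }

    # 4. It must not already be expired (openssl verify already rejects a
    #    not-yet-valid certificate).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "$cert has expired" >&2; return 1; }

    echo "$cert: key, subject, chain and validity checks passed"
    return 0
}

# mq_cert_label QMGR
# Prints the LABLCERT value the article requires for the signed certificate:
# 'ibmWebSphereMQ' followed by the channel initiator / queue manager name.
mq_cert_label() {
    printf 'ibmWebSphereMQ%s\n' "$1"
}

# Usage: verify_signed_cert mqchin1.csr mqchin1.signed.pem ca.pem && \
#        echo "label: $(mq_cert_label CSQ1)"
```

The script exits non-zero on the first failed check, so it can gate the file transfer back to the mainframe in a pipeline; the subject check in particular catches a CA that silently reissues with a different CN, which would otherwise only surface as a channel start failure after step 11.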