When using mqweb with certificates you can use
- a self signed certificate to identify the server
- a CA signed certificate to identify the server
You can use certificates to authenticate…
- a self signed certificate at the client end
- a CA signed certificate at the client end
This post explains how I set up mqweb to use a CA signed certificate at the server, and to import the CA into my Chrome browser.
The steps are
- Create your certificate authority certificate
- Create the certificate request for mqweb server
- Sign the request
- Create the mqweb keystore and import the mqweb certificate
- Import the CA into the web browser keystore if required
Create your certificate authority certificate
If you do not already have a certificate authority and a process for signing certificates you need to set these up. To do it properly, you should create a certificate request and have an external CA sign it.
The following command creates a self signed certificate. This is your CA authority certificate and private key.
openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -subj “/C=GB/O=SSS/OU=CA/CN=SSCA” -nodes -out cacert.pem -keyout cacert.key.pem -outform PEM
- openssl req -x509 – create a self signed certificate request. -x509 says self signed.
- -config openssl-ca.cnf – use this file for the definitions
- -newkey rsa:4096 – generate a new key
- -nodes – do not encrypt the private keys. I do not know if this should be specified or not.
- -subj “/C=GB/O=SSS/OU=CA/CN=SSCA” – with this DN
- -out cacert.pem – output the certificate. This is used when signing. This file is sent to all users.
- -keyout cacert.key.pem – output the private key. This is used when signing. This files stays on the machine.
- -outform PEM – in this format
In the config file, the important options I had were
[ req_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical,CA:TRUE, pathlen:0 keyUsage = keyCertSign, digitalSignature
You need to distribute the cacert.pem certificate to all your users, so they import it into their keystores.
Create the certificate request for mqweb server
The following command creates a certificate request which will be sent to the CA to sign.
openssl req -config mqwebserver.config -newkey rsa:2048 -out mqweb.csr -outform PEM -keyout mqweb.key.pem -subj “/C=GB/O=cpwebuser/CN=mqweb” -passin file:password.file -passout file:password.file
- openssl req – as this request does not have -x509 specified it is for a certificate request
- -config mqwebserver.config – use definitions in the specified file
- -newkey rsa:2048 – create a new certificate request and private key with a 2048 bit RSA key
- -out mqweb.csr – use this output file for the request to be sent to the CA
- -outform PEM – use pem format
- -keyout mqweb.key.pem – put the private key in this file
- -subj “/C=GB/O=cpwebuser/CN=mqweb” – with this distinguished name. It can have any values which meet your enterprise standards.
- -passin file:password.file -passout file:password.file – use the passwords in the file(s). The file:… says use this file. You can specify a password instead. As the same file is used twice, two lines in the file are used.
In the config file, the important options were
[ req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE subjectAltName = DNS:localhost, IP:127.0.0.1 nsComment = "OpenSSL mqweb server" keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth
Sign the request
Send the *.csr file to your CA.
Initial setup of ca signing process
If this is the first time you are using your CA you need to set up some files. The files are referred to in the config file used by openssl ca command
touch index.txt echo '01' > serial.txt
- index.txt is the certificate database index file. This name is used in the config file option database =… . For the format of this file see here.
- serial.txt contains the current serial number of the certificate. This name is used in the config file option serial =… .
Sign the certificate request
This takes the .csr file and signs it.
openssl ca -config casign.config -md sha384 -out mqweb.pem -cert cacert.pem -keyfile cacert.key.pem -infiles mqweb.csr
- openssl ca – do the ca signing
- -config casign.config – using the specified config file
- -md sha384 – what message digest strength to use
- -out mqweb.pem – put the signed certificate in this file
- -cert cacert.pem – sign it with this ca file
- -keyfile cacert.key.pem – sign it with this ca private file
- -infiles mqweb.csr – this is the input certificate request file
This displays the certificate, so check it is correct. You get prompted
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
In the config file the important section is
[ ca_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = keyEncipherment extendedKeyUsage = serverAuth
Send the signed certificate back to the requestor.
Create the keystore to be used by mqweb and import the certificate
You can delete the certificate in the keystore using runmqckm -cert -delete -db mqweb.p12 -pw password -label mqweb . This is not required.
openssl pkcs12 -export -inkey mqweb.key.pem -in mqweb.pem -out mqweb.p12 -CAfile cacert.pem -chain -name mqweb -passout file:password.file -passin file:password.file
This command creates the keystore (if requried) and imports the signed certificate and private key into the store with the specified name. If a certificate exists with the same name, it is replaced.
- openssl pkcs12 -export – this says a pkcs12 file will be created
- -inkey mqweb.key.pem – using this private key file
- -in mqweb.pem – and this signed certificate
- -out mqweb.p12 – output put it to this pkcs12 keystore, used by mqweb
- -CAfile cacert.pem – using this CA certificate
- -chain – include all of the certificates needed when adding the certificate to the key store
- -name mqweb – create this name in the keystore. It is used to identify the key in the key store.
- -passout file:password.file -passin file:password.file – use these password files
There is no config file for this operation.
Use chmod and chown to protect this keystore file from unauthorised access.
Change the mqweb configuration file.
<keyStore id="defaultKeyStore" location="/home/colinpaice/ssl/mqweb.p12" type="pkcs12" password="password"/> <!-- the trust store is used when authenticating <keyStore id="defaultTrustStore" location="/home/colinpaice/ssl/key.jks" type="JKS" password="zpassword"/> --> <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" serverKeyAlias="mqweb" clientAuthentication="false" clientAuthenticationSupported="false" /> <!--trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" -->
The keystore name and server key alias which identifies which certificate to use, are highlighted.
Check /var/mqm/web/installations/Installation1/servers/mqweb/logs/messages.log for
Successfully loaded default keystore: /home/colinpaice/ssl/ssl2/mqweb.p12 of type: pkcs12. This means it has successfully opened the keystore.
If you do not get this message use a command like grep ” E ” messages.log and check for messages like
E CWPKI0033E: The keystore located at …. did not load because of the following error: keystore password was incorrect.
Import the CA certificate into Chrome
You need to do this once for every CA certificate
I have several profiles for Chrome. At one point it hickup-ed and created a new profile, my scripts carried on updating the old profile until I realized a different profile was now being used.
Find the keystore
In Chrome use the url chrome://version/ this gives the profile path, for example /home/colinpaice/snap/chromium/986/.config/chromium/Default
You can remove the old certificate CA
certutil -D -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb -n myCACert
- certutil -D – delete the certificate
- -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb – from this keystore directory
- -n myCACertr with this name
Add the new CA certificate
certutil -A -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb -t “C,,” -i cacert.pem -n myCACert
- certutil -A – add a certificate
- -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb – into this keystore directory
- -t “C,,” – give it these permissions.
- C says Trusted CA. The certificate appears in Chrome under “certificate authorities”
- -i cacert.pem – import this certificate
- -n myCACert – with this name
Tell Chrome to pickup the changes
Use the url chrome://restart to restart chrome
Try using it. Use the url like https://127.0.0.1:9443/ibmmq/console/
You should get the IBM MQ Console – login