When using mqweb with certificates you can use
- a self-signed certificate to identify the server
- a CA-signed certificate to identify the server
You can also use certificates to authenticate the client:
- a self-signed certificate at the client end
- a CA-signed certificate at the client end
This post explains how I set up mqweb to use a self-signed certificate at the server, and how to import that certificate into my Chrome browser so the browser trusts it.
The tasks are
- create the self signed certificate
- create the keystore and import the certificate
- update the mqwebuser.xml file
- import the certificate into the browser keystore
Create the openssl config file
You configure parameters in sections in a config file, and use a command parameter to identify which sections to use.
For the self-signed certificate I set up a section called ss_extensions:
[ ss_extensions ]
subjectKeyIdentifier = hash
# Note: there is a bug in Chrome where it does
# not accept certificates if basicConstraints
# is specified
# basicConstraints = CA:false
subjectAltName = DNS:localhost, IP:127.0.0.1
nsComment = "OpenSSL ColinClientSS28"
keyUsage = critical, keyEncipherment
extendedKeyUsage = critical, serverAuth
Create the self signed certificate
I set up a shell script to automate the tasks
Create the self signed certificate
openssl req -x509 -config openssl-client2.cnf -newkey rsa:2048 -out ss.pem -keyout ss.key.pem -subj "/C=GB/O=aaaa/CN=colinpaice" -extensions ss_extensions -passin file:password.file -passout file:password.file
- -x509 – output a self-signed certificate instead of a certificate request. Without a -days parameter the certificate is valid for 30 days.
- -config openssl-client2.cnf – the location of the openssl configuration file (see -extensions)
- -newkey rsa:2048 – generate a new 2048-bit RSA private key for the certificate
- -out ss.pem – where the certificate is stored
- -keyout ss.key.pem – where the private key is stored
- -subj "/C=GB/O=aaaa/CN=colinpaice" – this is the DN of the certificate. I used O=aaaa so it was at the top of any list of certificates
- -extensions ss_extensions – the config file section shown above
- -passin file:password.file -passout file:password.file – openssl reads its passwords from this file. The file has two lines, each with a password in it: because the same file is given to both options, openssl uses the first line as the input password and the second line as the output password, so the private key is encrypted with the password on line two.
Delete the old keystore
rm ssks.p12
Create the keystore and import the certificate
openssl pkcs12 -export -in ss.pem -inkey ss.key.pem -out ssks.p12 -name "server" -passin file:password.file -passout file:password.file
- pkcs12 -export – create a PKCS#12 keystore
- -in ss.pem -inkey ss.key.pem – the certificate and the private key that are put into the keystore
- -out ssks.p12 – this is the keystore used by mqweb
- -name "server" – this is the label given to the certificate in the keystore; it is the value of serverKeyAlias in the mqweb xml configuration
- -passin file:password.file -passout file:password.file – the password used to read the private key, and the password that protects the keystore. The keystore password is the one that goes in the password attribute of the keyStore element in mqwebuser.xml
Other commands I used to display information about the certificate
- openssl x509 -purpose -in ss.pem -inform PEM -nocert
- openssl x509 -in ss.pem -noout -ext subjectAltName
- openssl x509 -in ss.pem -noout -ext keyUsage
- openssl x509 -in ss.pem -noout -ext extendedKeyUsage
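The steps above, from writing the config file to checking what ended up in the keystore, as one script. This is an added example, not the script from the original post. It keeps the post's file names, DN and the ss_extensions section name, but assumes two one-line password files (key.pass for the private key, ks.pass for the keystore) instead of one two-line file, so neither step depends on openssl's same-file line rule; it adds -days, because req -x509 otherwise issues a 30-day certificate; and it adds digitalSignature to keyUsage, because with ECDHE key exchange (the TLS 1.2 default, and the only option in TLS 1.3) the server signs with its RSA key, which keyEncipherment alone does not permit.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate, key and PKCS#12
# steps as one script. Assumptions: the config section is still called
# ss_extensions, and the key password and keystore password live in two
# separate one-line files (key.pass, ks.pass) rather than one two-line file.
set -eu

CNF=${CNF:-openssl-client2.cnf}
KEYPASS=${KEYPASS:-key.pass}     # password that protects ss.key.pem
KSPASS=${KSPASS:-ks.pass}        # password of ssks.p12; goes in password= in mqwebuser.xml
CERT=${CERT:-ss.pem}
KEY=${KEY:-ss.key.pem}
KS=${KS:-ssks.p12}
SUBJ=${SUBJ:-/C=GB/O=aaaa/CN=colinpaice}
ALIAS=${ALIAS:-server}           # becomes serverKeyAlias in mqwebuser.xml
DAYS=${DAYS:-365}                # req -x509 defaults to 30 days if -days is omitted

# Write a minimal config. It differs from the post's ss_extensions in one
# place: digitalSignature is added, because with ECDHE key exchange the server
# signs with its RSA key, which keyEncipherment alone does not permit.
write_openssl_config() {
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = overridden-by-subj

[ ss_extensions ]
subjectKeyIdentifier = hash
# basicConstraints deliberately omitted, as in the post
subjectAltName = DNS:localhost, IP:127.0.0.1
nsComment = "OpenSSL ColinClientSS28"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
EOF
}

# One password per file, readable only by the owner.
write_password_file() {
  ( umask 077; printf '%s\n' "$2" >"$1" )
}

# -x509 turns the request into a self-signed certificate; -newkey makes the key.
make_self_signed() {
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -days "$DAYS" \
    -out "$CERT" -keyout "$KEY" -subj "$SUBJ" -extensions ss_extensions \
    -passout "file:$KEYPASS"
}

# Fresh keystore every run; -name is the label serverKeyAlias refers to.
make_keystore() {
  rm -f "$KS"
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$KS" -name "$ALIAS" \
    -passin "file:$KEYPASS" -passout "file:$KSPASS"
}

# What mqweb and the browser will see: subject, validity, SAN and key usages,
# then the certificate read back out of the keystore, so a keystore password
# mismatch shows up here rather than in messages.log.
show_cert() {
  openssl x509 -in "$CERT" -noout -subject -dates \
    -ext subjectAltName,keyUsage,extendedKeyUsage
  openssl pkcs12 -in "$KS" -nokeys -passin "file:$KSPASS" |
    openssl x509 -noout -fingerprint -sha256
}

main() {
  write_openssl_config "$CNF"
  [ -f "$KEYPASS" ] || write_password_file "$KEYPASS" "$(openssl rand -base64 18)"
  [ -f "$KSPASS" ] || write_password_file "$KSPASS" "$(openssl rand -base64 18)"
  make_self_signed
  make_keystore
  show_cert
}

# Usage: sh make-ss-keystore.sh run
if [ "${1:-}" = run ]; then main; fi
```

Whatever ends up in ks.pass is the value for the password attribute of the keyStore element in mqwebuser.xml. If mqweb then logs CWPKI0033E with "keystore password was incorrect" although the password is right, and the keystore was written by OpenSSL 3, the usual cause is that the JRE cannot read OpenSSL 3's default PKCS#12 encryption; re-running the pkcs12 -export step with -legacy produces a keystore older JREs accept.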
Update the mqweb configuration file, mqwebuser.xml
<keyStore id="defaultKeyStore" location="/home/colinpaice/ssl/ssks.p12" type="pkcs12" password="password"/>
<!-- this is used for authentication with user certificates
<keyStore id="defaultTrustStore" location="/home/colinpaice/ssl/key.jks" type="JKS" password="zpassword"/>
-->
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" serverKeyAlias="server"
     clientAuthentication="false" clientAuthenticationSupported="false" />
<!-- trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" -->
Stop mqweb
/opt/mqm/bin/endmqweb
Start mqweb
/opt/mqm/bin/strmqweb
Check /var/mqm/web/installations/Installation1/servers/mqweb/logs/messages.log for errors. A wrong keystore password, for example, gives a message like
[14/01/20 09:12:15:730 GMT] 00000024 com.ibm.ws.ssl.config.WSKeyStore E CWPKI0033E: The keystore located at /home/colinpaice/ssl/ssks.p12 did not load because of the following error: keystore password was incorrect.
Import it into Chrome
If you do not import it into the web browser, the web browser will complain and give you the option to accept it as untrusted. If this is just a test system this may be acceptable. If you want to be able to trust the web server, you need to import the certificate into the browser’s keystore, as trusted.
I have several profiles for Chrome. At one point it hiccupped and created a new profile.
Find the keystore
In Chrome use the url chrome://version/ this gives the profile path, for example /home/colinpaice/snap/chromium/986/.config/chromium/Default
Remove the old certificate
certutil -D -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb -n server
- certutil -D – delete the certificate
- -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb – from this keystore directory
- -n server with this name
Add the new certificate
certutil -A -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb -t "P,," -n server -i ss.pem
- certutil -A – add a certificate
- -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb – into this keystore directory
- -t "P,," – give it these trust flags. The three comma-separated positions are SSL, S/MIME and code signing.
- P in the SSL position says Trusted Peer certificate. The certificate appears in Chrome under "Servers"
- -n server – with this name
- -i ss.pem – and this certificate
Tell Chrome to pickup the changes
Use the url chrome://restart to restart chrome
Try using it
Use a url like https://127.0.0.1:9443/ibmmq/console/
You should get the IBM MQ Console login page
Certificates in Chrome
You can import certificates without using the certutil command.
You can display the certificates in Chrome using the url chrome://settings/certificates .
If you click on “Your certificates” or “Servers”, and then click on import, you can import a certificate.
I selected the directory, and then the ss.pem file. The certificate ended up in “Others” under
org-aaaa
- UNTRUSTED colinpaice
Use the url chrome://restart to restart chrome
Use a url like https://127.0.0.1:9443/ibmmq/console/
This gave me the “Your connection is not private”, NET::ERR_CERT_AUTHORITY_INVALID.
The only way I found of making it trusted was to use the certutil command
certutil -L -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb
This listed the certificates in the store. The one I had just added was colinpaice #2
certutil -M -d sql:/home/colinpaice/snap/chromium/986/.pki/nssdb -n "colinpaice #2" -t P,,
This modifies the certificate to be a Trusted Peer. Restart Chrome, and the certificate appeared in the “Servers” section.
Using the mqweb url now worked successfully
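The certutil steps above (remove, add with P,,, restart) and the -L / -M repair of a certificate imported through the Chrome settings page, as one script that can be re-run without caring whether the nickname already exists. This is an added example, not from the original post. It assumes that Chrome's NSS database is the .pki/nssdb directory that sits beside the .config directory chrome://version shows, which is true for the snap path in the post and for a plain ~/.config/chromium or ~/.config/google-chrome profile.

```shell
#!/bin/sh
# Added example, not from the original post: the certutil steps made
# repeatable. Assumption: Chrome's NSS database is the .pki/nssdb that sits
# beside the .config directory shown by chrome://version.
set -eu

# /home/me/snap/chromium/986/.config/chromium/Default
#   -> sql:/home/me/snap/chromium/986/.pki/nssdb
nss_db_from_profile() {
  printf 'sql:%s/.pki/nssdb\n' "${1%%/.config/*}"
}

# Read `certutil -L -d DB` output on stdin and print the trust flags of one
# nickname (the last column, e.g. "P,,"). Exit 1 when the nickname is absent.
trust_flags_for() {
  awk -v nick="$1" '
    NR > 1 {                               # line 1 is the column header
      flags = $NF
      $NF = ""; sub(/[ \t]+$/, "", $0)     # what is left is the nickname
      if ($0 == nick) { print flags; found = 1 }
    }
    END { if (!found) exit 1 }'
}

# Prove the entry really carries P in the SSL position before restarting Chrome.
nss_check_peer() {
  flags=$(certutil -L -d "$1" | trust_flags_for "$2")
  case $flags in
    P*) echo "$2: trust flags $flags" ;;
    *)  echo "$2: trust flags are '$flags', expected P,," >&2; return 1 ;;
  esac
}

# Trust PEM as a peer server certificate under NICK: drop any stale entry with
# that nickname (ignore the error if there is none), add the new one, check it.
nss_trust_peer() {
  db=$1 nick=$2 pem=$3
  certutil -D -d "$db" -n "$nick" 2>/dev/null || true
  certutil -A -d "$db" -n "$nick" -t 'P,,' -i "$pem"
  nss_check_peer "$db" "$nick"
}

# A certificate imported through chrome://settings/certificates lands in
# "Others" as untrusted; only its trust flags need changing (certutil -M).
nss_mark_peer() {
  certutil -M -d "$1" -n "$2" -t 'P,,'
  nss_check_peer "$1" "$2"
}

# Usage: sh trust-in-chrome.sh run PROFILE-DIR-FROM-chrome://version [NICK] [PEM]
# then chrome://restart so Chrome rereads the database.
if [ "${1:-}" = run ]; then
  nss_trust_peer "$(nss_db_from_profile "$2")" "${3:-server}" "${4:-ss.pem}"
fi
```

The check after each change is the point of the script: certutil -A with the wrong -t, or an import through the settings page, leaves the certificate in the database with ",," flags and Chrome still reports NET::ERR_CERT_AUTHORITY_INVALID, so reading the flags back catches that before the browser restart.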
It's really good stuff, thanks a lot Colin! keep up sharing with the crowd 🙂