Twister is a game where you put your left foot here, your left hand there, your right foot here, and in trying to put your right hand over there you fall over. This is how I felt when I was trying to understand the SSL definitions in MQWEB. In the end I printed off the definitions and used coloured pens to mark the relevant data.
Let’s start with the easy bit.
- When mqweb starts, it reads configuration information from a file, server.xml.
- This includes two files: the “IBM” stuff in /usr/lpp/mqm/V9R1M1/web/mq/etc/mqweb.xml and the user stuff in /u/mqweb/servers/mqweb/mqwebuser.xml.
- SSL parameters are defined with an <ssl id="thisSSLConfig" keyStoreRef="defaultKeyStore" ... /> tag. The keyStoreRef points to the keystore to use.
- The keystore has <keyStore id="defaultKeyStore" ... />. There is a simple link from the ssl definition to the keystore. You could have multiple keystores; if so, you just change keyStoreRef= to point to a different one.
- You can have more than one <ssl ... /> definition. You might have one, and there is one in the “IBM stuff”, so you need <sslDefault sslRef="thisSSLConfig"/> to point to the ssl statement to use.
That should all be clear, and make sense. A bit like saying you have a right foot, a left foot and two hands.
The zos_saf_registry.xml used when you want to use the SAF interface on z/OS has some SSL definitions. I was trying to understand them. This one here (put a finger on it) points to that one (put a finger on it), which points to this other one (put a finger on it), which has an end-comment. Whoops, that didn’t work. As I said, a bit like playing Twister.
<sslDefault sslRef="mqDefaultSSLConfig"/> in the user mqwebuser.xml points to content in the “IBM stuff”. Through the various levels of indirection this ends up at <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>. This keystore holds a self-signed certificate provided by IBM. If your browser complains about a self-signed certificate, this may well be the cause.
In the zos_saf_registry.xml there are commented-out statements:
- <keyStore id="defaultKeyStore" location="safkeyring://userId/keyring" ... />
- <ssl id="thisSSLConfig" keyStoreRef="defaultKeyStore" ... />
- <sslDefault sslRef="thisSSLConfig"/>
To me these have been defined upside down; sslDefault should come first.
As these come after the <sslDefault sslRef="mqDefaultSSLConfig"/> statement, if you uncomment them they will be picked up and the “IBM stuff” will not be processed.
You can uncomment these statements and use them to add your definitions.
My definitions are:

```xml
<sslDefault sslRef="defaultSSLConfig"/>
<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore" sslProtocol="TLSv1.2"
     clientAuthenticationSupported="true" clientAuthentication="true"
     serverKeyAlias="LABELMQWEBHSCEKE"/>
<keyStore filebased="false" id="racfKeyStore" location="safkeyring://START1/MQRING"
          password="password" readOnly="true" type="JCERACFKS"/>
<webAppSecurity allowFailOverToBasicAuth="false"/>
```
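The chain above (sslDefault points at an ssl id, the ssl points at a keyStore id, and a later statement replaces an earlier one) is easy to walk with a small script. The following is an added example, not code from the post or from IBM: it merges constructed stand-ins for the “IBM stuff” and for a user file, follows the references, and reports which keystore is actually in effect. It assumes that when the same element (same tag and id, or the single sslDefault) appears more than once, the later definition wins with its attributes merged over the earlier one; the stand-in mqweb.xml content and the check for the IBM-supplied key.jks are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the "IBM stuff" (mqweb.xml): an <ssl> that points at
# the IBM-supplied JKS keystore holding a self-signed certificate.
IBM_XML = """<server>
  <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
  <ssl id="mqDefaultSSLConfig" keyStoreRef="defaultKeyStore"/>
</server>"""

# Constructed user file as shipped: it only points back at the IBM definition.
USER_XML_SHIPPED = """<server>
  <sslDefault sslRef="mqDefaultSSLConfig"/>
</server>"""

# The shipped sslDefault followed by the post's own definitions, so the later
# sslDefault overrides the earlier one (the situation the post describes).
USER_XML_SAF = """<server>
  <sslDefault sslRef="mqDefaultSSLConfig"/>
  <sslDefault sslRef="defaultSSLConfig"/>
  <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore" sslProtocol="TLSv1.2"
       clientAuthenticationSupported="true" clientAuthentication="true"
       serverKeyAlias="LABELMQWEBHSCEKE"/>
  <keyStore filebased="false" id="racfKeyStore" location="safkeyring://START1/MQRING"
            password="password" readOnly="true" type="JCERACFKS"/>
</server>"""


def merge_config(*fragments):
    """Merge XML fragments in the order mqweb reads them.
    Assumption: elements with the same tag and id are merged with later
    attributes winning; sslDefault has no id and so is a singleton."""
    merged = {}
    for text in fragments:
        for elem in ET.fromstring(text):
            key = (elem.tag, elem.get("id"))
            merged.setdefault(key, {}).update(elem.attrib)
    return merged


def resolve_ssl(config):
    """Follow sslDefault -> ssl -> keyStore.
    Returns (effective, findings): effective is None if the chain is broken;
    findings lists anything a reviewer of the configuration would want to see."""
    default = config.get(("sslDefault", None))
    if default is None:
        return None, ["no <sslDefault> statement found"]
    ssl_id = default.get("sslRef")
    ssl = config.get(("ssl", ssl_id))
    if ssl is None:
        return None, [f"sslDefault points at ssl id '{ssl_id}' which is not defined"]
    ks_id = ssl.get("keyStoreRef")
    ks = config.get(("keyStore", ks_id))
    if ks is None:
        return None, [f"ssl '{ssl_id}' points at keyStore id '{ks_id}' which is not defined"]

    findings = []
    location = ks.get("location", "")
    if location.startswith("safkeyring://"):
        # Assumption: a SAF keyring needs one of the RACF keystore types.
        if ks.get("type") not in ("JCERACFKS", "JCECCARACFKS"):
            findings.append(f"keyStore '{ks_id}' is a SAF keyring but type is {ks.get('type')}")
    elif location == "key.jks" and ks.get("password") == "password":
        findings.append(
            f"keyStore '{ks_id}' is the IBM-supplied key.jks: browsers will see a self-signed certificate")

    effective = {
        "ssl": ssl_id,
        "keyStore": ks_id,
        "location": location,
        "type": ks.get("type"),
        "sslProtocol": ssl.get("sslProtocol"),
        "clientAuthentication": ssl.get("clientAuthentication"),
    }
    return effective, findings


if __name__ == "__main__":
    for name, user in (("shipped", USER_XML_SHIPPED), ("SAF", USER_XML_SAF)):
        effective, findings = resolve_ssl(merge_config(IBM_XML, user))
        print(name, "->", effective)
        for f in findings:
            print("   ", f)
```

Run against the shipped user file the script lands on key.jks and reports the self-signed keystore; with the post's definitions appended, the second sslDefault wins and the chain ends at safkeyring://START1/MQRING with no findings. Feeding it the real mqweb.xml and mqwebuser.xml in that order, wrapped in a single <server> element each, is the same walk with coloured pens replaced by a dictionary lookup.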