Setting up TLS for MQ – with your own Certificate authority using iKeyman

When doing some TLS testing, I struggled to set up my keystores and certificates using the IBM tool iKeyman. Here is a short list of the commands I used.

Background

  1. The IBM certificate management tool stores certificates and keys in a keystore.
  2. This has a password – but the password can be stashed in a file, so programs such as MQ can read the keystore without prompting. The stashed password is only weakly protected, so you need to protect the stash file to stop unauthorized users from getting access to it. You might want to use cryptographic hardware to store the information instead.
  3. To get a certificate for your channel (client in my case) you create a certificate request and send it to a Certificate Authority (CA), which signs it. The signed certificate is sent back to you.
  4. You typically have another certificate for your queue manager(s).
  5. To create your own CA for testing you can create a self-signed certificate and use that; if you want to use it externally, you need to get it signed by a proper CA.

See the IBM documentation for a description of the runmqckm commands and options.

  • Your CA needs a keystore – this could be on a remote machine. I’ll use CA.kdb
    • /opt/mqm/bin/runmqckm -keydb -create -db CA.kdb -pw zpassword -type cms
  • Your MQ channels need a keystore accessible from the queue manager. I’ll use key.kdb.
    • /opt/mqm/bin/runmqckm -keydb -create -db key.kdb -pw zpassword -type cms
  • Create your CA certificate (self-signed) in the CA database
    • /opt/mqm/bin/runmqckm -cert -create -db CA.kdb -pw zpassword -label CACERT -dn "CN=CACert,O=SSS"
  • You need to extract this from the CA.kdb keystore to add it to the key.kdb keystore
    • /opt/mqm/bin/runmqckm -cert -extract -db CA.kdb -pw zpassword -label CACERT -target CA.arm
  • Send the CA.arm file to the system where MQ is running.
  • Add this file to the  key.kdb keystore.
    • /opt/mqm/bin/runmqckm -cert -add -db key.kdb -pw zpassword -label CACERT -file CA.arm -format ascii
  • Create a client certificate request on the MQ machine.
    • /opt/mqm/bin/runmqckm -certreq -create -db key.kdb -pw zpassword -label mycert -dn "CN=MQChannel,o=SSS" -file mycertA.arm
  • Send file mycertA.arm to the CA machine.
  • On the CA machine, use the CA to sign the certificate request mycertA.arm from the MQ machine and create mySignedCert.arm
    • /opt/mqm/bin/runmqckm -cert -sign -db CA.kdb -pw zpassword -label CACERT -file mycertA.arm -target mySignedCert.arm
  • Send mySignedCert.arm back to the MQ machine.
  • Receive the signed client certificate back into the MQ keystore
    • /opt/mqm/bin/runmqckm -cert -receive -db key.kdb -pw zpassword -file mySignedCert.arm
  • Optional – make this the default.
    • /opt/mqm/bin/runmqckm -cert -setdefault -db key.kdb -pw zpassword -label mycert
  • Optional – list what is in the keystore
    • /opt/mqm/bin/runmqckm -cert -list -db key.kdb -pw zpassword
  • Optional – show details about the certificate
    • /opt/mqm/bin/runmqckm -cert -details -db key.kdb -pw zpassword -label mycert
  • ___________________________________
  • Create a certificate request for the queue manager, and get it signed (as above)
    • /opt/mqm/bin/runmqckm -certreq -create -db key.kdb -pw zpassword -label QMBQMGR -dn "CN=QMBQMGR,o=SSS" -file qmbqmgr.arm
  • Send it to the CA machine
  • Sign it
    • /opt/mqm/bin/runmqckm -cert -sign -db CA.kdb -pw zpassword -label CACERT -file qmbqmgr.arm -target qmbqmgrsigned.arm
  • Send the completed certificate back to the originator
  • Receive the signed queue manager certificate back into the MQ keystore
    • /opt/mqm/bin/runmqckm -cert -receive -db key.kdb -pw zpassword -file qmbqmgrsigned.arm
  • _______________________________
  • Optional – if you forgot to specify -stash when you created the keystore, you can do it later.
    • /opt/mqm/bin/runmqckm -keydb -stashpw -db key.kdb -pw zpassword
  • _______________________________
  • Configure the queue manager to use these definitions
    • alter qmgr SSLKEYR('…key') – don’t forget the quotes, and give the fully qualified path to the keystore without the .kdb extension
    • alter qmgr CERTLABL(QMBQMGR) – the label from the queue manager certificate request above
    • alter chl(..) chltype(SVRCONN) CERTLABL('mycert')
    • alter chl(..) chltype(CLNTCONN) CERTLABL('mycert')
  • Configure your client, mqclient.ini to specify
    • SSL:
      • SSLKeyRepository=…/key
      • CertificateLabel=mycert
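The Background section points out that the stashed keystore password is weakly protected and the file must be kept away from other users. The following check is an added example, not part of the original post: a POSIX shell function that inspects the files a CMS keystore consists of (the .kdb plus its .rdb/.crl companions and the .sth stash file written by -stashpw) and reports any that are group- or world-accessible. The base path, the 0600 target mode and the file list are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check that a CMS keystore and its
# stash file are readable only by their owner (the mqm user in a real install).
# Argument: keystore path without extension, as given to SSLKEYR,
# e.g. check_keystore_perms /var/mqm/qmgrs/QMB/ssl/key
# Returns the number of files with unsafe permissions (0 = all good).
check_keystore_perms() {
    base="$1"
    bad=0
    for ext in kdb sth rdb crl; do
        f="$base.$ext"
        # .rdb/.crl are optional, and .sth only exists after -stash/-stashpw
        [ -e "$f" ] || continue
        # octal mode: 'stat -c' on GNU/Linux, 'stat -f' on BSD/macOS
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        # keep the last three digits (setuid/sticky bits may add a fourth)
        mode=$(printf '%s' "$mode" | tail -c 3)
        group=$(printf '%s' "$mode" | cut -c2)
        other=$(printf '%s' "$mode" | cut -c3)
        if [ "$group" != "0" ] || [ "$other" != "0" ]; then
            echo "WARN: $f is mode $mode; expected 600 (chmod 600 '$f')" >&2
            bad=$((bad + 1))
        fi
    done
    if [ ! -e "$base.sth" ]; then
        echo "NOTE: no stash file $base.sth; the queue manager cannot open the keystore without it (run runmqckm -keydb -stashpw)" >&2
    fi
    return $bad
}
```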