Given below are the steps to enable SSL between a queue manager (QM) and MQ Explorer.
MQ Qmgr:
Create a QM Key database file:
gsk7cmd -keydb -create -db "/var/mqm/qmgrs/key.kdb" -pw password -type cms -expire 365 -stash
Create a CA database file:
gsk7cmd -keydb -create -db "/var/mqm/qmgrs/mqcm.kdb" -pw password -type cms -expire 365 -stash
Create CA cert:
gsk7cmd -cert -create -db "/var/mqm/qmgrs/mqcm.kdb" -pw password -label webspheremqseries -dn "CN=WMQ CA,OU=WMQ,O=MQ,L=BLR,ST=KA,C=IN" -expire 365
Extract CA cert:
gsk7cmd -cert -extract -db "/var/mqm/qmgrs/mqcm.kdb" -pw password -label webspheremqseries -target /var/mqm/mqcm.crt -format ascii
Add CA cert to QM repository:
gsk7cmd -cert -add -db "/var/mqm/qmgrs/key.kdb" -pw password -label wmqca -file /var/mqm/mqcm.crt -format ascii
Create Certificate Request:
gsk7cmd -certreq -create -db "/var/mqm/qmgrs/key.kdb" -pw password -label ibmwebspheremqCLOUD2 -dn "CN=mqseries,OU=WMQ,O=MQ,L=BLR,ST=KA,C=IN" -file "/var/mqm/CLOUD2.arm"
Sign Certificate:
gsk7cmd -cert -sign -file "/var/mqm/CLOUD2.arm" -db "/var/mqm/qmgrs/mqcm.kdb" -pw password -label webspheremqseries -target "/var/mqm/cloud2cert1.arm" -format ascii -expire 340
Receive Signed cert:
gsk7cmd -cert -receive -db "/var/mqm/qmgrs/key.kdb" -pw password -file "/var/mqm/cloud2cert1.arm" -format ascii
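Set the queue manager's key repository (SSLKEYR is the path to key.kdb without the .kdb extension):
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/key')
Alter the channel you use for MQ Explorer:
ALTER CHANNEL(SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TRIPLE_DES_SHA_US)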
On MQ EXPLORER:
Copy the key.kdb and mqcm.crt files to the Windows box, into C:\Program Files\IBM.
Create a key Database file:
gsk7cmd -keydb -create -db "C:\Program Files\IBM\exp.jks" -pw password -type jks
Add CA cert to database:
gsk7cmd -cert -add -db "C:\Program Files\IBM\exp.jks" -pw password -label webspheremqseries -file "C:\Program Files\IBM\mqcm.crt" -format ascii
Create a certificate request:
gsk7cmd -certreq -create -db "C:\Program Files\IBM\exp.jks" -pw password -label explorer -dn "CN=MQ,OU=WMQ,O=MQ,L=BLR,ST=KA,C=IN" -file "C:\Program Files\IBM\expreq1.arm"
Sign the cert:
gsk7cmd -cert -sign -file "C:\Program Files\IBM\expreq1.arm" -db "C:\Program Files\IBM\mqcm.kdb" -pw password -label webspheremqseries -target "C:\Program Files\IBM\expcert1.arm" -format ascii -expire 340
Receive the cert:
gsk7cmd -cert -receive -db "C:\Program Files\IBM\exp.jks" -pw password -file "C:\Program Files\IBM\expcert1.arm" -format ascii
When connecting to a remote queue manager from MQ Explorer, select the SSLCIPH value TRIPLE_DES_SHA_US and the key database file you created in the steps above.
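A pre-flight check for the queue manager steps above, added here as an example and not part of the original post: it walks a list of gsk7cmd commands in order, reports any key database or file that a step reads but no earlier step created, and checks that SSLKEYR names a created .kdb without its extension. The command list is a constructed, shortened sample (passwords, labels and DNs omitted) with a deliberately mismatched CA file name; `check_runbook` and `IO` are hypothetical names.

```python
import shlex

# gsk7cmd action -> (options naming files the step reads, options naming files it creates)
IO = {
    ("-keydb", "-create"):   ((), ("-db",)),
    ("-cert", "-create"):    (("-db",), ()),
    ("-cert", "-extract"):   (("-db",), ("-target",)),
    ("-cert", "-add"):       (("-db", "-file"), ()),
    ("-certreq", "-create"): (("-db",), ("-file",)),
    ("-cert", "-sign"):      (("-db", "-file"), ("-target",)),
    ("-cert", "-receive"):   (("-db", "-file"), ()),
}

def check_runbook(commands, sslkeyr):
    """Return the problems that would surface if the commands ran in order."""
    existing, problems = set(), []
    for n, line in enumerate(commands, 1):
        words = shlex.split(line)
        reads, creates = IO[(words[1], words[2])]
        # Map each path-carrying option to the value that follows it.
        opts = {w: words[i + 1] for i, w in enumerate(words[:-1])
                if w in ("-db", "-file", "-target")}
        for opt in reads:
            if opts[opt] not in existing:
                problems.append(f"step {n}: {opt} {opts[opt]} was never created")
        existing.update(opts[o] for o in creates)
    if sslkeyr.endswith(".kdb"):
        problems.append("SSLKEYR must omit the .kdb extension")
    elif sslkeyr + ".kdb" not in existing:
        problems.append(f"SSLKEYR {sslkeyr}: no {sslkeyr}.kdb was created")
    return problems

# Constructed sample: the CA cert is extracted as cert.crt but added as ca.crt.
SAMPLE = [
    'gsk7cmd -keydb -create -db "/var/mqm/qmgrs/key.kdb" -type cms -stash',
    'gsk7cmd -keydb -create -db "/var/mqm/qmgrs/mqcm.kdb" -type cms -stash',
    'gsk7cmd -cert -create -db "/var/mqm/qmgrs/mqcm.kdb"',
    'gsk7cmd -cert -extract -db "/var/mqm/qmgrs/mqcm.kdb" -target /var/mqm/cert.crt',
    'gsk7cmd -cert -add -db "/var/mqm/qmgrs/key.kdb" -file /var/mqm/ca.crt',
    'gsk7cmd -certreq -create -db "/var/mqm/qmgrs/key.kdb" -file "/var/mqm/CLOUD2.arm"',
    'gsk7cmd -cert -sign -file "/var/mqm/CLOUD2.arm" -db "/var/mqm/qmgrs/mqcm.kdb"'
    ' -target "/var/mqm/cloud2cert1.arm"',
    'gsk7cmd -cert -receive -db "/var/mqm/qmgrs/key.kdb" -file "/var/mqm/cloud2cert1.arm"',
]

if __name__ == "__main__":
    for problem in check_runbook(SAMPLE, "/var/mqm/key"):
        print(problem)
```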