Below are the steps to enable SSL on two queue managers, QM1 and QM2, using a point-to-point connection (one sender/receiver channel pair).
Create QM1's key repository:
gsk7cmd -keydb -create -db "/opt/IBM/Qmgrs/QM1/ssl/qm1.kdb" -pw MyPassword -type cms -expire 30 -stash
Create QM2's key repository:
gsk7cmd -keydb -create -db "/opt/IBM/Qmgrs/QM2/ssl/qm2.kdb" -pw MyPassword -type cms -expire 30 -stash
Create the CA repository:
gsk7cmd -keydb -create -db "/opt/mq/ssl/wmqca.kdb" -pw MyPassword -type cms -expire 30 -stash
Create the CA certificate:
gsk7cmd -cert -create -db "/opt/mq/ssl/wmqca.kdb" -pw MyPassword -label wmqca -dn "CN=WMQ CA, OU=WMQ, O=Abhijeet, L=Chelmsford, ST=Essex, C=UK" -expire 30
Extract the public CA certificate:
gsk7cmd -cert -extract -db "/opt/mq/ssl/wmqca.kdb" -pw MyPassword -label wmqca -target wmqca.crt -format ascii
Add the public CA certificate to QM1's key repository:
gsk7cmd -cert -add -db "/opt/IBM/Qmgrs/QM1/ssl/qm1.kdb" -pw MyPassword -label wmqca -file wmqca.crt -format ascii
Add the public CA certificate to QM2's key repository:
gsk7cmd -cert -add -db "/opt/IBM/Qmgrs/QM2/ssl/qm2.kdb" -pw MyPassword -label wmqca -file wmqca.crt -format ascii
Create QM1's certificate request (the label must be ibmwebspheremq followed by the queue manager name in lower case):
gsk7cmd -certreq -create -db "/opt/IBM/Qmgrs/QM1/ssl/qm1.kdb" -pw MyPassword -label ibmwebspheremqqm1 -dn "CN=QM1, OU=WMQ, O=Abhijeet, L=Chelmsford, ST=Essex, C=UK" -file qm1req.arm
Create QM2's certificate request:
gsk7cmd -certreq -create -db "/opt/IBM/Qmgrs/QM2/ssl/qm2.kdb" -pw MyPassword -label ibmwebspheremqqm2 -dn "CN=QM2, OU=WMQ, O=Abhijeet, L=Chelmsford, ST=Essex, C=UK" -file qm2req.arm
Sign QM1's certificate with the CA:
gsk7cmd -cert -sign -file qm1req.arm -db "/opt/mq/ssl/wmqca.kdb" -pw MyPassword -label wmqca -target qm1cert.arm -format ascii -expire 29
Sign QM2's certificate with the CA:
gsk7cmd -cert -sign -file qm2req.arm -db "/opt/mq/ssl/wmqca.kdb" -pw MyPassword -label wmqca -target qm2cert.arm -format ascii -expire 29
Receive QM1's signed certificate into QM1's key repository:
gsk7cmd -cert -receive -db "/opt/IBM/Qmgrs/QM1/ssl/qm1.kdb" -pw MyPassword -file qm1cert.arm -format ascii
Receive QM2's signed certificate into QM2's key repository:
gsk7cmd -cert -receive -db "/opt/IBM/Qmgrs/QM2/ssl/qm2.kdb" -pw MyPassword -file qm2cert.arm -format ascii
Set QM1's queue manager key repository in runmqsc (the path is given without the .kdb extension):
ALTER QMGR SSLKEYR('/opt/IBM/Qmgrs/QM1/ssl/qm1')
Set QM2's queue manager key repository in runmqsc:
ALTER QMGR SSLKEYR('/opt/IBM/Qmgrs/QM2/ssl/qm2')
Define the sender channel on QM1:
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) DESCR('Sender channel to QM2') XMITQ(QM2) CONNAME('Myhost(1415)') SSLCIPH(TRIPLE_DES_SHA_US)
Define the receiver channel on QM2 (it must have the same name and the same SSLCIPH as the sender):
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) DESCR('Receiver channel from QM1') SSLCIPH(TRIPLE_DES_SHA_US)
End of story: you now have an SSL-protected point-to-point connection. In the real world your CA will be an external provider and you may have to liaise with an external team to get the certificates signed.
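Two parts of the procedure above are easy to get wrong when the commands are copied from one queue manager to the other: the certificate label in the certreq step, which MQ expects to be ibmwebspheremq followed by the queue manager name in lower case, and the channel pair, where the receiver must carry the sender's name and the same SSLCIPH. The following checker is an added example written for this post, not code from the post or from IBM MQ. It parses MQSC DEFINE CHANNEL statements and the -label option of a gsk7cmd line and reports those mismatches; the sample definitions are constructed, and treating the 3DES-based TRIPLE_DES_SHA_US CipherSpec as weak is this example's own choice.

```python
"""Consistency checks for an SSL-enabled MQ sender/receiver channel pair.

Added example, not code from the original post or from IBM MQ. It parses MQSC
DEFINE CHANNEL statements and the gsk7cmd -label option and reports the
mistakes that most often stop an SSL channel pair from starting: a receiver
whose name differs from the sender, SSLCIPH set on one end only or set
differently, a 3DES-based CipherSpec, and a certificate label that does not
follow the 'ibmwebspheremq<qmgr in lower case>' convention.
"""
import re
from typing import Dict, List

# ATTR(value) or ATTR('quoted value'); quoted values may contain ')', e.g. CONNAME('host(1415)')
ATTR_RE = re.compile(r"(\w+)\((?:'((?:[^']|'')*)'|([^)]*))\)")

# CipherSpecs built on 3DES (64-bit block, Sweet32 class); assumption: treated as weak here
WEAK_CIPHERSPECS = {"TRIPLE_DES_SHA_US"}


def parse_define_channel(line: str) -> Dict[str, str]:
    """Return {ATTRIBUTE: value} for one MQSC DEFINE CHANNEL statement."""
    if not line.strip().upper().startswith("DEFINE CHANNEL"):
        raise ValueError("not a DEFINE CHANNEL statement: " + line)
    attrs: Dict[str, str] = {}
    for name, quoted, bare in ATTR_RE.findall(line):
        value = quoted.replace("''", "'") if quoted else bare
        attrs[name.upper()] = value.strip()
    return attrs


def expected_cert_label(qmgr: str) -> str:
    """Label MQ looks up in the key repository: 'ibmwebspheremq' + queue manager name, lower case."""
    return "ibmwebspheremq" + qmgr.lower()


def check_cert_label(qmgr: str, gsk7cmd_line: str) -> List[str]:
    """Check the -label of a gsk7cmd -certreq -create line against the MQ naming convention."""
    m = re.search(r"-label\s+(\S+)", gsk7cmd_line)
    if not m:
        return [f"{qmgr}: gsk7cmd line has no -label option"]
    if m.group(1) != expected_cert_label(qmgr):
        return [f"{qmgr}: label '{m.group(1)}' should be '{expected_cert_label(qmgr)}'"]
    return []


def check_channel_pair(definitions: Dict[str, List[str]]) -> List[str]:
    """definitions maps queue manager name -> its DEFINE CHANNEL statements.

    Returns findings for every SDR channel; an empty list means the pair is consistent."""
    channels = {}  # (qmgr, channel name) -> attrs
    for qmgr, lines in definitions.items():
        for line in lines:
            attrs = parse_define_channel(line)
            channels[(qmgr, attrs["CHANNEL"])] = attrs

    findings: List[str] = []
    for (qmgr, name), sdr in channels.items():
        if sdr.get("CHLTYPE") != "SDR":
            continue
        sdr_ciph = sdr.get("SSLCIPH", "")
        if sdr_ciph in WEAK_CIPHERSPECS:
            findings.append(f"{name}: {sdr_ciph} is 3DES-based; prefer an AES CipherSpec")
        if "XMITQ" not in sdr:
            findings.append(f"{qmgr}/{name}: sender channel has no XMITQ")
        # The receiver must carry exactly the same channel name as the sender
        partners = [(q, a) for (q, n), a in channels.items()
                    if n == name and q != qmgr and a.get("CHLTYPE") == "RCVR"]
        if not partners:
            findings.append(f"{qmgr}/{name}: no RCVR channel named {name} on any other queue manager")
            continue
        remote, rcvr = partners[0]
        rcvr_ciph = rcvr.get("SSLCIPH", "")
        if not sdr_ciph or not rcvr_ciph:
            missing_on = qmgr if not sdr_ciph else remote
            findings.append(f"{name}: SSLCIPH missing on {missing_on}; link is not SSL-protected")
        elif sdr_ciph != rcvr_ciph:
            findings.append(f"{name}: SSLCIPH mismatch ({qmgr}={sdr_ciph}, {remote}={rcvr_ciph})")
    return findings


# Constructed sample: receiver named differently from the sender, 3DES CipherSpec
MISMATCHED = {
    "QM1": ["DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) DESCR('Sender channel to QM2') "
            "XMITQ(QM2) CONNAME('Myhost(1415)') SSLCIPH(TRIPLE_DES_SHA_US)"],
    "QM2": ["DEFINE CHANNEL(QM2.TO.QM1) CHLTYPE(RCVR) TRPTYPE(TCP) DESCR('Receiver channel from QM1') "
            "SSLCIPH(TRIPLE_DES_SHA_US)"],
}

# Constructed sample: matching names and the same AES CipherSpec on both ends
CONSISTENT = {
    "QM1": ["DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) XMITQ(QM2) "
            "CONNAME('Myhost(1415)') SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)"],
    "QM2": ["DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)"],
}

if __name__ == "__main__":
    for title, defs in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        print(title, check_channel_pair(defs) or ["OK"])
    # A QM2 request created with QM1's label, as happens when the command is copied across
    print(check_cert_label("QM2", "gsk7cmd -certreq -create -db qm2.kdb -label ibmwebspheremqqm1 -file qm2req.arm") or ["OK"])
```

Run it against the output of DISPLAY CHANNEL(*) ALL from each queue manager before starting the channel: a name or SSLCIPH mismatch found here is cheaper to fix than one diagnosed from channel error logs after the start fails.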