Configure SSL/TLS on IBM MQ Queue Managers

Adil Abdullah
4 min readSep 13, 2022

Grant authority to one or more groups or users to authorize them to utilize the queue either read or write.

  1. Creation of group from Computer management.

For our demo purpose we have inserted the Guest user into MQCLIENT group.

2. Queue Authorization:

a) Authorize MQCLIENT group to get connect with MQ:

setmqaut -m IIB9NodeQMngr -t qmgr -g mqclient +connect +inq +dsp

b) Authorize MQCLIENT group to put request in MQ:

setmqaut -m IIB9NodeQMngr -g mqclient -n BULK.IBMX.REQUEST -t queue -all +put +inq +setall

c) Authorize MQCLIENT group to Inquire with MQ

setmqaut -m IIB9NodeQMngr -g mqclient -n BULK.IBMX.RESPONSE -t queue -all +get +inq +setall

Queue connectivity configuration with SSL:

Windows systems, digital certificates are stored in a key database file. These digital certificates have labels. A specific label associates a personal certificate with a queue manager or IBM MQ MQI client.

  1. MQ Server Key Database (KDB) file creation:

2. Add Signer Certificate in MQ Server Keys

ibmwebspheremq<QueueManagerName> [all characters in lower case]

e.g. MQ Server Name = iib9qm01 then key label = “ibmwebspheremqiib9qm01”

3. Add MQ Server Certificate in Trust store(JKBS) with same label.

Note: MQ related executable files exists at “C:\Program Files (x86)\IBM\WebSphere MQ\bin” , these can be run from IIB console

Console Commands:
runmqsc IIB9QM01

DISPlAY QMGR

Below properties are important for SSL authentication:

· QMNAME(IIB9QM01)

· CHLAUTH(ENABLED)

· SSLFIPS(NO)

4. Set SSL Key repository in MQ properties:

SSLKEYR(C:\mqssl\mqkey)

Note:Whenever change the authentication against MQ then required to refresh or restart websphere.

Console Commands:

REFRESH SECURITY(*)

SSL Configuration on WebSphere MQ 7.5

SSL configuration scenario is based on MQ Server & MQ Explorer.

- MQ Server is configured with 01 SSL Keystore type .kdb

- MQ Explorer is configured with 01 SSL Keystore type .jks

Note:Make Sure all the files should be owned by the correct OS user and have permission to Read, Write and Execute

Self Signed Key Generation for SSL:

1. Create two paths (mq SSL keys and mqclient keys):

For MQ: C:\mqssl

For MQ Client: C:\mqexpssl

2. Open IBM key Management

3. Create New Key Database File “mqkey.kdb

Set password=passw0rd with stash password to a file to be checked.

4.Create “New Self signed Certificate”

Certificate Label and Key Label should be same as per MQ Server standard

ibmwebspheremq<QueueManagerName> [all characters in lower case]

e.g. MQ Server Name = iib9qm01 then key label = “ibmwebspheremqiib9qm01”

MQ Server Name = qm8 then key label = “ibmwebspheremqqm8”

Extract certificate with name mqexportcert.arm and add this certificate in trust store.

For TSLv1.1

If restrict user/group then Pass User id in MCAUSER but it will overwrite user id that received from client application. So don’t set MCAUSER

DEFINE CHANNEL(SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(‘TLS_RSA_WITH_AES_128_CBC_SHA’)

For one way SSL authentication, should be optional.

Note: SSL connectivity can be tested with custom API by giving host name, channel, Queue Manager, input queue name, output queue name, SSL cipher suite, user id, trust store path, trust store password, key store (if it is two authentication).

EG Execution:

keystore and trust store Configration commands:

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n keystoreFile -v C:\app_logs\BulkService\keystore\keyStore.jks

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n keystorePass -v BulkServiceAppKeystore::password

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n truststoreFile -v C:\app_logs\BulkService\keystore\trustStore.jks

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n truststorePass -v BulkServiceAppTruststore::password

mqsisetdbparms IB9NODE -n BulkServiceAppKeystore::password -u ignore -p passw0rd

mqsisetdbparms IB9NODE -n BulkServiceAppTruststore::password -u ignore -p passw0rd

--

--

Adil Abdullah

Currently working as Full stack Java developer at Contour Software at their Easit AB division part of Jonas group. Working on Java and IBM stack.