Configure SSL/TLS on IBM MQ Queue Managers

Adil Abdullah
Sep 13, 2022


Grant authority to one or more groups or users so that they can use the queue for reading (get) or writing (put).

  1. Create the group in Computer Management (Local Users and Groups).

For this demo the Guest user was added to the MQCLIENT group; in a real deployment put a dedicated service account in the group rather than Guest.

2. Queue Authorization:

a) Authorize the MQCLIENT group to connect to the queue manager:

setmqaut -m IIB9NodeQMngr -t qmgr -g mqclient +connect +inq +dsp

b) Authorize the MQCLIENT group to put requests on the request queue (-all first removes any authority the group already has; +setall lets the application set all message context fields, so grant it only if the application needs it):

setmqaut -m IIB9NodeQMngr -g mqclient -n BULK.IBMX.REQUEST -t queue -all +put +inq +setall

c) Authorize the MQCLIENT group to get responses from the response queue:

setmqaut -m IIB9NodeQMngr -g mqclient -n BULK.IBMX.RESPONSE -t queue -all +get +inq +setall
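The three grants above, run as one script and then checked with dspmqaut. This is an added example and not code from the original post; it assumes the queue manager IIB9NodeQMngr is running, the local group MQCLIENT exists, and the MQ bin directory is on the PATH (for example when run from the IIB Console). It goes one step further than the post in that the response queue gets only +get +inq, since a consumer never needs to set message context.

```powershell
# Added example (not from the original post): apply the authority grants and verify them.
# Assumptions: queue manager IIB9NodeQMngr is running, group MQCLIENT exists,
# setmqaut/dspmqaut are on the PATH.
$qm    = "IIB9NodeQMngr"
$group = "mqclient"

# Queue manager object: connect, inquire, display only (no +setid, +altusr or admin rights).
setmqaut -m $qm -t qmgr -g $group +connect +inq +dsp

# Request queue: -all clears whatever the group had, then grants put/inq.
# +setall allows the producer to set every message context field (including identity
# context); keep it only if the producing application really sets context.
setmqaut -m $qm -t queue -n BULK.IBMX.REQUEST -g $group -all +put +inq +setall

# Response queue: the consumer only gets messages, so no +setall here.
setmqaut -m $qm -t queue -n BULK.IBMX.RESPONSE -g $group -all +get +inq

# Verify the effective authorities; each command prints the authority list for the group.
dspmqaut -m $qm -t qmgr -g $group
dspmqaut -m $qm -t queue -n BULK.IBMX.REQUEST -g $group
dspmqaut -m $qm -t queue -n BULK.IBMX.RESPONSE -g $group
if ($LASTEXITCODE -ne 0) { throw "dspmqaut failed for $group on $qm (rc=$LASTEXITCODE)" }
```

If dspmqaut shows more than the grants listed here (for example +setid or +altusr), an earlier setmqaut without -all left them in place; rerun with -all to reset.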

Queue connectivity configuration with SSL:

On Windows systems, digital certificates are stored in a key database file. Each certificate has a label; a specific label associates a personal certificate with a queue manager or IBM MQ MQI client.

  1. MQ Server Key Database (KDB) file creation:

2. Add the signer certificate to the MQ server key database. The queue manager's own (personal) certificate must carry the label that MQ 7.5 looks for:

ibmwebspheremq<QueueManagerName> [all characters in lower case]

e.g. MQ Server Name = iib9qm01 then key label = “ibmwebspheremqiib9qm01”

3. Add the MQ server certificate to the trust store (JKS) under the same label.

Note: the MQ executables are in “C:\Program Files (x86)\IBM\WebSphere MQ\bin”; they can be run from the IIB Console.

Console commands:

runmqsc IIB9QM01

DISPLAY QMGR

The following queue manager attributes matter for TLS authentication:

· QMNAME(IIB9QM01)

· CHLAUTH(ENABLED)

· SSLFIPS(NO)

4. Set the SSL key repository on the queue manager (ALTER QMGR in runmqsc). The value is the path to the .kdb file without the .kdb extension:

SSLKEYR(C:\mqssl\mqkey)

Note: whenever you change authorities or TLS settings on the queue manager, refresh its security cache (or restart the queue manager) for the change to take effect.

Console commands:

REFRESH SECURITY(*)

SSL Configuration on WebSphere MQ 7.5

The scenario below uses the MQ server and MQ Explorer as the two ends of the TLS connection:

- MQ server: one key store of type .kdb

- MQ Explorer: one key store of type .jks

Note: make sure the key repository files (.kdb, .sth, .jks) are owned by the OS user that runs the queue manager or client and are readable and writable by that user only. Anyone who can read the .kdb and its stash file can open the key database and the private key in it.

Self Signed Key Generation for SSL:

1. Create two paths (mq SSL keys and mqclient keys):

For MQ: C:\mqssl

For MQ Client: C:\mqexpssl

2. Open IBM Key Management (the iKeyman GUI, started with strmqikm).

3. Create a new key database file, “mqkey.kdb”.

Set the password (passw0rd in this demo) and tick “Stash the password to a file” so the queue manager can open the repository without being prompted.

4. Create a “New Self-Signed Certificate”.

The certificate label (key label) must follow the MQ server convention:

ibmwebspheremq<QueueManagerName> [all characters in lower case]

e.g. MQ Server Name = iib9qm01 then key label = “ibmwebspheremqiib9qm01”

MQ Server Name = qm8 then key label = “ibmwebspheremqqm8”

Extract the certificate as mqexportcert.arm and add it to the client trust store (the MQ Explorer .jks).

Channel definition and CipherSpec (TLS_RSA_WITH_AES_128_CBC_SHA is a TLS 1.0 CipherSpec with a SHA-1 MAC; later IBM MQ releases deprecate it, so prefer a TLS 1.2 CipherSpec such as TLS_RSA_WITH_AES_128_CBC_SHA256 where both ends support it):

If you want to force a fixed user ID for everything that connects on the channel, set MCAUSER; it overrides the user ID received from the client application. This post leaves MCAUSER blank, which means the queue manager uses the user ID the client asserts, so keep CHLAUTH enabled (its default rules block the privileged *MQADMIN users on SVRCONN channels) and make sure the setmqaut grants above are the only authority that user ID has.

DEFINE CHANNEL(SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA')

For one-way TLS (the client verifies the server certificate only), add SSLCAUTH(OPTIONAL) to the channel definition; the default SSLCAUTH(REQUIRED) demands a client certificate as well.

Note: TLS connectivity can be tested with a custom client API by supplying the host name, channel, queue manager, input queue name, output queue name, CipherSpec, user ID, trust store path and trust store password, plus the key store and its password if two-way authentication is used.
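The key repository steps, the SSLKEYR setting, the channel definition and the security refresh above, as one script. This is an added example and not code from the original post. It assumes IBM MQ 7.5 on Windows with queue manager IIB9QM01 running and the MQ bin directory on the PATH; the distinguished name, the trust store file name mqexptrust.jks, the MQ service account MUSR_MQADMIN and the client subnet 10.0.0.* are placeholders for this demo and are not from the post. It adds two CHLAUTH address rules that the post does not have, because with MCAUSER blank and SSLCAUTH(OPTIONAL) the channel otherwise accepts any client that trusts the server certificate.

```powershell
# Added example (not from the original post). Assumptions: MQ 7.5 on Windows, queue manager
# IIB9QM01 is running, runmqckm/runmqsc on PATH, MQ service account MUSR_MQADMIN,
# trust store name and client subnet are placeholders.
$qm      = "IIB9QM01"
$label   = "ibmwebspheremq" + $qm.ToLower()   # label MQ 7.5 requires for the queue manager certificate
$keyDir  = "C:\mqssl"
$kdb     = "$keyDir\mqkey.kdb"                # queue manager key repository (CMS)
$jks     = "C:\mqexpssl\mqexptrust.jks"       # MQ Explorer trust store (name assumed)
$armFile = "$keyDir\mqexportcert.arm"
$kdbPass = "passw0rd"                         # demo value from the post; use a real secret
$jksPass = "passw0rd"

New-Item -ItemType Directory -Force -Path $keyDir, (Split-Path $jks) | Out-Null

# 1. Key database plus stash file (.sth) so the queue manager can open it unattended.
runmqckm -keydb -create -db $kdb -pw $kdbPass -type cms -stash

# 2. Self-signed personal certificate under the mandatory label (2048-bit RSA, SHA-256 signature).
runmqckm -cert -create -db $kdb -pw $kdbPass -label $label `
    -dn "CN=$qm,OU=Demo,O=Example" -size 2048 -x509version 3 -expire 365 -sig_alg SHA256WithRSA

# 3. Export the public certificate and import it into the MQ Explorer trust store.
runmqckm -cert -extract -db $kdb -pw $kdbPass -label $label -target $armFile -format ascii
runmqckm -keydb -create -db $jks -pw $jksPass -type jks
runmqckm -cert -add -db $jks -pw $jksPass -label $label -file $armFile -format ascii
runmqckm -cert -list -db $jks -pw $jksPass    # the label should appear once

# 4. The .kdb and .sth together are the queue manager's private key: restrict the directory
#    to the MQ service account and Administrators (the "correct OS user" note above).
icacls $keyDir /inheritance:r /grant:r "MUSR_MQADMIN:(OI)(CI)RX" "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# 5. SSLKEYR is the repository path without the .kdb suffix. SSLCAUTH(OPTIONAL) gives one-way
#    TLS. MCAUSER stays blank as in the post, so the CHLAUTH pair denies every address and then
#    re-allows only the client subnet. REFRESH SECURITY TYPE(SSL) reloads the key repository
#    without restarting the queue manager.
@"
ALTER QMGR SSLKEYR('C:\mqssl\mqkey')
DEFINE CHANNEL(SSL.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA') SSLCAUTH(OPTIONAL) REPLACE
SET CHLAUTH(SSL.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
SET CHLAUTH(SSL.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') USERSRC(CHANNEL) ACTION(REPLACE)
REFRESH SECURITY TYPE(SSL)
DISPLAY QMGR SSLKEYR SSLFIPS CHLAUTH
DISPLAY CHANNEL(SSL.SVRCONN) SSLCIPH SSLCAUTH MCAUSER
DISPLAY CHLAUTH(SSL.SVRCONN)
"@ | runmqsc $qm
if ($LASTEXITCODE -ne 0) { throw "runmqsc reported failed commands on $qm (rc=$LASTEXITCODE)" }
```

runmqsc returns a non-zero code when any command in the script fails, which is the only reliable signal here since the DISPLAY output is only printed. The CHLAUTH rules are matched most-specific first, so the 10.0.0.* rule wins over the '*' deny for clients in that range.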

Execution group (EG) configuration:

Key store and trust store configuration commands. The passwords are stored with mqsisetdbparms under an alias; keystorePass and truststorePass hold that alias, not the password itself:

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n keystoreFile -v C:\app_logs\BulkService\keystore\keyStore.jks

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n keystorePass -v BulkServiceAppKeystore::password

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n truststoreFile -v C:\app_logs\BulkService\keystore\trustStore.jks

mqsichangeproperties IB9NODE -e BulkServiceApp -o ComIbmJVMManager -n truststorePass -v BulkServiceAppTruststore::password

mqsisetdbparms IB9NODE -n BulkServiceAppKeystore::password -u ignore -p passw0rd

mqsisetdbparms IB9NODE -n BulkServiceAppTruststore::password -u ignore -p passw0rd
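The same IIB configuration as a script, in the order it should run, followed by a restart of the execution group and a read-back of the JVM properties. This is an added example and not code from the original post; it assumes IIB 9 on Windows, broker IB9NODE and execution group BulkServiceApp exist, the mqsi commands are run from the IIB Console, and the alias names and paths are the ones the post uses.

```powershell
# Added example (not from the original post). Assumptions: IIB 9 on Windows, broker IB9NODE,
# execution group BulkServiceApp, commands run from the IIB Console.
$broker  = "IB9NODE"
$eg      = "BulkServiceApp"
$jvm     = "ComIbmJVMManager"
$ksFile  = "C:\app_logs\BulkService\keystore\keyStore.jks"
$tsFile  = "C:\app_logs\BulkService\keystore\trustStore.jks"
$ksAlias = "BulkServiceAppKeystore::password"
$tsAlias = "BulkServiceAppTruststore::password"
$ksPwd   = "passw0rd"   # demo values from the post; use real secrets
$tsPwd   = "passw0rd"

# 1. Register the passwords first so the aliases referenced below already resolve.
#    -u ignore: no user ID is associated with the credential, only the password is used.
mqsisetdbparms $broker -n $ksAlias -u ignore -p $ksPwd
mqsisetdbparms $broker -n $tsAlias -u ignore -p $tsPwd

# 2. Point the execution group's JVM at the JKS files. keystorePass/truststorePass receive
#    the alias, so the secret never appears in the broker properties or in reports.
mqsichangeproperties $broker -e $eg -o $jvm -n keystoreFile   -v $ksFile
mqsichangeproperties $broker -e $eg -o $jvm -n keystorePass   -v $ksAlias
mqsichangeproperties $broker -e $eg -o $jvm -n truststoreFile -v $tsFile
mqsichangeproperties $broker -e $eg -o $jvm -n truststorePass -v $tsAlias

# 3. JVM properties are read when the JVM starts: restart the execution group, then read the
#    properties back. If the alias is still not picked up, restart the broker (mqsistop/mqsistart).
mqsireload $broker -e $eg
mqsireportproperties $broker -e $eg -o $jvm -r
if ($LASTEXITCODE -ne 0) { throw "mqsireportproperties failed for $eg on $broker (rc=$LASTEXITCODE)" }
```

The report should show keystoreFile and truststoreFile as the JKS paths and keystorePass and truststorePass as the two aliases; a literal password in that output means the alias step was skipped.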
