How to Configure SSL/TLS for IBM MQ Queue Manager

IBM MQ provides a utility, runmqckm, for managing the certificates and key database that enable SSL/TLS for queue managers. It is found in the MQ installation directory. Below are the commands that are typically needed during day-to-day operations.

–> Create a key database for the QMGR
runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -expire 365 -stash
This command creates the following three files:

key.kdb – the key database file.
key.sth – the encrypted password stash file.
key.rdb – the file in which certificate requests reside.

–> To add a CA certificate to the keystore. The signer certificate that signed our certificate, and the signers of the remote queue managers' certificates, must be present for the SSL handshake to succeed during SENDER channel connectivity.

runmqckm -cert -add -db key.kdb -label MYCA -file ca.cer -pw passw0rd

–> To add (import) a personal certificate into the keystore from a PKCS#12 file.

runmqckm -cert -import -file SignedServerCert.p12 -type pkcs12 -pw certificate_passw0rd -target key.kdb -target_pw passw0rd -new_label newlabelname

–> To list the CA certificates in the keystore. This lists all CA/signer certificates held in the keystore.

runmqckm -cert -list CA -db key.kdb -pw passw0rd

–> To list the personal certificates in the keystore. The keystore may hold several valid personal certificates, but only the one whose label matches the queue manager's CERTLABL is used.

runmqckm -cert -list personal -db key.kdb -pw passw0rd

–> To list all the certificates in the keystore

runmqckm -cert -list -db key.kdb -pw passw0rd

–> To export (extract) a CA certificate from the keystore to a file.

runmqckm -cert -extract -db key.kdb -pw passw0rd -label friendlyName -target ca.cer

–> To export a personal certificate (with its private key) from the keystore to a PKCS#12 file.

runmqckm -cert -export -db key.kdb -pw passw0rd -label friendlyName -type cms -target personal.p12 -target_pw target_password -target_type pkcs12

–> To create a certificate signing request. Once the file is generated, send it to the respective CA (DigiCert, Symantec, Entrust, etc.) for signing.

runmqckm -certreq -create -db key.kdb -pw passw0rd -label label -dn "CN=QueueManagerName,O=IBM,C=US,OU=MQ Support,ST=Florida" -size 1024 -file certreq.crs

–> To delete a certificate from the keystore. Sometimes an expired or unnecessary certificate must be removed.

runmqckm -cert -delete -db key.kdb -pw passw0rd -label MYCA

–> To generate a self-signed certificate. A self-signed certificate can be configured temporarily, but it is not recommended in production environments.

runmqckm -cert -create -db key.kdb -pw passw0rd -label MYLABELNAME -dn "CN=MQL2,O=IBM,C=US,OU=MQ Support,ST=NorthCarolina" -size 2048

–> To change the password of the keystore and store it in the stash file. When the stashed password has expired, change it and set a new expiry.

runmqckm -keydb -changepw -db key.kdb -pw passw0rd -new_pw newpassw0rd -expire 365 -stash

On our QMGR QM1 there is no SSL configured yet; the default values are shown below:

dis qmgr SSLKEYR CERTLABL
2 : dis qmgr SSLKEYR CERTLABL
AMQ8408I: Display Queue Manager details.
QMNAME(QM1) CERTLABL(ibmwebspheremqqm1)
SSLKEYR(/var/mqm/qmgrs/QM1/ssl/key)

Note: in SSLKEYR we do not need to provide the .kdb extension of the file; it is added automatically.

[mqm@ip-172-31-14-154 ~]$ ls -lrt /var/mqm/qmgrs/QM1/ssl/key*
ls: cannot access ‘/var/mqm/qmgrs/QM1/ssl/key*’: No such file or directory
[mqm@ip-172-31-14-154 ~]$

Let us create a self-signed certificate and configure it for the QMGR:

runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -expire 365 -stash
runmqckm -cert -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 -dn "CN=QM1,O=IBM,C=US,OU=MQ Support,ST=Singapore" -size 2048

runmqckm -cert -list -db key.kdb -pw passw0rd

[mqm@ip-172-31-14-154 ssl]$ runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -expire 365 -stash
[mqm@ip-172-31-14-154 ssl]$ ls -lrt
total 12
-rw-------. 1 mqm mqm 88 Feb 6 03:04 key.kdb
-rw-------. 1 mqm mqm 193 Feb 6 03:04 key.sth
-rw-------. 1 mqm mqm 80 Feb 6 03:04 key.rdb
[mqm@ip-172-31-14-154 ssl]$ runmqckm -cert -create -db key.kdb -pw passw0rd -label ibmwebspheremqqm1 -dn "CN=QM1,O=IBM,C=US,OU=MQ Support,ST=Singapore" -size 2048
[mqm@ip-172-31-14-154 ssl]$
[mqm@ip-172-31-14-154 ssl]$ ls -lrt
total 16
-rw-------. 1 mqm mqm 193 Feb 6 03:04 key.sth
-rw-------. 1 mqm mqm 5088 Feb 6 03:04 key.kdb
-rw-------. 1 mqm mqm 80 Feb 6 03:04 key.rdb
[mqm@ip-172-31-14-154 ssl]$ runmqckm -cert -list -db key.kdb -pw passw0rd
Certificates in database /var/mqm/qmgrs/QM1/ssl/key.kdb:
ibmwebspheremqqm1
[mqm@ip-172-31-14-154 ssl]$ runmqckm -cert -list personal -db key.kdb -pw passw0rd
Certificates in database /var/mqm/qmgrs/QM1/ssl/key.kdb:
ibmwebspheremqqm1
[mqm@ip-172-31-14-154 ssl]$ runmqckm -cert -list CA -db key.kdb -pw passw0rd
No key was found in the key database.
[mqm@ip-172-31-14-154 ssl]$

Now we have created key.kdb with a self-signed certificate labelled ibmwebspheremqqm1. If we had used a different label, we would need to update the queue manager's CERTLABL with alter QMGR ….

Since the QMGR is already up and running, we need to REFRESH SECURITY TYPE(SSL). Before that, let us confirm the listener is running on the port:

[mqm@ip-172-31-14-154 ssl]$ ps -fe |grep lsr
mqm 2598 2549 0 Feb03 ? 00:00:02 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
mqm 12390 12170 0 03:09 pts/0 00:00:00 grep --color=auto lsr
[mqm@ip-172-31-14-154 ssl]$
[mqm@ip-172-31-14-154 ssl]$

Let us refresh the QMGR SSL security and see:

[mqm@ip-172-31-14-154 ssl]$ runmqsc QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
Starting MQSC for queue manager QM1.

refresh security type(ssl)
1 : refresh security type(ssl)
AMQ8560I: IBM MQ security cache refreshed.

:
end
2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@ip-172-31-14-154 ssl]$

Once SSL security is refreshed successfully, we can see the certificate in a browser by opening https://ec2-3-15-25-84.us-east-2.compute.amazonaws.com:1414/

Just configuring the certificate does not enable security. We also need to configure SSLCIPH on the channel; only then is the certificate used and traffic encrypted in transit.

For an application to connect to the QMGR, a cipher must be configured on the SVRCONN channel.

alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('ECDHE_ECDSA_3DES_EDE_CBC_SHA256')
    11 : alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('ECDHE_ECDSA_3DES_EDE_CBC_SHA256')
AMQ8242E: SSLCIPH definition wrong.

Note: To use some CipherSuites, the ‘unrestricted’ policy files need to be configured in the JRE. For more details of how policy files are set up in an SDK or JRE, see the IBM SDK Policy files topic in the Security Reference for IBM SDK, Java Technology Edition, Version 7.

alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('')
    12 : alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('')
AMQ8016I: IBM MQ channel changed.
alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')
    13 : alter chl(CL.TEST) CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')
AMQ8016I: IBM MQ channel changed.

Refer to https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm for the CipherSuite mapping between IBM and Oracle Java. Whatever cipher is set on the channel, the corresponding CipherSuite must be enabled on the client side, otherwise the SSL handshake will fail.
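Because a channel with an empty SSLCIPH silently accepts plaintext connections, it is worth auditing every SVRCONN after the change. The following added example (not from the original post) parses constructed DISPLAY CHANNEL output in the runmqsc format shown above and flags channels with no cipher, a 3DES/RC4/NULL cipher, a SHA-1 MAC, or static RSA key exchange; the channel names and the third CipherSpec are assumptions for the sample.

```python
import re

# Constructed sample of "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SSLCIPH" output
# (hypothetical channels, not captured from QM1 on this page).
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(CL.TEST)                        CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH( )
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH(ECDHE_RSA_3DES_EDE_CBC_SHA)
"""

RECORD_MARKER = "AMQ8414I: Display Channel details."
ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # NAME(value) pairs as runmqsc prints them


def parse_channels(text):
    """Split runmqsc output into one {attribute: value} dict per channel record."""
    channels = []
    for block in text.split(RECORD_MARKER)[1:]:
        # A blank attribute is displayed as "SSLCIPH( )", so strip the padding.
        channels.append({k: v.strip() for k, v in ATTR.findall(block)})
    return channels


def classify(cipher):
    """Return (severity, reason) for one SSLCIPH value; order matters."""
    if not cipher:
        return ("HIGH", "no SSLCIPH: TLS not negotiated, traffic in clear")
    if any(weak in cipher for weak in ("3DES", "RC4", "NULL")):
        return ("HIGH", "weak or null bulk cipher")
    if cipher.endswith("_SHA"):
        return ("MEDIUM", "SHA-1 MAC")
    if cipher.startswith(("TLS_RSA_WITH", "RSA_WITH")):
        return ("LOW", "static RSA key exchange, no forward secrecy")
    return ("OK", "")


def audit(text):
    """Return (channel, cipher, severity, reason) for every channel in the output."""
    return [(c.get("CHANNEL"), c.get("SSLCIPH", ""), *classify(c.get("SSLCIPH", "")))
            for c in parse_channels(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_RUNMQSC_OUTPUT):
        print("%-16s %-36s %-6s %s" % row)
```

In practice, feed it the real output of `echo "DIS CHL(*) CHLTYPE(SVRCONN) SSLCIPH" | runmqsc QM1` and treat every HIGH row as a channel that still accepts unencrypted connections.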

Note: after a certificate renewal, make sure SSL security is refreshed so that the certificates are reloaded from the keystore.

Configuring your application to use IBM Java or Oracle Java CipherSuite mappings

From IBM MQ Version 8.0.0, Fix Pack 2, you can configure whether your application uses the default IBM Java CipherSuite to IBM MQ CipherSpec mappings, or the Oracle CipherSuite to IBM MQ CipherSpec mappings. Therefore, you can use TLS CipherSuites whether your application uses an IBM JRE or an Oracle JRE. The Java System Property com.ibm.mq.cfg.useIBMCipherMappings controls which mappings are used. The property can be one of the following values:

true: Use the IBM Java CipherSuite to IBM MQ CipherSpec mappings. This is the default value.

false: Use the Oracle CipherSuite to IBM MQ CipherSpec mappings.
