MQSeriesGSKit is required to enable SSL on IBM MQ
QM1: (Path : C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl)
1. Creating key store
runmqakm -keydb -create -db qm1key.kdb -pw 123456 -type cms -stash
2. Creating self-signed certificate
runmqakm -cert -create -label ibmwebspheremqqm1 -db qm1key.kdb -pw 123456 -dn "CN=QM1,OU=FMR" -expire 365 -size 1024 -format ascii
3. Extracting a public certificate
runmqakm -cert -extract -label ibmwebspheremqqm1 -db qm1key.kdb -pw 123456 -target qm1pub.arm
4. Adding qm2pub.arm to the QM1 key repository
runmqakm -cert -add -label qm2pub -file C:\qm2\ssl\qm2pub.arm -db qm1key.kdb -pw 123456
QM2: (C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl)
1. Creating key store in cms
runmqakm -keydb -create -db qm2key.kdb -pw 123456 -type cms -stash
2. Creating self-signed certificate
runmqakm -cert -create -label ibmwebspheremqqm2 -db qm2key.kdb -pw 123456 -dn "CN=QM2,OU=FMR" -expire 365 -size 1024 -format ascii
3. Extracting a public certificate
runmqakm -cert -extract -label ibmwebspheremqqm2 -db qm2key.kdb -pw 123456 -target qm2pub.arm
4. Adding qm1pub.arm to the QM2 key repository
runmqakm -cert -add -label qm1pub -file C:\qm1\ssl\qm1pub.arm -db qm2key.kdb -pw 123456
=======================================================
After completing the steps above, run the following MQSC commands.
In QM1
- ALTER QMGR SSLKEYR('C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM1\ssl\qm1key')
- ALTER CHL(CHL1) CHLTYPE(SDR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
In QM2
- ALTER QMGR SSLKEYR('C:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM2\ssl\qm2key')
- ALTER CHL(CHL1) CHLTYPE(RCVR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
After this, restart the sender channel on QM1, or refresh security for type SSL:
STOP CHL(CHL1)
START CHL(CHL1)
or
REFRESH SECURITY TYPE(SSL)
If the channel is now in RUNNING status, SSL is working. You can see the difference using the command below:
DIS CHS(CHL1) ALL
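
If the channel does not start, the usual first check is whether each key repository really holds both certificates from the steps above. The following is an added example, not part of the original page: a PowerShell check over the text produced by "runmqakm -cert -list". The function names and the listing format it parses (flag characters, whitespace, label) are assumptions, and the sample listings are constructed.

```powershell
# Added example, not from the original page. Assumed listing format:
# flag characters (* default, - personal, ! trusted), whitespace, label.
function Get-KdbEntry {
    param([string[]]$Listing)
    foreach ($line in $Listing) {
        if ($line -match '^\*\s+default,') { continue }   # skip the legend line
        if ($line -match '^\s*([*!#-]+)\s+(.+?)\s*$') {
            [pscustomobject]@{ Flags = $Matches[1]; Label = $Matches[2].Trim('"') }
        }
    }
}

function Test-QmgrKeyRepo {
    param([string]$QmgrName, [string]$PartnerLabel, [string[]]$Listing)
    # Label pattern used in the steps above: ibmwebspheremq + lower-case queue manager name.
    $ownLabel = 'ibmwebspheremq' + $QmgrName.ToLowerInvariant()
    $entries  = @(Get-KdbEntry -Listing $Listing)
    $problems = @()
    # -ceq compares case-sensitively, so a label such as ibmwebspheremqQM1 is reported.
    $own = $entries | Where-Object { $_.Label -ceq $ownLabel -and $_.Flags.Contains('-') }
    if (-not $own) { $problems += "personal certificate '$ownLabel' not found" }
    $partner = $entries | Where-Object { $_.Label -ceq $PartnerLabel -and $_.Flags.Contains('!') }
    if (-not $partner) { $problems += "trusted certificate '$PartnerLabel' not found" }
    if ($problems.Count -eq 0) { "OK: $QmgrName key repository has both certificates" }
    else { $problems | ForEach-Object { "FAIL ($QmgrName): $_" } }
}

# Constructed sample listings (not captured output). For a real check, pass the
# output of: runmqakm -cert -list -db qm1key.kdb -pw <password>
$qm1 = 'Certificates found', '* default, - personal, ! trusted, # secret key',
       "!`tqm2pub", "-`tibmwebspheremqqm1"
$qm2 = 'Certificates found', '* default, - personal, ! trusted, # secret key',
       "-`tibmwebspheremqqm2"      # partner certificate was never added
Test-QmgrKeyRepo -QmgrName 'QM1' -PartnerLabel 'qm2pub' -Listing $qm1
Test-QmgrKeyRepo -QmgrName 'QM2' -PartnerLabel 'qm1pub' -Listing $qm2
```

The constructed QM2 listing omits the partner certificate, so the second call reports a failure for qm1pub while the first reports OK.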