Refer to the commands below to provision and configure both self-signed and CA-signed certificates in IBM MQ.
How to generate a CSR in MQ
Generate a key database using the command
runmqakm -keydb -create -db keystore.kdb -pw 1234 -type cms -stash -expire 700
runmqakm -cert -create -label ibmwebspheremqqm1 -db keystore.kdb -pw 1234 -dn "CN=QM1,O=MQ,OU=IBM,C=SG" -expire 365 -size 1024 -format ascii
runmqakm -cert -create -label ibmwebspheremqqm2 -db keystore.kdb -pw 1234 -dn "CN=QM2,O=MQ,OU=IBM,C=SG" -expire 365 -size 1024 -format ascii
Generate the certificate request
runmqakm -certreq -create -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1 -dn "CN=QM1,O=MQ,OU=IBM,C=SG" -size 2048 -sigalg SHA256WithRSA -file QM1.csr
List and view the certificate request details
runmqakm -certreq -list -db keystore.kdb -pw 1234
runmqakm -certreq -details -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1
Add the CA root and intermediate certificates to the database
runmqakm -cert -add -db keystore.kdb -pw 1234 -label ca_root -file root.cer -format ascii
runmqakm -cert -add -db keystore.kdb -pw 1234 -label ca_inter -file intermediate.cer -format ascii
Receive the CA-signed certificate into the key database
runmqakm -cert -receive -db keystore.kdb -pw 1234 -file QM1.cer -format ascii -default_cert enable
List the certificate details
runmqakm -cert -list -db keystore.kdb -pw 1234
runmqakm -cert -details -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1
/var/mqm/qmgrs/QM1/ssl/keystore
alter qmgr SSLKEYR('/var/mqm/qmgrs/QM1/ssl/keystore')
How to refresh SSL security in MQ
refresh security type(ssl)
3 : refresh security type(ssl)
AMQ8560I: IBM MQ security cache refreshed.
What are the ciphers supported in IBM MQ
https://www.ibm.com/docs/en/ibm-mq/7.5?topic=support-ssl-cipherspecs-ciphersuites
How to add a cipher to the channel
alter chl(TO.QM2) CHLTYPE(SDR) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256')
6 : alter chl(TO.QM2) CHLTYPE(SDR) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256')
AMQ8016I: IBM MQ channel changed.
Add the cipher in the same way on the receiver channel as well
Check that the certificate is reflected on the port
openssl s_client -connect localhost:1415
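To make the openssl s_client check above repeatable, the following added example (not part of the original page) parses s_client output and reports the subject CN, the public key size and the verify return code. The function name check_mq_tls, the 2048-bit minimum and the embedded sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output for an MQ listener.
# Live use (port 1415 as on this page):
#   openssl s_client -connect localhost:1415 </dev/null 2>&1 | check_mq_tls QM1
MIN_BITS=2048   # assumption: minimum acceptable RSA key size

check_mq_tls() {   # $1 = CN expected in the certificate subject
    awk -v want="$1" -v min="$MIN_BITS" '
        /^subject=/ && cn == "" {
            s = substr($0, 9)
            # Accept both "/C=SG/CN=QM1" and "C = SG, CN = QM1" layouts
            gsub(/ *= */, "=", s); gsub(/\//, ",", s); gsub(/, */, ",", s)
            n = split(s, rdn, ",")
            for (i = 1; i <= n; i++)
                if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
        }
        /^Server public key is/ { bits = $5 }
        /Verify return code:/   { vrc = $4 }
        END {
            if (cn == "")       { print "FAIL no certificate presented"; exit 1 }
            if (cn != want)     { print "FAIL subject CN=" cn ", expected " want; bad = 1 }
            if (bits + 0 < min) { print "FAIL public key is " bits " bit, below " min; bad = 1 }
            if (vrc != "" && vrc != "0") print "WARN verify return code " vrc
            if (!bad) print "OK CN=" cn " " bits " bit"
            exit bad + 0
        }'
}

sample_weak() {   # constructed output: 1024-bit self-signed certificate
    cat <<'EOF'
subject=C = SG, OU = IBM, O = MQ, CN = QM1
issuer=C = SG, OU = IBM, O = MQ, CN = QM1
Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)
EOF
}

sample_good() {   # constructed output: 2048-bit CA-signed certificate
    cat <<'EOF'
subject=/C=SG/OU=IBM/O=MQ/CN=QM1
issuer=/C=SG/O=Example CA/CN=Example Intermediate
Server public key is 2048 bit
    Verify return code: 0 (ok)
EOF
}

# Demo on the constructed weak sample
sample_weak | check_mq_tls QM1 || echo "listener certificate needs attention"
```

A non-zero verify return code is only a warning here because s_client reports a verification error for a self-signed certificate unless the matching CA file is supplied.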
Extracting QM2 CA
runmqakm -cert -extract -label ibmwebspheremqqm2 -db keystore.kdb -pw 1234 -target qm2.cer
Adding QM2 CA in QM1 keystore
runmqakm -cert -add -label qm2ca -file /var/mqm/qmgrs/QM2/ssl/qm2.cer -db /var/mqm/qmgrs/QM1/ssl/keystore.kdb -pw 1234
Extracting QM1 CA
runmqakm -cert -extract -label ibmwebspheremqqm1 -db /var/mqm/qmgrs/QM1/ssl/keystore.kdb -pw 1234 -target qm1.cer
Adding QM1 CA in QM2 keystore
runmqakm -cert -add -label qm1ca -file qm1.cer -db /var/mqm/qmgrs/QM2/ssl/keystore.kdb -pw 1234