MQ SSL Configuration handy commands

The commands below cover both options for provisioning a certificate for an IBM MQ queue manager: a self-signed certificate created directly in the key database, or a CA-signed certificate obtained through a certificate request (CSR). Use one path or the other for a given label.

How to generate a CSR in MQ

Generate a key database (the -stash option writes keystore.sth, which the queue manager needs to open the repository without a password prompt):
runmqakm -keydb -create -db keystore.kdb -pw 1234 -type cms -stash -expire 700

Self-signed option: create a certificate for each queue manager (the label must be "ibmwebspheremq" followed by the queue manager name in lowercase unless CERTLABL is set on the queue manager). Note that a 1024-bit RSA key is below current minimums; the CSR below uses 2048 bits.
runmqakm -cert -create -label ibmwebspheremqqm1 -db keystore.kdb -pw 1234 -dn "CN=QM1,O=MQ,OU=IBM,C=SG" -expire 365 -size 1024 -format ascii
runmqakm -cert -create -label ibmwebspheremqqm2 -db keystore.kdb -pw 1234 -dn "CN=QM2,O=MQ,OU=IBM,C=SG" -expire 365 -size 1024 -format ascii

CA-signed option: generate a certificate request
runmqakm -certreq -create -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1 -dn "CN=QM1,O=MQ,OU=IBM,C=SG" -size 2048 -sigalg SHA256WithRSA -file QM1.csr

List the pending requests and view the details of one request
runmqakm -certreq -list -db keystore.kdb -pw 1234

runmqakm -certreq -details -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1

Add the CA root and intermediate certificates to the database (the signed certificate cannot be received until its issuing chain is present):
runmqakm -cert -add -db keystore.kdb -pw 1234 -label ca_root -file root.cer -format ascii
runmqakm -cert -add -db keystore.kdb -pw 1234 -label ca_inter -file intermediate.cer -format ascii

Receive the CA-signed certificate into the key database
runmqakm -cert -receive -db keystore.kdb -pw 1234 -file QM1.cer -format ascii -default_cert enable

List the certificates and show the details of the queue manager's certificate
runmqakm -cert -list -db keystore.kdb -pw 1234
runmqakm -cert -details -db keystore.kdb -pw 1234 -label ibmwebspheremqqm1

Point the queue manager at the key repository. SSLKEYR takes the path without the .kdb extension:
/var/mqm/qmgrs/QM1/ssl/keystore

alter qmgr SSLKEYR('/var/mqm/qmgrs/QM1/ssl/keystore')
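The label convention and the SSLKEYR path rule above are easy to get wrong, and a missing stash file or a world-readable key database only shows up when the channel fails to start. The following shell functions are an added example (not part of the original post and not IBM-supplied code) that derive the expected label and SSLKEYR value and check the repository files before the ALTER QMGR is issued; the paths and queue manager names passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for an IBM MQ key repository before pointing
# a queue manager at it. Paths and queue manager names are assumed values.

# IBM MQ looks for the queue manager's certificate under the label
# "ibmwebspheremq" + queue manager name in lowercase (unless CERTLABL is set).
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# SSLKEYR takes the repository path without the .kdb extension.
sslkeyr_stem() {
    case "$1" in
        *.kdb) printf '%s\n' "${1%.kdb}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Check the files a queue manager needs to open its key repository:
# the database itself and the stash file written by "-stash" (without it the
# queue manager cannot open the keystore unattended). Also flag a database
# that other local users can read, since it holds the private key.
# Prints each problem found; returns 0 only when the repository is usable.
check_key_repository() {
    stem=$(sslkeyr_stem "$1")
    rc=0
    [ -f "$stem.kdb" ] || { echo "missing key database: $stem.kdb"; rc=1; }
    [ -f "$stem.sth" ] || { echo "missing stash file: $stem.sth (create the kdb with -stash)"; rc=1; }
    if [ -f "$stem.kdb" ]; then
        # columns 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -l "$stem.kdb" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "key database $stem.kdb is readable by others (chmod 600)"; rc=1; }
    fi
    return $rc
}

# Print the MQSC command that points a queue manager at the repository.
mqsc_for_keystore() {
    printf "ALTER QMGR SSLKEYR('%s')\n" "$(sslkeyr_stem "$1")"
}

# Usage (assumed path): check the repository, then emit the MQSC to apply.
# check_key_repository /var/mqm/qmgrs/QM1/ssl/keystore.kdb \
#     && mqsc_for_keystore /var/mqm/qmgrs/QM1/ssl/keystore.kdb
```

Run check_key_repository against the .kdb path first; when it returns 0, the printed ALTER QMGR line can be fed to runmqsc, and the label from mq_cert_label is the one to use with runmqakm -cert -create or -certreq -create.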

How to refresh SSL security in MQ

After changing the key repository or its contents, refresh the security cache in runmqsc so the queue manager re-reads the certificates:
refresh security type(ssl)
3 : refresh security type(ssl)

AMQ8560I: IBM MQ security cache refreshed.

What are the CipherSpecs supported in IBM MQ
https://www.ibm.com/docs/en/ibm-mq/7.5?topic=support-ssl-cipherspecs-ciphersuites

How to add a CipherSpec to the channel

alter chl(TO.QM2) CHLTYPE(SDR) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256')
6 : alter chl(TO.QM2) CHLTYPE(SDR) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256')
AMQ8016I: IBM MQ channel changed.

Set the same CipherSpec on the receiver channel at the other end in the same way; the SSLCIPH values on both ends of a channel must match or the channel will not start.

Check that the certificate is presented on the listener port

openssl s_client -connect localhost:1415
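The raw s_client dump is long, and the three things worth confirming are the subject CN the listener presents, the negotiated cipher, and whether the chain verifies against the CA that signed the certificate. The script below is an added example (not from the original post and not an IBM tool) that parses s_client output into those fields and makes a pass/fail decision; the host, port, CA file and expected CN are assumptions, and the two sample outputs at the bottom are constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example: turn "openssl s_client" output into a pass/fail check for
# an MQ listener. Host, port, CA file and expected CN are assumed values.

# Parse s_client output read from stdin into KEY=VALUE lines: the subject
# and issuer presented, the negotiated protocol and cipher, and the chain
# verification result (meaningful only when -CAfile was given).
parse_s_client() {
    awk '
        /^subject=/           { sub(/^subject=/, "");            print "SUBJECT=" $0 }
        /^issuer=/            { sub(/^issuer=/, "");             print "ISSUER=" $0 }
        /^ *Protocol *:/      { sub(/^ *Protocol *: */, "");     print "PROTOCOL=" $0 }
        /^ *Cipher *:/        { sub(/^ *Cipher *: */, "");       print "CIPHER=" $0 }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); print "VERIFY=" $0 }
    '
}

# Decide from the parsed KEY=VALUE lines (stdin) whether the listener presented
# a certificate for the expected queue manager CN and whether the chain
# verified (return code 0). Prints findings; returns 0 only when both hold.
judge_listener() {
    expected_cn=$1
    subject=""; verify=""; rc=0
    while IFS= read -r line; do
        case "$line" in
            SUBJECT=*) subject=${line#SUBJECT=} ;;
            VERIFY=*)  verify=${line#VERIFY=} ;;
        esac
    done
    # normalise "CN = QM1, O = MQ" to ",CN=QM1,O=MQ," so the CN matches whole
    norm=",$(printf '%s' "$subject" | sed 's/ *= */=/g; s/, */,/g'),"
    case "$norm" in
        *",CN=$expected_cn,"*) ;;
        *) echo "unexpected subject: $subject"; rc=1 ;;
    esac
    case "$verify" in
        "0 ("*) ;;
        *) echo "chain did not verify: ${verify:-no result}"; rc=1 ;;
    esac
    return $rc
}

# Live check: connect with the CA that signed the listener's certificate and
# restrict the handshake to the OpenSSL name of the channel CipherSpec
# (TLS_RSA_WITH_AES_128_CBC_SHA256 is AES128-SHA256 in OpenSSL naming).
# Usage: check_mq_listener localhost 1415 root.cer QM1
check_mq_listener() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -tls1_2 -cipher AES128-SHA256 \
        </dev/null 2>/dev/null | parse_s_client | judge_listener "$4"
}

# Constructed s_client output (not captured from a real listener) for testing.
SAMPLE_OK='CONNECTED(00000003)
subject=CN = QM1, O = MQ, OU = IBM, C = SG
issuer=CN = Example Root CA, O = Example
---
New, TLSv1.2, Cipher is AES128-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Verify return code: 0 (ok)
'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
subject=CN = QM1, O = MQ, OU = IBM, C = SG
issuer=CN = QM1, O = MQ, OU = IBM, C = SG
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Verify return code: 18 (self signed certificate)
'
```

A self-signed queue manager certificate will fail the verify step unless its own .cer (extracted as in the next section) is passed as the CA file, which is exactly the trust relationship the receiving end must hold.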

With self-signed certificates, each queue manager must trust the other's certificate directly, so the public certificate is extracted from one keystore and added to the other in both directions.

Extract the QM2 certificate (public part only)
runmqakm -cert -extract -label ibmwebspheremqqm2 -db keystore.kdb -pw 1234 -target qm2.cer
Add the QM2 certificate to the QM1 keystore
runmqakm -cert -add -label qm2ca -file /var/mqm/qmgrs/QM2/ssl/qm2.cer -db /var/mqm/qmgrs/QM1/ssl/keystore.kdb -pw 1234

Extract the QM1 certificate (public part only)
runmqakm -cert -extract -label ibmwebspheremqqm1 -db /var/mqm/qmgrs/QM1/ssl/keystore.kdb -pw 1234 -target qm1.cer

Add the QM1 certificate to the QM2 keystore
runmqakm -cert -add -label qm1ca -file qm1.cer -db /var/mqm/qmgrs/QM2/ssl/keystore.kdb -pw 1234

Run refresh security type(ssl) on each queue manager afterwards so the new trust entries are picked up.
