Category Archives: IBM MQ - Page 3

IBM MQ: How to copy a TLS/SSL configured keystore from one queue manager to another

Sometimes you got more then one queue manager on a machine. If these queue managers need to be TLS/SSL enabled (and they should always be that) they all need a server certificate, but because they are on the same machine they might all need to have the same certificate. Copying from one setup to another is actually really simple. I’m here going to show how

Premisses
* Two queue managers: MYQM01 and MYQM02
* MYQM01 has a configured and working keystore and stash file
* Keystore file and stash is called key.kdb and key.sth
* We are using the default label name pattern for server certificates: ibmwebspheremq<qmanager name>
* We are using the default keystore location in Linux: /var/mqm/qmgrs/<qmanager name>/ssl/

First we need to copy all the files

cp /var/mqm/qmgrs/MYQM01/ssl/key* /var/mqm/qmgrs/MYQM02/ssl/

Now we need to rename the label of the server certificate in the new location (for this we use the ikeycmd program shipped with installations from MQ 8 and up)

ikeycmd -cert -rename -label ibmwebspheremqmyqm01 -new_label ibmwebspheremqmyqm02 -db key.kdb -stashed

As a rule I always do this whenever I change anything in a keystore. Here using runmqsc but can also be done via MQExplorer if you prefer a GUI. The queue manager that needs the refresh here is MYQM02

REFRESH SECURITY TYPE(SSL)

Done!

Tested on MQ v9.0.5.0 and Red Hat Linux 7.5

IBM MQ: Why is my cluster sender channel trying to connect to 1414 when I have clearly specified 1415 (or any other port)?

Cluster sender channels seems to get “stuck” sometimes and fall back to port 1414 when trying to find the cluster repository.

The solution:
Delete the channel and create it again

DEFINE CHANNEL(TO.REPO) CHLTYPE(CLUSSDR) TRPTYPE(TCP) CONNAME('127.0.0.1(1415)') CLUSTER(EXTERNAL.CLIENTS) DESCR('Cluster-sender channel from MYQM01 to repo at MYREPO01')

Tested on MQ 9.0.5.0 and Red Hat Linux 7.5

IBM MQ: Add a server certificate to queue manager without an CSR

At my workplace we request SSL certificates based on the server and not on queue manager. Often are these servers populated with more services than MQ so a CSR from MQ might not be possible. In this case we need to get the certificate and key into the queue manager keystore without an CSR. Here is how we usually do it

Through of of this example I am going to use the ikeycmd program, normally found here: /opt/mqm/java/jre64/jre/bin/ikeycmd in the MQ installation on Linux, and openssl which can be found in most Linux systems. We will call the queue manager MYQM01 in this example.

First we need to create a kdb file to hold our certificates

ikeycmd -keydb -create -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -type cms -stash

Where:
db is the path to the queue managers key.kdb file
stash tells ikeycmd to stash the password in a file in the same location as the key.kdb file. This is needed so that MQ later can open the key.kdb file and read its contents

It is now time to add the root cert and all its intermediate certificates (if any). It is important that this is done in the correct order: From root and down to your certificate
Add root cert:

ikeycmd -cert -add -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -label rootca -file DigicertRoot.crt -format ascii

Add ca cert/s:

ikeycmd -cert -add -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -label intermediateca -file DigiCertCA.crt -format ascii

And now to the magic. There are probably many ways to do this but I found creating a p12 file with the certificate and the key to be the simplest
Create the p12 file

openssl pkcs12 -export -in my.host.com.crt -inkey my.host.com.key -out my.host.com.p12 -name "ibmwebspheremqmyqm01"

Import the p12 into the queue manager keystore

ikeycmd -cert -import -db my.host.com.p12 -pw changeit -target "/var/mqm/qmgrs/MYQM01/ssl/key.kbd"

Now set the the new certificate as default

ikeycmd -cert -setdefault -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -stashed -label "ibmwebspheremqmyqm01"

Make sure the key* files has the correct permissions

chmod 640 key.*

Troubleshooting tips

# List personal and ca certificate in the kbd file 
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -list personal -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -list ca -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit

# List default all signers for this installation
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -listsigners

# Check that a certificate is presented on connect
openssl s_client -connect my.host.com:1414

Tested on MQ 9.0.5.0, Red Hat Linux 7.5 and OpenSSL 1.0.2k-fips