IBM MQ: How to copy a TLS/SSL configured keystore from one queue manager to another

Sometimes you have more than one queue manager on a machine. If these queue managers need to be TLS/SSL enabled (and they always should be), they all need a server certificate, but because they are on the same machine they might all need to have the same certificate. Copying from one setup to another is actually really simple. Here I'm going to show how.

Premises
* Two queue managers: MYQM01 and MYQM02
* MYQM01 has a configured and working keystore and stash file
* The keystore file and stash file are called key.kdb and key.sth
* We are using the default label name pattern for server certificates: ibmwebspheremq<qmanager name>
* We are using the default keystore location on Linux: /var/mqm/qmgrs/<qmanager name>/ssl/

First we need to copy all the files:

cp /var/mqm/qmgrs/MYQM01/ssl/key* /var/mqm/qmgrs/MYQM02/ssl/

Now we need to rename the label of the server certificate in the copied keystore in the new location (for this we use the ikeycmd program shipped with installations from MQ 8 and up):

ikeycmd -cert -rename -label ibmwebspheremqmyqm01 -new_label ibmwebspheremqmyqm02 -db key.kdb -stashed

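Finally, refresh TLS/SSL security on the queue manager so that it picks up the keystore change. As a rule I always do this whenever I change anything in a keystore. Here I use runmqsc, but it can also be done via MQ Explorer if you prefer a GUI. The queue manager that needs the refresh here is MYQM02: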

REFRESH SECURITY TYPE(SSL)

Done!

Tested on MQ v9.0.5.0 and Red Hat Linux 7.5
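
The three steps above as Bash functions, added here as an example and not part of the original post. The function names, the refusal to overwrite an existing target keystore and the removal of access for other users on the copies are assumptions of this example; it expects ikeycmd and runmqsc on the PATH of the mqm user.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names, the overwrite
# guard and the chmod step are assumptions of this example.

# Default label: "ibmwebspheremq" + queue manager name in lower case.
default_label() {
  printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Step 1: copy key* between ssl directories, keeping mode and timestamps.
copy_keystore() {
  local src="$1" dst="$2"
  if [ ! -f "$src/key.kdb" ] || [ ! -f "$src/key.sth" ]; then
    echo "key.kdb or key.sth missing in $src" >&2; return 1
  fi
  [ -d "$dst" ] || { echo "no such directory: $dst" >&2; return 1; }
  # Never silently replace a keystore the target queue manager already has.
  if [ -e "$dst/key.kdb" ]; then
    echo "$dst/key.kdb exists, move it aside first" >&2; return 1
  fi
  cp -p "$src"/key* "$dst"/ || return 1
  # The stash file holds the keystore password: no access for other users.
  chmod o-rwx "$dst"/key*
}

# Steps 2 and 3: rename the label in the copy, then refresh the target.
relabel_and_refresh() {
  local from_qm="$1" to_qm="$2"
  local ssl_dir="/var/mqm/qmgrs/$to_qm/ssl"
  ( cd "$ssl_dir" && ikeycmd -cert -rename \
      -label "$(default_label "$from_qm")" \
      -new_label "$(default_label "$to_qm")" \
      -db key.kdb -stashed ) || return 1
  echo 'REFRESH SECURITY TYPE(SSL)' | runmqsc "$to_qm"
}

# Usage, as the mqm user:
#   copy_keystore /var/mqm/qmgrs/MYQM01/ssl /var/mqm/qmgrs/MYQM02/ssl &&
#     relabel_and_refresh MYQM01 MYQM02
```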
