Sometimes you got more then one queue manager on a machine. If these queue managers need to be TLS/SSL enabled (and they should always be that) they all need a server certificate, but because they are on the same machine they might all need to have the same certificate. Copying from one setup to another is actually really simple. I’m here going to show how
Premisses
* Two queue managers: MYQM01 and MYQM02
* MYQM01 has a configured and working keystore and stash file
* Keystore file and stash is called key.kdb and key.sth
* We are using the default label name pattern for server certificates: ibmwebspheremq<qmanager name>
* We are using the default keystore location in Linux: /var/mqm/qmgrs/<qmanager name>/ssl/
First we need to copy all the files
cp /var/mqm/qmgrs/MYQM01/ssl/key* /var/mqm/qmgrs/MYQM02/ssl/
Now we need to rename the label of the server certificate in the new location (for this we use the ikeycmd program shipped with installations from MQ 8 and up)
ikeycmd -cert -rename -label ibmwebspheremqmyqm01 -new_label ibmwebspheremqmyqm02 -db key.kdb -stashed
As a rule I always do this whenever I change anything in a keystore. Here using runmqsc but can also be done via MQExplorer if you prefer a GUI. The queue manager that needs the refresh here is MYQM02
REFRESH SECURITY TYPE(SSL)
Done!
Tested on MQ v9.0.5.0 and Red Hat Linux 7.5