Manually configure IBM MQ
Docker is the preferred way of running IBM MQ, but if you need to do it manually, here’s how. This was valid at the end of 2019. If you are reading this in the future, it may no longer be valid.
Table of contents
- Generate a Server Certificate for IBM MQ
- Initialize a Key DataBase for the MQ Server
- Import the public root CA certificate to
- Generate a server certificate request
- Generate the certificate
- Install the certificate
IBM uses its own implementation of SSL, so handling certificates involves some slightly different concepts. This guide is based on Managing certificates with IBM GSKit and uses the terminal exclusively for greater cross-platform compatibility.
IBM software is distributed with a Global Security Kit (GSKit). This is a standalone product that comes with many different IBM products.
Supported versions of MQ are distributed with GSKit 8. If your MQ has GSKit 7 you really need to upgrade! The instructions below will fail when using GSKit 7.
You need the GSKit lib64 directories in your PATH environment variable.
Generate a Server Certificate for IBM MQ
IBM MQ requires its server certificates in a specific format. By default it searches for a certificate with a label in the format ibmwebspheremq with the name of the queue manager appended, all in lowercase. For example, for a queue manager named STL, the default certificate label is ibmwebspheremqstl.
Initialize a Key DataBase for the MQ Server
gsk8capicmd_64 -keydb -create -db mq.kdb -pw 'stellirin'
Import the public root CA certificate to
gsk8capicmd_64 -cert -add -db mq.kdb -pw 'stellirin' -label "Stellirin Certificate Authority" -file ca.cert.pem -format ascii -trust enable
Generate a server certificate request
Add one of the following algorithms to the command below:
gsk8capicmd_64 -certreq -create -db mq.kdb -pw 'stellirin' -label "ibmwebspheremqstl" -dn "CN=Stellirin MQ Server,O=Stellirin" -file mq.csr.pem
Generate the certificate
Transport mq.csr.pem to the CA and sign it according to Generate a Certificate.
Install the certificate
Transport the signed certificate to the MQ Server and import it into
gsk8capicmd_64 -cert -receive -db mq.kdb -pw 'stellirin' -file mq.cert.pem -default_cert yes
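
A pre-flight check for the receive step, as an added example (not part of the original guide or of IBM's tooling): it derives the default label from the queue manager name and confirms that the signed certificate carries the CSR's public key and chains to the root CA before it is received into the key database. The function names are hypothetical, and having openssl installed next to GSKit is an assumption.

```shell
#!/bin/sh
# Added example: checks to run before `gsk8capicmd_64 -cert -receive`.
# File names follow the guide; the function names are hypothetical.

# Default label MQ searches for: "ibmwebspheremq" + queue manager name,
# all in lowercase (STL -> ibmwebspheremqstl).
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Succeeds only if the signed certificate contains the same public key as the
# CSR (so it pairs with the private key held in the key database that created
# the request) and verifies against the root CA certificate.
# $1 = CSR, $2 = signed certificate, $3 = root CA certificate (all PEM)
preflight_receive() {
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key mismatch: $2 was not issued for $1" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "$2 does not chain to $3" >&2
        return 1
    fi
    return 0
}

# Usage on the MQ server, with the guide's file names:
#   preflight_receive mq.csr.pem mq.cert.pem ca.cert.pem &&
#   gsk8capicmd_64 -cert -receive -db mq.kdb -pw 'stellirin' \
#       -file mq.cert.pem -default_cert yes
```

The receive must target the same key database that generated the request, because that is where the matching private key lives.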