Docker is the preferred way of running IBM MQ, but if you need to do it manually, here’s how.
- Generate a Server Certificate for IBM MQ
- Initialize a Key DataBase for the MQ Server
- Import the public root CA certificate to
- Generate a server certificate request
- Generate the certificate
- Install the certificate
IBM uses its own implementation of SSL, so handling certificates involves some slightly different concepts. This guide is based on Managing certificates with IBM GSKit and uses the terminal exclusively for greater cross-platform compatibility.
IBM software is distributed with a Global Security Kit (GSKit). This is a standalone product that comes with many different IBM products.
Supported versions of MQ are distributed with GSKit 8. If your MQ has GSKit 7 you really need to upgrade! The instructions below will fail when using GSKit 7.
You need the GSKit lib64 directories in your PATH environment variable.
IBM MQ requires its server certificates in a specific format. By default it searches for a certificate with a label in the format: ibmwebspheremq with the name of the queue manager appended, all in lowercase. For example, for a queue manager named STL, the default certificate label is ibmwebspheremqstl.
gsk8capicmd_64 -keydb -create -db mq.kdb -pw 'stellirin'
gsk8capicmd_64 -cert -add -db mq.kdb -pw 'stellirin' -label "Stellirin Certificate Authority" -file ca.cert.pem -format ascii -trust enable
Add one of the following algorithms to the command below:
gsk8capicmd_64 -certreq -create -db mq.kdb -pw 'stellirin' -label "ibmwebspheremqstl" -dn "CN=Stellirin MQ Server,O=Stellirin" -file mq.csr.pem
mq.csr.pem to the CA and sign it according to Generate a Certificate.
Transport the signed certificate to the MQ Server and import it into
gsk8capicmd_64 -cert -receive -db mq.kdb -pw 'stellirin' -file mq.cert.pem -default_cert yes
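
A preflight check for the steps above, added here as an example and not part of the original guide: it confirms that GSKit 8 is on the PATH and that the key database holds a certificate under the default label MQ will look for. The function names and the `KDB_PW` environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the key database
# before pointing a queue manager at it.

# Default label: "ibmwebspheremq" + queue manager name, all lowercase.
mq_default_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# The guide's commands need gsk8capicmd_64 (GSKit 8) on the PATH.
gskit_available() {
    command -v gsk8capicmd_64 >/dev/null 2>&1
}

# Args: key database path, queue manager name.
# The password is read from KDB_PW (assumed variable name) so it does not
# have to be typed into the script itself.
# Relies on gsk8capicmd_64 exiting non-zero when the label is absent.
kdb_has_default_cert() {
    label=$(mq_default_label "$2")
    gsk8capicmd_64 -cert -details -db "$1" -pw "$KDB_PW" \
        -label "$label" >/dev/null 2>&1
}

# Returns 0 when everything is in place, otherwise a distinct code per failure.
preflight() {
    kdb=$1
    qmgr=$2
    gskit_available || {
        echo "gsk8capicmd_64 not found on PATH" >&2
        return 2
    }
    [ -r "$kdb" ] || {
        echo "cannot read key database $kdb" >&2
        return 3
    }
    kdb_has_default_cert "$kdb" "$qmgr" || {
        echo "no certificate labelled $(mq_default_label "$qmgr") in $kdb" >&2
        return 4
    }
    echo "ok: $(mq_default_label "$qmgr") present in $kdb"
}
```

Run it as `KDB_PW=... preflight mq.kdb STL` after sourcing the file; a return code of 4 points to a label that does not match the queue manager name.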