Manually configure IBM MQ

Docker is the preferred way of running IBM MQ, but if you need to do it manually, here’s how. This was valid at the end of 2019. If you are reading this in the future, it may no longer be valid.

Table of contents

  1. Prerequisites
  2. Generate a Server Certificate for IBM MQ
  3. Initialize a Key DataBase for the MQ Server
  4. Import the public root CA certificate to mq.kdb
  5. Generate a server certificate request
  6. Generate the certificate
  7. Install the certificate

IBM uses its own implementation of SSL, so handling certificates requires some slightly different concepts. This guide is based on Managing certificates with IBM GSKit and uses the terminal exclusively for greater cross-platform compatibility.

Prerequisites

IBM software is distributed with a Global Security Kit (GSKit). This is a standalone product that comes with many different IBM products.

Supported versions of MQ are distributed with GSKit 8. If your MQ has GSKit 7 you really need to upgrade! The instructions below will fail when using GSKit 7.

You need the GSKit bin and lib64 directories in your PATH environment variable.

Generate a Server Certificate for IBM MQ

IBM MQ requires its server certificates in a specific format. By default it searches for a certificate whose label is ibmwebspheremq with the name of the queue manager appended, all in lowercase. For example, for a queue manager named STL, the default certificate label is ibmwebspheremqstl.

Initialize a Key DataBase for the MQ Server

gsk8capicmd_64 -keydb -create -db mq.kdb -pw 'stellirin'

Import the public root CA certificate to mq.kdb

gsk8capicmd_64 -cert -add -db mq.kdb -pw 'stellirin' -label "Stellirin Certificate Authority" -file ca.cert.pem -format ascii -trust enable

Generate a server certificate request

Add one of the following algorithms to the command below:

-sigalg SHA384WithRSA
-sigalg SHA384WithECDSA

gsk8capicmd_64 -certreq -create -db mq.kdb -pw 'stellirin' -label "ibmwebspheremqstl" -dn "CN=Stellirin MQ Server,O=Stellirin" -file mq.csr.pem

Generate the certificate

Transport mq.csr.pem to the CA and sign it according to Generate a Certificate.

Install the certificate

Transport the signed certificate to the MQ Server and import it into mq.kdb:

gsk8capicmd_64 -cert -receive -db mq.kdb -pw 'stellirin' -file mq.cert.pem -default_cert yes
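
As an added example (not part of the original guide), the shell helpers below derive the default label for any queue manager name, reject a signature algorithm other than the two listed above, and check a certificate listing for the exact label MQ will search for. The function names, the `<password>` placeholder and the sample listing are constructed; the listing layout (marker characters, then the label) is an assumption about the output of `gsk8capicmd_64 -cert -list`.

```shell
#!/bin/sh
# Added example; helper names and the sample listing are constructed.

# Default label MQ searches for: "ibmwebspheremq" + queue manager name, lowercased.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Accept only the two signature algorithms listed in this guide.
mq_sigalg_ok() {
    case "$1" in
        SHA384WithRSA|SHA384WithECDSA) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run: print the certificate request command without executing it.
# Args: queue manager name, signature algorithm, distinguished name.
mq_certreq_command() {
    mq_sigalg_ok "$2" || { echo "unsupported sigalg: $2" >&2; return 1; }
    printf '%s -label "%s" -dn "%s" -sigalg %s -file mq.csr.pem\n' \
        "gsk8capicmd_64 -certreq -create -db mq.kdb -pw '<password>'" \
        "$(mq_cert_label "$1")" "$3" "$2"
}

# Read a certificate listing on stdin; succeed only on an exact label match,
# so "ibmwebspheremqstl2" does not satisfy a search for "ibmwebspheremqstl".
mq_label_in_listing() {
    want=$1
    while IFS= read -r line; do
        # Assumed layout: optional markers (* - ! #), whitespace, then the
        # label, optionally wrapped in double quotes.
        label=$(printf '%s\n' "$line" | sed -e 's/^[*!#-]*[[:space:]]*//' \
            -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/')
        [ "$label" = "$want" ] && return 0
    done
    return 1
}

# Constructed sample listing for a key database built with the steps above.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!  "Stellirin Certificate Authority"
*- ibmwebspheremqstl'
```

After the install step, pipe the real listing from `gsk8capicmd_64 -cert -list -db mq.kdb -pw ...` into `mq_label_in_listing "$(mq_cert_label STL)"` to confirm the label is present.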