
ICE MQ Open Internet Connectivity – Technical Guide to Encrypt Data


Version 1.0
Setup MQ SSL communication: Technical Instructions
Introduction

All digital certificates are stored in a key database file that is managed with iKeyman (the GUI) or
IKEYCMD (the gsk7cmd command line used throughout this guide). Each certificate in the database has a
label. A specific label associates a personal certificate with a queue manager or WebSphere MQ client,
and SSL uses that certificate to authenticate the queue manager to the other end of the channel. On
UNIX, WebSphere MQ uses the ibmwebspheremq prefix on a label to avoid confusion with certificates for
other products.

** The prefix is followed by the name of the queue manager, and the entire certificate label must be
in lower case, even though queue manager names are normally upper case. MQ looks for exactly this
label when an SSL channel starts; a certificate stored under any other label is not used as the
queue manager's own certificate.

Example: ibmwebspheremqyour_queue_manager_name (for the queue manager ACSQMGR used in the examples
below: ibmwebspheremqacsqmgr)

Before you run the gsk7cmd commands below, make sure the JAVA_HOME environment variable is set.
Otherwise you may see the following error:

"The Java Cryptographic Extension (JCE) files were not found. Please check that the JCE files
have been installed in the correct directory"

Prerequisite 1: JAVA_HOME Setup

(AIX) export JAVA_HOME=/opt/mqm/java/jre

(Solaris) export JAVA_HOME=/opt/mqm/ssl/jre

Prerequisite 2: Determine the queue manager key repository location

Run the following command in runmqsc for your queue manager:

dis qmgr SSLKEYR

AMQ8408: Display Queue Manager Details.
QMNAME(ACSQMGR)
SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/key)

SSLKEYR holds the path to the key database without its .kdb extension. The result above means that
this queue manager opens /var/mqm/qmgrs/ACSQMGR/ssl/key.kdb (and the matching stash file key.sth in
the same directory) when an SSL channel starts; substitute your own queue manager name for ACSQMGR.

If you name the key database file differently, for example myKey.kdb, change the queue manager's
SSLKEYR attribute to match (ALTER QMGR SSLKEYR in runmqsc), again without the .kdb extension:

change this:
SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/key)

To this:
SSLKEYR(/var/mqm/qmgrs/ACSQMGR/ssl/myKey)

Step 1. Prepare the SSL key repository (key store/key database)

Use the following command to create the key database file on UNIX:

gsk7cmd -keydb -create -db key.kdb -pw password -type cms -stash

Where:

-keydb -create creates a key database file
-db filename is the fully qualified file name of a CMS key database and must have the file
extension .kdb.
* Keep the key database file in the /var/mqm/qmgrs/$QMGR/ssl directory.
* Use the MQ default file name key.kdb, which matches the default SSLKEYR value shown above.
-pw the password for the key database
-type the type of database (for MQ this must be cms)
-stash writes the password, obfuscated, to a stash file (key.sth) next to the database so that
the queue manager can open the key database without prompting for it

Because the stash file stands in for the password and the database holds the queue manager's
private key, both key.kdb and key.sth must be owned by the mqm user and readable by nobody else;
anyone who can read both files can impersonate the queue manager. Note also that -pw places the
password on the command line, where other users on the host can see it in ps output while the
command runs.

Step 2. Create a self-signed certificate for the queue manager

Use the following command to create a self-signed certificate on UNIX:

gsk7cmd -cert -create -db filename -pw password -label ibmwebspheremq$qmgr_name -dn distinguished_name -size key_size -x509version version -expire days

Where:

-cert -create creates a certificate
-db filename the key database file name
-pw the password for the key database
-label the key label attached to the certificate (must be in lower case; see the example above)
-dn the X.500 distinguished name, enclosed in double quotes. Only the CN attribute is required
(for example "CN=ACSQMGR"); you can also supply multiple OU attributes.
-size the RSA key size in bits. This guide lists 512 or 1024; 512-bit keys are far too weak to
use and 1024 is the minimum, so choose the largest size your GSKit level accepts (2048 where
available).
-x509version the version of X.509 certificate to create (1, 2 or 3). The default is 3.
-expire the lifetime of the certificate in days. The default is 365 days; set a longer period,
for example 3650 days. A ten-year self-signed certificate is not renewed by anything automatic,
so record its expiry date and who must repeat the key exchange (Steps 3 to 5) when it is replaced.

Step 3. Extract a copy of the self-signed certificate

Use the following command to extract the self-signed certificate on UNIX:

gsk7cmd -cert -extract -db filename -pw password -label ibmwebspheremq$qmgr_name -target file_name -format ascii

Where:

-cert -extract extracts a certificate
-db filename the key database file name
-pw the password for the key database
-label the key label attached to the certificate
-target the output file name, by convention with a .arm extension
-format the encoding of the output; ascii produces a Base64 text file

The extracted .arm file contains only the public certificate (the private key never leaves the key
database), so it is safe to send by e-mail. The recipient should nevertheless confirm the
certificate's fingerprint with you out of band before trusting it, because a self-signed certificate
carries no other proof of who issued it.

Step 4. Send the extracted certificate to clients

Send the extracted certificate (the .arm file) to ICE. Copy your request to all of the e-mail lists
below for every "key exchange" project request.

1. syseng@theice.com: Systems Engineering – First level ICE MQ Support
2. sean.shih@theice.com: Second level ICE MQ Support
3. ICEClearUS@theice.com: ICE Clear US Support – for tracking and managing your request until its
completion

Step 5. Add ICE's certificate to your key repository

ICE will respond to Step 4 with the certificate of its own queue manager (a public certificate,
not a key pair). Once you have received it, add it to your key database as a trusted certificate.

Use the following command to add the certificate on UNIX:

gsk7cmd -cert -add -db filename -pw password -label label_for_ice_certificate -file file_name -format ascii

Where:

-cert -add adds a certificate to the key database as a trusted (signer) certificate
-db filename the key database file name
-pw the password for the key database
-label a label of your choice that identifies ICE's certificate. It must not be your own
ibmwebspheremq$qmgr_name label: labels within a key database must be unique, and that label
already names your personal certificate.
-file the .arm file received from ICE
-format the encoding of the input file; ascii for the Base64 text file received

Before continuing, list the certificates in the database and confirm that it now holds both your
personal certificate and ICE's certificate under distinct labels.

Step 6. Modify the channel configuration

Run the following in runmqsc for your queue manager, substituting the name of the channel that
connects to ICE (CHLTYPE must match the channel's actual type; a sender channel is shown):

STOP CHANNEL($your_channel_name)
ALT CHANNEL($your_channel_name) CHLTYPE(SDR) SSLCIPH(RC4_MD5_US)
REFRESH SECURITY TYPE(SSL)
START CHANNEL($your_channel_name)

The SSLCIPH value must be identical on both ends of the channel, so confirm with ICE which
CipherSpec their receiver channel uses before changing yours. RC4_MD5_US, shown here, relies on
RC4 and MD5, both of which are deprecated; where both ends support it, agree on a TLS CipherSpec
instead (for example TLS_RSA_WITH_AES_128_CBC_SHA). REFRESH SECURITY TYPE(SSL) makes the queue
manager reread the key repository, so it is required after Steps 1 to 5 even if the channel
attributes were already set. With the channel default of SSLCAUTH(REQUIRED), the channel will not
start unless the certificate presented by ICE's queue manager is trusted through the certificate
added in Step 5, which is the intended outcome.
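The whole procedure above (the SSLKEYR check and Steps 1 to 6), as an added example that is not part of the ICE guide and not IBM's tooling: a POSIX shell script that derives the certificate label and the SSLKEYR value, refuses a 512-bit key, locks down the key database and stash file, flags a weak CipherSpec and emits the runmqsc commands. It assumes that gsk7cmd and runmqsc are on the PATH (when gsk7cmd is missing the commands are only printed), that your GSKit level accepts -size 2048 (pass 1024 otherwise), and it uses ice_peer, TO.ICE and TLS_RSA_WITH_AES_128_CBC_SHA as placeholder label, channel name and CipherSpec that you must replace with the values agreed with ICE.

```shell
#!/bin/sh
# Added example, not part of the ICE guide: drives the Step 1-6 sequence for
# one queue manager and adds the checks the guide leaves implicit.
# Assumptions: gsk7cmd/runmqsc are on PATH (commands are printed when gsk7cmd
# is absent); your GSKit accepts -size 2048 (pass 1024 otherwise); the names
# ice_peer, TO.ICE and the default CipherSpec are placeholders to adjust.
set -e

# Label convention from the guide: ibmwebspheremq + queue manager name, all
# lower case, even though queue manager names are normally upper case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# SSLKEYR holds the key database path WITHOUT its .kdb suffix.
sslkeyr_from_kdb() {
    printf '%s\n' "${1%.kdb}"
}

# 512-bit RSA (still listed by the guide) is refused outright.
key_size_ok() {
    [ "$1" -ge 1024 ] 2>/dev/null
}

# CipherSpecs built on RC4, MD5, single DES, NULL encryption or export
# strength are weak; the guide's RC4_MD5_US is among them.
cipherspec_weak() {
    case "$1" in
        *RC4*|*MD5*|*NULL*|*EXPORT*|DES_*|*_DES_CBC_*) return 0 ;;
        *) return 1 ;;
    esac
}

# The stash file stands in for the password, so neither it nor the .kdb may
# be readable by group or others (positions 5-10 of ls -l must be "------").
private_to_owner() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run a command, or echo it when the tool is not installed.
run() {
    if command -v "$1" >/dev/null 2>&1; then "$@"; else echo "DRY-RUN: $*"; fi
}

# Steps 1-3: key database with stash, self-signed personal certificate, .arm
# export. -pw puts the password on the command line, visible in ps meanwhile.
setup_qmgr_ssl() {
    qmgr=$1; ssldir=$2; pw=$3; size=${4:-2048}
    label=$(mq_cert_label "$qmgr"); kdb="$ssldir/key.kdb"
    key_size_ok "$size" || { echo "refusing RSA key size $size" >&2; return 1; }
    run gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -stash
    run gsk7cmd -cert -create -db "$kdb" -pw "$pw" -label "$label" \
        -dn "CN=$qmgr" -size "$size" -x509version 3 -expire 3650
    run gsk7cmd -cert -extract -db "$kdb" -pw "$pw" -label "$label" \
        -target "$ssldir/$label.arm" -format ascii
    for f in "$kdb" "$ssldir/key.sth"; do   # lock both files down to the owner
        if [ -f "$f" ]; then chmod 600 "$f"; private_to_owner "$f" || return 1; fi
    done
}

# Step 5: import the peer certificate under its own label; never reuse the
# ibmwebspheremq label, which already names your personal certificate.
add_peer_cert() {
    kdb=$1; pw=$2; armfile=$3; peerlabel=${4:-ice_peer}
    run gsk7cmd -cert -add -db "$kdb" -pw "$pw" -label "$peerlabel" \
        -file "$armfile" -format ascii
    run gsk7cmd -cert -list -db "$kdb" -pw "$pw"   # both labels must appear
}

# SSLKEYR change plus Step 6 as MQSC text. The same SSLCIPH must be set on
# the channel at the other end; a weak choice is reported, not silently used.
channel_ssl_mqsc() {
    chan=$1; chltype=$2; cipher=$3; sslkeyr=$4
    if cipherspec_weak "$cipher"; then
        echo "warning: $cipher relies on a weak algorithm; agree a TLS CipherSpec" >&2
    fi
    cat <<EOF
ALTER QMGR SSLKEYR('$sslkeyr')
STOP CHANNEL($chan)
ALTER CHANNEL($chan) CHLTYPE($chltype) SSLCIPH($cipher)
REFRESH SECURITY TYPE(SSL)
START CHANNEL($chan)
EOF
}

# Usage: QMGR=ACSQMGR PW='kdb password' sh mq_ssl_setup.sh
if [ -n "${QMGR:-}" ]; then
    ssldir="/var/mqm/qmgrs/$QMGR/ssl"
    setup_qmgr_ssl "$QMGR" "$ssldir" "${PW:?}" "${KEYSIZE:-2048}"
    mqsc=$(channel_ssl_mqsc "${CHANNEL:-TO.ICE}" SDR \
        "${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA}" "$(sslkeyr_from_kdb "$ssldir/key.kdb")")
    if command -v runmqsc >/dev/null 2>&1; then printf '%s\n' "$mqsc" | runmqsc "$QMGR"
    else printf 'DRY-RUN runmqsc %s:\n%s\n' "$QMGR" "$mqsc"; fi
fi
```

The generated MQSC quotes the SSLKEYR path in single quotes because runmqsc folds unquoted values to upper case, which would break a mixed-case path such as myKey. Run the script as the mqm user so that the chmod 600 leaves key.kdb and key.sth owned by the account the queue manager runs under, and call add_peer_cert once ICE's .arm file has arrived (Step 5) before the REFRESH SECURITY in the generated MQSC is applied.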

Reference:
IBM InfoCenter (MQ Security): http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp
Verisign: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR230
