Practical mastering IBM MQ basics

*This series may be revised based on the latest mqpgf/mqpcf. Please always download and use the latest version.

IBM MQ can use SSL/TLS for server-to-server connections and client connections.
Over the next few times, we'll discuss how to set up and use the TLS configurations available in IBM MQ. I will leave the explanation of SSL / TLS itself to others, and here I will explain only the configuration method.

When using SSL/TLS, there are three main methods for signing digital certificates, and IBM MQ can use any of them.

Here, we will introduce how to easily build a private CA using Openssl and verify SSL/TLS communication.
The construction procedure shows three types of platforms as an example: Windows, Linux, and HPE NonStop. You can use different private CAs for each machine / queue manager, or you can use a common CA. If the MQ network operates only within an intranet environment, it is unlikely that there will be multiple CAs, but if external CAs are utilized, they often use separate certificate authorities(CAs). Therefore, the explanation is based on the assumption that different CAs are intentionally used for each machine/queue manager.
From here, it is assumed that you can set up the basic MQ configuration by yourself. The procedure for creating, configuring, and operating the queue manager in the basic part is omitted, so if you are uncertain about that part, please refer to the previous series.

Creating a private CA using Openssl

The procedure for configuring a private CA using Openssl is much simpler than you might think. Once you get used to that method, you will understand that it is easy and very convenient to verify SSL/TLS with MQ.
*The procedure for creating a private CA is the same for Windows / Linux / HPE Nonstop unless otherwise specified.

Preparation before CA construction

Openssl is included with MQ for HPE NonStop so you can use it, but it is not included with the Windows and Linux versions of MQ. The compiled version of the Windows version is available for download, so it is convenient to use it. In the case of Linux, it is often already available, but if not, please set it up. The explanation of the procedure is omitted here, so please refer to other sites as necessary. For MQ for HPE NonStop, the openssl command is installed in <MQ Install Directory>/opt/mqm/bin.

Consideration for high entropy

Openssl requires seed data to be input to the Pseudo-Random Number Generator(PRNG). This requires that a seed value with sufficient entropy be provided. This is also required when using Openssl command line tools. For Windows, get seeds to enter into PRNG from various sources, such as what is displayed on the screen. For Unix/Linux, /dev/urandom, /dev/random, etc. are used (/dev/urandom takes precedence), so make sure they are available. For HPE NonStop, the service (/etc/egd-pool) is used with the OSS file system socket. As the entropy daemon to use this, amqjkdm0 was provided in MQ5.3, but it is not provided in MQ8, so prngd provided by the OS side is used. You can continue to use amqjkdm0 in an environment where MQ5.3 and MQ8 coexist.

Since MQ for HPE NonStop uses the Openssl library even for MQ communication using SSL/TLS, it is necessary to start these daemons even while the queue manager is running.

For reference, I will introduce how to start/stop prngd manually. Please refer to the OS document for details.

Start and stop the entropy daemon by SUPER.SUPER.

When using the command line tool, if sufficient entropy cannot be secured, the '-rand' option, RANDFILE parameter of Opennssl configuration file, RANDFILE environment variable can be used, but the explanation of how to use them is omitted. Please refer to other documents

Creating files/directories used by the CA

Create directories used by the private CA.

$ mkdir openssl $ cd openssl $ mkdir lnxca $ cd nsca $ mkdir certs $ mkdir certs crl newcerts private $ ls -l total 32 drwxr-xr-x 1 mqm mqm 4096 Jun 24 09:59 certs drwxr-xr-x 1 mqm mqm 4096 Jun 24 09:59 crl drwxr-xr-x 1 mqm mqm 4096 Jun 24 09:59 newcerts drwxr-xr-x 1 mqm mqm 4096 Jun 24 09:59 private

*For Windows, you can use Explorer or any text editor to create the following required directories and files.

Create various files used by the private CA.

$ echo 01 > serial $ cat serial 01 $ touch index.txt $ ls -l index.txt -rw-rw-r--. 1 mqm mqm 0 Jun 23 16:05 index.txt $

The serial file uses "01" as the initial value, and the index.txt file is created as an empty file.

Openssl configuration file preparation

Place and edit the Openssl configuration file (openssl.cnf) file. The Openssl installation includes a sample openssl.cnf file, copy it for editing. The location is essentially free, but it can be the root directory of the CA created above for clarity. For windows, the sample openssl.cnf file is usually located at <openssl install dir>bin/cnf/openssl.cnf. For Linux, it is in /etc/pki/tls/openssl.cnf etc., but if it does not exist, please check the document on the OS side.

CA configuration definition

The CA section prepared here will be used later when signing the server certificate (when using the openssl ca command).
The important parameters to be set in the openssl.cnf file for CA configuration are described below.
*The part in blue is the part changed from the default setting.

Sample openssl.cnf: .... #################################################################### [ ca ] #default_ca = CA_default # The default ca section default_ca = winca # The default ca section #################################################################### #[ CA_default ] [ winca ] dir = C:/.../openssl/winca # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several certs with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL #default_md = default # use public key default MD default_md = sha256 # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) #policy = policy_match policy = policy_anything # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional .... [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE

Set the information to generate the root certificate in the configuration file

Define the req section of the openssl.cnf file.

Sample openssl.cnf: .... #################################################################### [ req ] default_bits = 2048 #default_keyfile = privkey.pem default_keyfile = C:/.../openssl/winca/private/cakey.pem default_md = sha256 # default MD distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extensions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) #countryName_default = AU countryName_default = JP countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) #stateOrProvinceName_default = Some-State stateOrProvinceName_default = Chiba localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) #0.organizationName_default = Internet Widgits Pty Ltd 0.organizationName_default = Pulsar Integration Inc. # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = #commonName = Common Name (e.g. server FQDN or YOUR name) commonName = www.pulsarintegration.com commonName_max = 64 #emailAddress = Email Address emailAddress = support@pulsarintegration.com emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name .... [ v3_ca ] .... basicConstraints = critical,CA:true

Creating a self-signed root certificate

If the PATH to the openssl command is not set, set it.
For HPE NonStop, loading the mqprofile script will set the path to the included openssl.

*For Windows >set PATH=%PATH%;C:\Program Files\OpenSSL-Win64\bin >openssl version OpenSSL 1.1.1k 25 Mar 2021 > *For Unix-like OS export PATH=$PATH:/usr/local/ssl/bin $ openssl version OpenSSL 1.1.1j 16 Feb 2021 $ *For HPE NonStop $ . <MQ install directory>/var/mqm/wmqprofile(For MQ5.3.1) $ . <MQ install directory>/var/mqm/mqprofile(For MQ8)

Set the OPENSSL_CONF environment variable.

*For Windows >set OPENSSL_CONF=C:\...\openssl\winca\openssl.cnf *For Unix-like OS $ export OPENSSL_CONF=/.../.../openssl.cnf *If not specified, the following warning may be output each time the openssl command is executed. WARNING: can't open config file: /usr/local/ssl/openssl.cnf

The command to create a self-signed root certificate is below.

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 3650

*Option descriptions
req: You can use this command to create, verify, operate certificate requests and to create a self-signed certificate (root certificate) suitable for establishing a root CA.
-x509: Create a self-signed certificate (suitable for use with the root CA), not a certificate request.
-newkey rsa: Create a new key pair and use RSA as its public key cryptosystem. For RSA you can also specify the length of the prime number. If omitted, the default_bits value set in the [req] section of the configuration file is used.
-out <filename>: The file name to which the self-signed certificate or certificate request is output. If omitted, standard output is used.
-outform: Specify the format of the self-signed certificate or certificate request (DER or PEM). The default is PEM.
-days <number>: The number of days the self-signed certificate to generate will expire.

After moving to the CA directory, execute the above command. At that time, you will be asked for the pass phrase. Make a note of this as you will need it later. You will be prompted to confirm each parameter of the Distinguished Name for the certificate, but if you want to keep the default value specified in the configuration file, enter only the return. Since the default value is not specified for commonName and emailAddress, enter them.

> cd ..../winca > openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 3650 Generating a RSA private key ..............................................................................+++++ .................................................+++++ writing new private key to '..../winca/private/cakey.pem' Enter PEM pass phrase: winca Verifying - Enter PEM pass phrase: winca ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Chiba]: Locality Name (eg, city) []: Organization Name (eg, company) [Pulsar Integration Inc.]: Organizational Unit Name (eg, section) []: www.pulsarintegration.com []:www.pulsarintegration.com support@pulsarintegration.com []:support@pulsarintegration.com >

Check the created self-signed root certificate by text dumping it with the following command.

openssl x509 -in cacert.pem -text -noout

*Option descriptions
x509: Create, verify, and perform various other operations on X.509 certificates.
-in <filename>: File name to read (in this case an X.509 self-signed root certificate).
-text: Converts the read certificate into a readable format and outputs it.
-noout: Suppresses the output of the certificate in encoded form.

Check if the parts in blue (Signature Algorithm, Issuer, Validity, Subject, Public Key Algorithm, X509v3 Basic Constraints, Signature Algorithm) are as specified (assumed).

>openssl x509 -in cacert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 78:8c:a6:a9:32:69:37:d5:aa:d6:74:40:a1:29:b4:2f:ce:2d:99:36 Signature Algorithm: sha256WithRSAEncryption Issuer: C = JP, ST = Chiba, O = Pulsar Integration Inc., CN =
www.pulsarintegration.com, emailAddress = support@pulsarintegration.com Validity Not Before: Jul 16 04:14:26 2021 GMT Not After : Jul 14 04:14:26 2031 GMT Subject: C = JP, ST = Chiba, O = Pulsar Integration Inc., CN =
www.pulsarintegration.com, emailAddress = support@pulsarintegration.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9b:4d:5e:b7:54:6b:8f:a1:d3:95:52:d3:69:2e: f7:30:23:46:67:21:9e:30:32:6a:cd:a8:cf:75:52: 89:73:53:1b:f1:e1:00:95:d8:a7:05:df:2d:fd:7b: 19:fe:b7:40:0e:98:ed:6a:af:e5:de:f5:23:78:88: 29:9d:0b:4d:e0:74:8c:0e:9f:88:4d:bd:15:db:43: 56:a9:e0:0d:a2:96:fe:15:66:f4:f3:66:54:84:c4: bb:86:02:c0:0a:69:34:24:d6:f0:a8:1d:db:14:7c: 7a:62:e9:d3:70:0e:42:c3:af:45:6c:cc:17:e8:9e: ef:5e:ed:e4:d1:a8:04:ef:46:66:b7:5d:ed:09:91: ba:e1:19:98:44:d6:2e:29:4a:2a:92:87:38:f3:e4: 87:37:74:b1:29:03:ee:62:ab:fc:c9:63:c3:a8:7f: ce:aa:13:95:bf:1d:2d:46:73:73:4a:a1:68:26:f5: 7c:04:b0:be:6c:0c:bb:63:b5:45:e9:b6:33:d8:e8: 77:21:5c:11:ea:74:41:0c:d7:a5:51:17:0f:d8:93: 26:51:32:24:76:4e:ed:89:88:6d:52:2f:72:b8:35: 69:fc:85:bb:04:ca:8a:a3:0c:69:bc:75:52:8e:79: 66:65:33:43:c9:3c:82:f4:70:ba:fc:99:bf:32:04: 32:1b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 23:0B:5D:88:01:02:F5:6E:2B:F7:67:3D:67:A3:EF:AB:72:8D:43:A2 X509v3 Authority Key Identifier: keyid:23:0B:5D:88:01:02:F5:6E:2B:F7:67:3D:67:A3:EF:AB:72:8D:43:A2 X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 38:80:07:0e:eb:0b:31:fb:f8:22:7d:f0:fa:50:33:00:f8:63: e3:84:83:a9:8f:60:d4:72:d0:98:d8:04:b9:28:82:71:ff:4d: ce:03:86:d8:e2:ab:21:7e:56:8f:98:ec:1c:41:9f:ae:67:1e: 83:ca:52:24:60:3a:59:e4:80:e4:f8:4d:da:64:96:05:45:0e: e2:ef:82:50:b8:53:5e:b3:bd:fa:74:b8:1a:85:e1:fc:29:2d: d7:bc:be:3a:b8:81:a5:ef:bf:1f:ad:49:74:0e:ec:ba:7a:53: 5e:12:3a:f1:39:0f:bd:bd:f8:ba:26:b0:00:85:3c:dc:d6:05: 83:00:53:f3:67:96:9f:cf:36:9a:74:ee:06:6f:eb:5b:af:28: 1f:da:73:96:34:4f:4b:86:61:00:09:9c:30:11:b1:69:aa:62: 77:5b:26:bf:7a:6c:fe:ca:9f:35:50:19:95:dc:79:00:c7:91: 19:e9:2d:6e:01:d7:91:c8:38:7c:07:9f:31:da:44:5b:1d:86: e7:49:0f:89:73:d1:0b:dd:4e:9b:01:08:7f:b2:48:ff:f2:1b: 9e:19:be:7e:7e:4c:22:fa:78:d3:5a:9e:01:4c:76:13:90:94: 3f:4f:67:ba:4d:bb:7b:6c:a6:8c:ce:19:49:f8:74:85:04:2e: 7a:10:62:d8 >

Make sure that the CA's private key has also been created. PEM is a Base64-encoded certificate format.

>cd private >dir ... 2021/07/16 13:14 1,884 cakey.pem ... > type cakey.pem (For Windows) > cat cakey.pem (For Unix-like OS) -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQInBgXOOHH1XkCAggA MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLR2QB+/LXw1BIIEyAlOn8D3P/Hh .... goFBi9hkAqG7xCmwPGqGziC8ZQnvBRRQ4FkcXiQUqgox+BkzWk4/tzaXua96D1Nx cNQ/COBPLF+AIVG5cNCUbg== -----END ENCRYPTED PRIVATE KEY----- >

SSL/TLS setup on each server (to create CSR) (GSKit)

MQ for Multiplatforms uses GSKit(IBM Global Security Kit) for SSL/TLS libraries. MQ8 for HPE NonStop will continue to use Open SSL, similar to MQ5.3.1. First, I will explain the work procedure with GSKit.(The procedure for working with MQ8 for HPE NonStop(Open SSL) will be described later.)
The procedure after this is verified with the following version.

GSKit commands used in SSL/TLS setup

With GSKit, you can use the strmqikm(iKeyman), runmqckm(iKeycmd), and runmqakm(GSKCapiCmd) commands.

Subsequent steps basically use the runmqckm command and use runmqakm only when creating a certificate request.

Prepare key repository for each queue manager(Windows, Linux)

If the MQ environment is not set up in the login environment of each machine, set up the queue manager environment that configures SSL/TLS.

*For Windows > cd /bin > setmqenv -s > dspmqver Name: IBM MQ Version: 9.2.0.0 ... *For Linux $ cd /opt/mqm/bin $ setmqenv -s $ dspmqver Name: IBM MQ Version: 9.1.0.4 ...

*If -s is specified for setmqenv, the same installation environment as the executed setmqenv will be set among multiple MQ installations.

Create a key repository. The default key repository location is set in queue manager SSLKEYR property.

> mqpcf mqsc -qm PL92W -s "dis qmgr SSLKEYR" 1: AMQ8408I: ... QMNAME(PL92W) SSLKEYR(C:\ProgramData\IBM\MQ\qmgrs\PL92W\ssl\key) *Default for Windows

*Option descriptions
mqsc: Execute any mqsc command.
-s : MQSC command string

The default for Linux is SSLKEYR (/var/mqm/qmgrs/PL91L/ssl/key).
The "key" at the end is the filename of the repository, not the directory.

Move to the location of the repository.

>*For Windows >cd C:\ProgramData\IBM\MQ\qmgrs\PL92W\ssl *For Linux $ cd /var/mqm/qmgrs/PL91L/ssl

Create a key repository using the runmqckm command.
*The following is an example of Windows, but the same applies to Linux.

...\ssl>runmqckm -keydb -create -db key.kdb -pw PL92Wpass -type cms -stash 5724-H72 (C) Copyright IBM Corp. 1994, 2020.

*Option descriptions
-keydb: The target of the command is the key database
-create: Create key database
-db filename: Specify the fully qualified file name of the CMS key database. The file extension must be ".kdb".
-pw password: Specify the password for the CMS key database.
-type cms: Specifies the type of key database. For IBM MQ, always specify cms (Certificate Management System).
-stash: Save the key database password to a file.

The following three files will be created.

>dir ... 2021/07/21 14:43 88 key.kdb 2021/07/21 14:43 80 key.rdb 2021/07/21 14:43 193 key.sth ...

Here's a brief description of these files.

Overview of CERTLABL

Since MQ8.0, you can specify CERTLABL for each channel and select a different personal certificate for each channel. Inbound channels (including RCVR, CLUSRCVR, unqualified SERVER, and SVRCONN channels) rely on detecting channel name using TLS Server Name Indication (SNI), will only send the configured certificate if the IBM MQ version of the remote peer fully supports certificate label configuration and the channel is using a TLS CipherSpec. Be aware that MQ8.0 and earlier releases will only receive certificates configured with her CERTLABL parameter in the queue manager, so there are restrictions when connecting to older queue managers such as MQ5.3 for HPNonStop. (Detailed explanation of this restriction is omitted here.)
The queue manager's default CERTLABL is ibmwebspheremq on his Windows/Linux plus the queue manager's name (lowercase) and is blank on HPE NonStop.

>mqpcf mqsc -qm PL92W -s "dis qmgr CERTLABL" *For Windows/Linux 1: AMQ8408I: QMNAME(PL92W) CERTLABL(ibmwebspheremqpl92w)

Hereafter, the procedure will be described using the case of specifying CERTLABL for each channel as an example.

Create Certificate Signing Request(CSR) (Windows, Linux)

A CSR (Certificate Signing Request) is a request to a CA to sign a server certificate. When creating a CSR, use runmqakm instead of runmqckm if you want to use 2048 for the key size. At that time, -fips is not specified.
*The following is an example of Windows, but the same applies to Linux, and it is specified in one line. For DN, specify the contents for each server.

...\ssl>runmqakm -certreq -create -db key.kdb -pw PL92Wpass -label PL92WA -dn "CN=www.pulsarintegration.PL92W.com,O=Pulsar Integration PL92W Inc.,S=Chiba,C=JP" -size 2048 -file key.csr -sig_alg sha256 5724-H72 (C) Copyright IBM Corp. 1994, 2020.

*Option descriptions
-certreq: The target of the command is a certificate request
-create: Create a certificate request
-db filename: Specifies the fully qualified file name of a CMS key database.
-pw password: Specifies the password for the CMS key database.
-label label: Specifies the key label attached to the certificate. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager all in lowercase.
-dn: distinguished_name: Specifies the X.500 distinguished name enclosed in double quotation marks. At least one attribute is required.
-size: Key size.
-file: File name of a certificate request.
-sig_alg: The hashing algorithm used during the creation of a certificate request.

A certificate request file "key.csr" is created.

>dir ... 2021/07/21 16:00 1,038 key.csr 2021/07/21 14:43 88 key.kdb 2021/07/21 16:00 5,080 key.rdb 2021/07/21 14:43 193 key.sth

Make sure that the certificate request is created as expected.

...\ssl>runmqckm -certreq -details -label PL92WA -db key.kdb ... A password is required to access the source key database. Please enter a password: PL92Wpass Label:PL92WA Key Size:2048 Subject: CN=www.pulsarintegration.PL92W.com, O=Pulsar Integration PL92WA Inc., ST=Chiba, C=JP Fingerprint: 07:47:A3:DE:98:5E:DC:88:6E:35:AC:90:4E:B6:E7:70 Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)

*Option descriptions
-certreq: The target of the command is a certificate request
-detail: Show the details of a specific certificate request
-label label: Specifies the key label attached to the certificate.
-db filename: Specifies the fully qualified file name of a CMS key database.

SSL/TLS setup on each server (to create CSR) (Openssl)

HPE NonStop also uses openssl for all of the following tasks: In the following, we are working on creating a directory with the queue manager name under .../openssl/ nsca. There is no fixed method for work management, so feel free to decide and work according to the convenience of the system.

$ cd ..../openssl/nsca $ mkdir PL81N $ cd PL81N

Create Certificate Signing Request(CSR) (HPE NonStop)

Create openssl.cnf in the working directory to create a certificate signing request(CSR).

Define the [req] section of the openssl.cnf file.

Sample openssl.cnf: .... #################################################################### [ req ] default_bits = 2048 default_keyfile = privkey.pem default_md = sha256 distinguished_name = req_distinguished_name attributes = req_attributes #x509_extensions = v3_ca # The extensions to add to the self signed cert x509_extensions = v3_req # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) #stateOrProvinceName_default = Some-State stateOrProvinceName_default = Sydney localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) #0.organizationName_default = Internet Widgits Pty Ltd 0.organizationName_default = Pulsar Integration PL81NA Inc. # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = #commonName = Common Name (e.g. server FQDN or YOUR name) commonName = www.sd.pulsarintegration.PL81N.com commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name .... [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Set the created configuration file in the OPENSSL_CONF environment variable.

$ export OPENSSL_CONF=..../openssl/nsca/PL81N/openssl.cnf

Load the MQ preference file.

$ . <MQ install directory>/var/mqm/wmqprofile (For MQ5.3.1)
$ . <MQ install directory>/var/mqm/mqprofile (Fpr MQ8)

Make sure the entropy daemon is running.

$ ps -ef|grep prngd | grep -v grep SUPER.SUPER 1744830575 .... 00:00 /usr/coreutils/sbin/prngd /etc/egd-pool -m 0777

If the entropy daemon is not running, start it.(Already mentioned above) If the entropy daemon is not running, the following error occurred when generating the RSA Private Key in this test.

$ openssl req ... Generating a RSA private key Error Generating Key 0:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:... 0:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:... ...

The command to create a certificate request (CSR) is:

openssl req -newkey rsa:2048 -sha256 -keyout PL81Nkey.pem -passout pass:PL81Npass -out PL81Nreq.pem

*Option descriptions
req: Use this command to create, verify, and manipulate certificate requests.
-newkey rsa: Create a new key pair and use RSA as its public key cryptosystem. For RSA you can also specify the length of the prime number. If omitted, the default_bits value set in the [req] section of the configuration file is used.
-sha256: Specify sha256 as the message digest algorithm used to sign the certificate request.
-keyout <filename>: Specify the file name to which the used private key is output.
-passout pass:&pass phrase>: A passphrase used to encrypt a private key when it is generated with a certificate or certificate request.
-out <filename>: File name of the output destination of the certificate request to be output.

After moving to the working directory of the queue manager name, execute the above command. You will be prompted to confirm each parameter of the Distinguished Name for the certificate, but if you want to keep the default value specified in the configuration file, enter only the return. Here, only the commonName is entered.

$ openssl req -newkey rsa:2048 -sha256 -keyout PL81Nkey.pem -passout pass:PL81Npass -out PL81Nreq.pem Generating a RSA private key .....................................+++++ ...........................................................+++++ writing new private key to 'PL81Nkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Sydney]: Locality Name (eg, city) []: Organization Name (eg, company) [Pulsar Integration PL81NA Inc.]: Organizational Unit Name (eg, section) []: www.sd.pulsarintegration.PL81N.com []:www.sd.pulsarintegration.PL81N.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

A PEM-formatted private key file and a certificate request file are generated.

.../openssl/nsca/PL81N: ls -l total 28 -rw------- 1 MQM.MANAGER MQM 1854 Jul 21 20:22 PL81Nkey.pem -rw-r--r-- 1 MQM.MANAGER MQM 1021 Jul 21 20:22 PL81Nreq.pem -rw-rw-rw- 1 MQM.MANAGER MQM 11147 Jul 21 19:09 openssl.cnf

Make sure that the certificate request is created as expected.

.../openssl/nsca/PL81N: openssl req -in PL81Nreq.pem -text Certificate Request: Data: Version: 1 (0x0) Subject: C = AU, ST = Sydney, O = Pulsar Integration PL81NA Inc., CN = www.sd.pulsarintegration.PL81N.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: ... Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption ... -----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----

*Option descriptions
req: Use this command to create, verify, and manipulate certificate requests.
-in: Specify the file name of the certificate request.
-text: Converts the read certificate request into a readable format and outputs it.

to the top