Your keystore on your MQ server must have a certificate with the proper label. Your keystore can have any name, but the certificate label is what matters; IBM MQ won't accept any other format. The format is ibmwebspheremq<queue_manager_lower_case>, where <queue_manager_lower_case> is the name of your queue manager in lower case. So if your queue manager is QM_ORANGE, then the certificate label must be ibmwebspheremqqm_orange.
You can create a new keystore on your MQ server with the following command:
/opt/mqm/bin/runmqakm -keydb -create -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -type cms -stash
Then you can create the certificate in the keystore with the following command:
/opt/mqm/bin/runmqakm -cert -create -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqqm_orange -size 2048 -sigalg SHA512withRSA -san_dnsname qm_orange.dynatrace.com -dn "CN=qm_orange.dynatrace.com,OU=Extensions,O='Dynatrace',L='Detroit',ST=Michigan,C=US" -expire 1825
Note: The filename can be anything, and the location of the keystore is your preference.
Your keystore on the client side (where ActiveGate is, i.e. where your MQ client is installed) must have a certificate with the proper label. Your client keystore can have any name, but the certificate label is what matters; it won't accept any other format. The format is ibmwebspheremq<user_running_plugin_process>, where <user_running_plugin_process> is the operating system user that runs the Dynatrace remote plugin process/service (not the ActiveGate). On Windows it is likely running as "Local Service", and you want to change that to a real user (a service account, for example). So if the user is svcdyn, then the certificate label on the client must be ibmwebspheremqsvcdyn. Create the client certificate in the client keystore; the username running the process must match the username in the client certificate label:
Both keystores, on the MQ server and on the MQ client (where ActiveGate is), have to be in CMS format (not JKS or PK12) and must contain at least the .sth file alongside the .kdb. The .sth file holds the stashed password, so make sure to stash the password when you create the keystore.
[Figure: keystore files on the IBM MQ server and on the ActiveGate]
The client keystore must have the IBM MQ server certificate (its public key) imported. So export the certificate ibmwebspheremq<queue_manager> from the IBM MQ server keystore and import it into the client keystore.
You can export the certificate from the IBM MQ server keystore by using the following command:
/opt/mqm/bin/runmqakm -cert -extract -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqqm_orange -target /var/mqm/qmgrs/QM_ORANGE/ssl/ibmwebspheremqqm_orange.arm -format ascii
Copy the extracted certificate file to the ActiveGate, then import it into the ibmmqkeystore.kdb keystore on the ActiveGate:
The IBM MQ server keystore must have the client certificate (its public key) imported. So export the certificate ibmwebspheremq<username> from the client keystore and import it into the IBM MQ server keystore.
Export the certificate from the ActiveGate keystore:
Copy the extracted client certificate to the IBM MQ server then import it using the following command:
/opt/mqm/bin/runmqakm -cert -add -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqdiego -file /var/mqm/qmgrs/QM_ORANGE/ssl/client_cert.arm -format ascii
Now your IBM MQ server should have a keystore containing its own certificate and the client certificate, and your ActiveGate should have its own keystore containing its own certificate and the IBM MQ server certificate. You can list the certificates in the IBM MQ server keystore with the following command:
/opt/mqm/bin/runmqakm -cert -list -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit
[Figure: ActiveGate keystore showing the certificate imported from the MQ server]
Make sure that your server-connection channel has the proper cipher spec selected and that you select the exact same one in the plugin config UI.
If you're using a Peer Name (PNRP) on the server-connection channel (Distinguished Name), then make sure that the Distinguished Name exists in the CLIENT certificate (the one labeled ibmwebspheremq<username>).
The path to repository field in the plugin UI is the path to the client keystore, including the keystore name but without the extension. So if the keystore is D:\ssl\clientkeystore.kdb, then the path to repository field must say D:\ssl\clientkeystore.
Your IBM MQ server and MQ client (ActiveGate) need to have separate keystores. They must be in CMS format, not JKS, PK12 or other. The names of your keystores do not matter.
Your IBM MQ server keystore must have your CA Root certificate imported as a “Signer Certificate”.
You must create the Certificate Signing Request (CSR) from your IBM MQ server keystore, because doing so writes a record in the .rdb file of your keystore. You cannot create the CSR from elsewhere.
Create a signed certificate using your Certificate Authority and your signing request. With OpenSSL, you could execute the following command:
openssl x509 -req -in certcsr.arm -CA myCARoot.crt -CAkey myCARoot.key -CAcreateserial -out mysignedcert.crt -days 500 -sha256
Import/Receive your signed certificate into your keystore under Personal Certificates. Make sure your certificate has the label (alias) ibmwebspheremq<queue_manager>, where <queue_manager> is your queue manager name all in lower case.
Repeat steps 2-4 for your MQ client (ActiveGate) keystore.
Import/Receive your signed certificate into your keystore under "Personal Certificates". Make sure your certificate has the label (alias) ibmwebspheremq<username>, where <username> is the user that runs your remote plugin module process (not your ActiveGate process).
When all done, place all files for MQ server in the proper location and configure the queue manager to look for the keystore in that location.
Configure your SSL server-connection channel to use the right cipher spec; it must match on both sides of the communication.
For the MQ client, place the files in your location of choice, and in the Config UI of the plugin enter the path to the keystore WITHOUT the .kdb extension. So just type /path/to/SSL/keystore/filename in the SSL Repository field. Also make sure that the proper cipher spec is selected.
Remember to refresh the SSL configuration on your queue manager so it picks up the new SSL changes.
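The checks below are an added pre-flight script (not part of this page, nor Dynatrace or IBM tooling) that encodes the conventions described above: the label is ibmwebspheremq followed by the lower-cased queue manager or user name, the SSL Repository path is the keystore path without its .kdb extension, and a stashed-password .sth file must sit beside the .kdb. The keystore file names used in the comments are constructed examples.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the IBM MQ / ActiveGate keystore setup (example code).
# Assumptions: CMS keystore <name>.kdb with a stash file <name>.sth beside it;
# the plugin's "SSL Repository" value is <name> without the ".kdb" extension.
set -u

# Expected certificate label for either side of the connection:
#   server: ibmwebspheremq<queue_manager_lower_case>   (e.g. QM_ORANGE -> ibmwebspheremqqm_orange)
#   client: ibmwebspheremq<user_running_plugin_process> (e.g. svcdyn    -> ibmwebspheremqsvcdyn)
# The name is always lower-cased; an upper-case label is not accepted by MQ.
mq_label() {
  printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Validate a repository path such as /path/to/SSL/keystore/filename:
#   - it must not carry the .kdb extension (the plugin appends it itself),
#   - <path>.kdb must exist,
#   - <path>.sth must exist (password stashed with -stash at creation time).
# Prints every problem found and returns 1 if any; returns 0 when all is well.
check_repository() {
  repo=$1
  rc=0
  case "$repo" in
    *.kdb) echo "repository path must not end in .kdb: $repo"; rc=1 ;;
  esac
  base=${repo%.kdb}
  [ -f "$base.kdb" ] || { echo "missing keystore: $base.kdb"; rc=1; }
  [ -f "$base.sth" ] || { echo "missing stash file: $base.sth (recreate the keystore with -stash)"; rc=1; }
  return $rc
}

# Typical use (constructed values): compare the label you plan to give the
# certificate with the one MQ expects, then validate the client repository path.
#   mq_label QM_ORANGE                      # ibmwebspheremqqm_orange
#   mq_label svcdyn                         # ibmwebspheremqsvcdyn
#   check_repository /opt/ssl/ibmmqkeystore # expects ibmmqkeystore.kdb and .sth
```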