IBM MQ extension – SSL configuration (self-signed and CA-signed)

Self-signed certificates:

  1. Your keystore on your MQ server must have a certificate with the proper label. Your keystore can have any name, but the certificate label is what is important. It won't accept any other format. Format is: ibmwebspheremq<queue_manager_lower_case> where <queue_manager_lower_case> is the name of your queue manager. So if your queue manager is QM_ORANGE, then the certificate label must be ibmwebspheremqqm_orange

    • You can create a new keystore on your MQ server with the following command: /opt/mqm/bin/runmqakm -keydb -create -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -type cms -stash

    • Then you can create the certificate into the keystore with the following command: /opt/mqm/bin/runmqakm -cert -create -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqqm_orange -size 2048 -sigalg SHA512withRSA -san_dnsname qm_orange.dynatrace.com -dn "CN=qm_orange.dynatrace.com,OU=Extensions,O='Dynatrace',L='Detroit',ST=Michigan,C=US" -expire 1825

    • Note: The filename can be anything, and the location of the keystore is your preference.

  2. Your keystore on the client side (where ActiveGate is, where your MQ client is installed) must have a certificate with the proper label. Your client keystore can have any name, but the certificate label is what is important. It won't accept any other format. Format is: ibmwebspheremq<user_running_plugin_process> where <user_running_plugin_process> is the operating system user that is running the Dynatrace remote plugin process/service (not the ActiveGate). If it’s Windows, then it is likely using “Local Service” as the account that runs it, and you want to change it to a real user (a service account, for example). So if the user is svcdyn, then the certificate label on the client must be ibmwebspheremqsvcdyn.

    (Screenshot: Create the client certificate in the client keystore.)

    (Screenshot: The username running the process must match the username in the client certificate.)

  3. Both keystores, on the MQ server and on the MQ client (where ActiveGate is), have to be in CMS format (not JKS or PK12) and must contain at least the .kdb, .rdb and .sth files. The .sth file holds the stashed password, so make sure to stash the password when you create the keystore.

    (Screenshots: IBM MQ server keystore files; ActiveGate keystore files.)

  4. The client keystore must have the public key of the IBM MQ server certificate imported. So export the certificate ibmwebspheremq<queue_manager> from the IBM MQ server keystore and import it into the client keystore.

    You can export the certificate from the IBM MQ server keystore by using the following command: /opt/mqm/bin/runmqakm -cert -extract -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqqm_orange -target /var/mqm/qmgrs/QM_ORANGE/ssl/ibmwebspheremqqm_orange.arm -format ascii

    Copy the extracted certificate file to the ActiveGate, then import the extracted certificate into the ibmmqkeystore.kdb keystore on the ActiveGate.

  5. IBM MQ server keystore must have the public key of the client certificate imported. So export the certificate ibmwebspheremq<username> from the client keystore and import it into the IBM MQ server keystore.

    Export the certificate from the ActiveGate keystore.

    Copy the extracted client certificate to the IBM MQ server, then import it using the following command (here diego is the user that runs the remote plugin process; substitute your own user): /opt/mqm/bin/runmqakm -cert -add -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit -label ibmwebspheremqdiego -file /var/mqm/qmgrs/QM_ORANGE/ssl/client_cert.arm -format ascii

  6. Now your IBM MQ server should have a keystore with its own certificate and the client certificate, and your ActiveGate should have its own keystore with its own certificate and the IBM MQ server certificate. You can list the certificates in the IBM MQ server keystore with the following command: /opt/mqm/bin/runmqakm -cert -list -db /var/mqm/qmgrs/QM_ORANGE/ssl/qm_orange.kdb -pw changeit

    (Screenshot: IBM MQ server keystore listing.)

    (Screenshot: ActiveGate keystore showing the imported certificate from the MQ server.)

  7. Make sure that your server-connection channel has the proper cipher spec selected, and select the exact same one in the plugin config UI.

  8. If you're using a Peer Name (PNRP) on the server-connection channel (a Distinguished Name), then make sure that the Distinguished Name exists in the CLIENT certificate (the one labeled ibmwebspheremq<user>).

  9. The path to repository field in the plugin UI is the path to the client keystore, including the keystore name but without the extension. So if the keystore is D:\ssl\clientkeystore.kdb, then the path to repository field must say: D:\ssl\clientkeystore

CA-signed certificates

  1. Your IBM MQ server and MQ client (ActiveGate) need to have separate CMS keystores. They must be CMS, not JKS or PK12 or any other format. The names of your keystores do not matter.

  2. Your IBM MQ server keystore must have your CA Root certificate imported as a “Signer Certificate”.

  3. You must create a Certificate Signing Request (CSR) from your IBM MQ server keystore, because doing so writes a record in the .rdb file of your keystore. You cannot create the CSR elsewhere.

  4. Create a signed certificate using your Certificate Authority and your signing request. For OpenSSL, you could execute the following command: openssl x509 -req -in certcsr.arm -CA myCARoot.crt -CAkey myCARoot.key -CAcreateserial -out mysignedcert.crt -days 500 -sha256 (note that openssl x509 -req does not carry extensions such as the subject alternative name over from the CSR unless you supply them via -extfile).

  5. Import/Receive your signed certificate into your keystore under Personal Certificates. Make sure your certificate has the label (alias) ibmwebspheremq<queue_manager>, where <queue_manager> is your queue manager name, all in lower case.

  6. Repeat steps 2-4 for your MQ client (ActiveGate) keystore.

  7. Import/Receive your signed certificate into your keystore under “Personal Certificates”. Make sure your certificate has the label (alias) ibmwebspheremq<username>, where <username> is the user that runs your remote plugin module process (not your ActiveGate process).

  8. When everything is done, place all files for the MQ server in the proper location and configure the queue manager to look for the keystore in that location.

  9. Configure your SSL server-connection channel to use the right cipher spec; the cipher spec must match on both sides of the communication pipeline.

  10. For the MQ client, place the files in your location of choice and, in the Config UI of the plugin, enter the path to the keystore WITHOUT the .kdb extension. So just type /path/to/SSL/keystore/filename in the SSL Repository field. Also, make sure that the proper cipher spec is selected.

  11. Remember to refresh the SSL configuration on your queue manager so that it picks up the new SSL changes.
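As an added worked check (not part of the extension's documentation), covering the label rules in steps 1 and 2 of the self-signed procedure, the CMS file requirement in step 3, and the repository path rule in step 9 (step 10 of the CA-signed procedure): a POSIX shell script that derives both labels and validates the client keystore before you fill in the plugin UI. The function names and the mq_ssl_precheck.sh filename are my own; the script only inspects names and files and never calls runmqakm itself.

```shell
#!/bin/sh
# Added example, not from the extension's docs: pre-flight checks for the
# naming and keystore rules described above. Assumed to run on the ActiveGate
# host (or wherever the client keystore lives).

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Label the queue manager side looks for: ibmwebspheremq + lower-cased QM name
# (QM_ORANGE -> ibmwebspheremqqm_orange).
mq_server_label() { printf 'ibmwebspheremq%s' "$(lower "$1")"; }

# Label the client side looks for: ibmwebspheremq + the OS user that runs the
# remote plugin process, in lower case (IBM MQ lower-cases the user ID).
mq_client_label() { printf 'ibmwebspheremq%s' "$(lower "$1")"; }

# Given a .kdb path, check that the CMS triple (.kdb/.rdb/.sth) exists and
# print what belongs in the plugin's key repository field: the path with the
# .kdb extension removed. A missing .sth means the password was not stashed
# when the keystore was created (the -stash option of runmqakm -keydb -create).
mq_key_repository() {
    kdb=$1
    case $kdb in
        *.kdb) ;;
        *) echo "expected a .kdb (CMS) keystore, got: $kdb" >&2; return 1 ;;
    esac
    base=${kdb%.kdb}
    for ext in kdb rdb sth; do
        if [ ! -f "$base.$ext" ]; then
            echo "missing $base.$ext (CMS keystore needs .kdb, .rdb and .sth)" >&2
            return 1
        fi
    done
    printf '%s\n' "$base"
}

# Usage: sh mq_ssl_precheck.sh QM_ORANGE svcdyn /path/to/clientkeystore.kdb
if [ "$#" -eq 3 ]; then
    echo "server label:   $(mq_server_label "$1")"
    echo "client label:   $(mq_client_label "$2")"
    repo=$(mq_key_repository "$3") || exit 1
    echo "key repository: $repo"
fi
```

The repository value it prints is exactly what goes into the path to repository / SSL Repository field; a non-zero exit means the keystore is not a complete CMS keystore.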