Configuring MQ Connectivity security by using self-signed certificates

You can configure security between Eclipse Amlen and IBM® MQ by using self-signed certificates to secure the connection.

Before you begin, complete steps 1 to 4 in Configuring the IBM MQ server connection channel.

You can also configure security between Eclipse Amlen and IBM MQ by using CA certificates. Self-signed certificates can get you started quickly in a test environment, but CA certificates are more secure than self-signed certificates. For more information about configuring security by using CA certificates, see Configuring MQ Connectivity security by using CA certificates.

The following steps take place on the IBM MQ server:
  1. Create two key repositories, by using the runmqckm -keydb -create command. Create one key repository for IBM MQ, and one for Eclipse Amlen.

    For more information about creating key repositories in IBM MQ, see Setting up a key repository in the IBM MQ documentation.

  2. Create a self-signed certificate for the IBM MQ queue manager, by using the runmqckm -cert -create command.

    A server certificate for IBM MQ must have the label ibmwebspheremqQMGRName, where QMGRName specifies the name of the queue manager the certificate is used with, in lowercase.

    For more information about creating a self-signed certificate, see Creating a self-signed personal certificate in the IBM MQ documentation.

  3. Optional: If you are using a client certificate, create a self-signed certificate for Eclipse Amlen, by using the runmqckm -cert -create command.

    A client certificate for Eclipse Amlen must have the label ibmwebspheremqadmin. For more information about creating a self-signed certificate, see Creating a self-signed personal certificate in the IBM MQ documentation.

  4. Extract the public part of the IBM MQ certificate, by using the runmqckm -cert -extract command.

    For more information about extracting the public part of a certificate, see Extracting the public part of a self-signed certificate in the IBM MQ documentation.

  5. Optional: If you are using a client certificate, extract the public part of the Eclipse Amlen certificate, by using the runmqckm -cert -extract command.

    For more information about extracting the public part of a certificate, see Extracting the public part of a self-signed certificate in the IBM MQ documentation.

  6. Add the public part of the IBM MQ certificate to the Eclipse Amlen key repository, by using the runmqckm -cert -add command.

    For more information about adding the public part of a certificate to a key repository, see Adding the public part of a self-signed certificate to a key repository in the IBM MQ documentation.

  7. Optional: If you are using a client certificate, add the public part of the Eclipse Amlen certificate to the IBM MQ key repository, by using the runmqckm -cert -add command.

    For more information about adding the public part of a certificate to a key repository, see Adding the public part of a self-signed certificate to a key repository in the IBM MQ documentation.

  8. Associate the queue manager with the IBM MQ key repository files, by using the ALTER QMGR MQSC command with the SSLKEYR parameter.

    For more information about the ALTER QMGR MQSC command and the options available, see ALTER QMGR in the IBM MQ documentation.

  9. If you are not using a client certificate for Eclipse Amlen, update the server-connection channel, by using the ALTER CHANNEL MQSC command. Change the SSLCAUTH attribute to OPTIONAL.

    For more information about the ALTER CHANNEL MQSC command and the options available, see ALTER CHANNEL in the IBM MQ documentation.
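
The IBM MQ server steps above as a single script, added here as an example (it is not taken from the Eclipse Amlen or IBM MQ documentation). The queue manager name QM1, the channel name AMLEN.SVRCONN, the file paths, distinguished names and password variables are assumed placeholders; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: prints (DRY_RUN=1, the default) or runs the commands for steps 1-9.
# Names, paths, DNs and passwords below are assumed placeholders, not page values.
QMGR="${QMGR:-QM1}"                        # assumed queue manager name
CHANNEL="${CHANNEL:-AMLEN.SVRCONN}"        # hypothetical server-connection channel
MQ_DB="${MQ_DB:-/var/mqm/qmgrs/$QMGR/ssl/key.kdb}"
AMLEN_DB="${AMLEN_DB:-/tmp/amlen/mqconnectivity.kdb}"
WORK="${WORK:-/tmp/amlen}"                 # where extracted public certificates go
# Note: -pw puts the password on the command line, visible in process listings.
MQ_PW="${MQ_PW:-CHANGE_ME_MQ}"; AMLEN_PW="${AMLEN_PW:-CHANGE_ME_AMLEN}"
USE_CLIENT_CERT="${USE_CLIENT_CERT:-no}"   # yes = include optional steps 3, 5 and 7
DRY_RUN="${DRY_RUN:-1}"

# Step 2 label rule: ibmwebspheremq followed by the queue manager name in lowercase.
qmgr_label() { printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"; }

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Send one MQSC command to the queue manager (printed only in dry-run mode).
mqsc() {
  if [ "$DRY_RUN" = 1 ]; then printf 'MQSC(%s): %s\n' "$QMGR" "$1"
  else printf '%s\n' "$1" | runmqsc "$QMGR"; fi
}

configure() {
  label="$(qmgr_label "$QMGR")"
  # Step 1: one CMS key repository each; -stash also writes the password stash file.
  run runmqckm -keydb -create -db "$MQ_DB" -pw "$MQ_PW" -type cms -stash
  run runmqckm -keydb -create -db "$AMLEN_DB" -pw "$AMLEN_PW" -type cms -stash
  # Step 2: self-signed certificate for the queue manager.
  run runmqckm -cert -create -db "$MQ_DB" -pw "$MQ_PW" -label "$label" -dn "CN=$QMGR,O=Example" -expire 365
  # Steps 4 and 6: extract its public part and add it to the Eclipse Amlen repository.
  run runmqckm -cert -extract -db "$MQ_DB" -pw "$MQ_PW" -label "$label" -target "$WORK/qmgr.arm" -format ascii
  run runmqckm -cert -add -db "$AMLEN_DB" -pw "$AMLEN_PW" -label "$label" -file "$WORK/qmgr.arm" -format ascii
  if [ "$USE_CLIENT_CERT" = yes ]; then
    # Steps 3, 5 and 7: client certificate for Eclipse Amlen, trusted by the queue manager.
    run runmqckm -cert -create -db "$AMLEN_DB" -pw "$AMLEN_PW" -label ibmwebspheremqadmin -dn "CN=amlen,O=Example" -expire 365
    run runmqckm -cert -extract -db "$AMLEN_DB" -pw "$AMLEN_PW" -label ibmwebspheremqadmin -target "$WORK/amlen.arm" -format ascii
    run runmqckm -cert -add -db "$MQ_DB" -pw "$MQ_PW" -label ibmwebspheremqadmin -file "$WORK/amlen.arm" -format ascii
  fi
  # Step 8: SSLKEYR takes the repository path without the .kdb extension.
  mqsc "ALTER QMGR SSLKEYR('${MQ_DB%.kdb}')"
  # Step 9: only when no client certificate is used.
  [ "$USE_CLIENT_CERT" = yes ] || mqsc "ALTER CHANNEL($CHANNEL) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)"
}

configure
```

With these assumed paths, the files to upload to Eclipse Amlen afterwards are `mqconnectivity.kdb` and the `mqconnectivity.sth` stash file that `-stash` writes next to it.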

The following step takes place on Eclipse Amlen:
  1. Upload the Eclipse Amlen key repository database file and password stash file to Eclipse Amlen.

    For more information about uploading the key repository database file and password stash file, see Configuring the MQ Connectivity SSL key repository.

Complete the remaining steps in Configuring the IBM MQ server connection channel.