Configuring MQ Connectivity security by using CA certificates

You can configure security between Eclipse Amlen and IBM® MQ by using CA certificates to secure the connection.

Complete steps 1 to 4 in Configuring the IBM MQ server connection channel.
You can also configure security between Eclipse Amlen and IBM MQ by using self-signed certificates. Self-signed certificates can get you started quickly in a test environment, but CA certificates are more secure than self-signed certificates. For more information about configuring security by using self-signed certificates, see Configuring MQ Connectivity security by using self-signed certificates.
The following steps take place on the IBM MQ server:
  1. Create two key repositories, by using the runmqckm -keydb -create command. Create one key repository for IBM MQ, and one for Eclipse Amlen.

    For more information about creating key repositories in IBM MQ, see Setting up a key repository in the IBM MQ documentation.

  2. Request a personal certificate for the IBM MQ queue manager from the CA, by using the runmqckm -certreq -create command.

    A server certificate for IBM MQ must have the label ibmwebspheremqQMGRName, where QMGRName is the name, converted to lowercase, of the queue manager that the certificate is used with.

    For more information about requesting a personal certificate, see Requesting a personal certificate in the IBM MQ documentation.

  3. Optional: If you are using a client certificate, request a personal certificate for Eclipse Amlen from the CA, by using the runmqckm -certreq -create command.

    A client certificate for Eclipse Amlen must have the label ibmwebspheremqadmin.

    For more information about requesting a personal certificate, see Requesting a personal certificate in the IBM MQ documentation.

  4. Receive a personal certificate from the CA into the IBM MQ key repository, by using the runmqckm -cert -receive command.

    For more information about receiving a personal certificate, see Receiving personal certificates in the IBM MQ documentation.

  5. Optional: If you are using a client certificate, receive a personal certificate from the CA into the Eclipse Amlen key repository, by using the runmqckm -cert -receive command.

    For more information about receiving a personal certificate, see Receiving personal certificates in the IBM MQ documentation.

  6. Add the server CA certificate to the Eclipse Amlen key repository, by using the runmqckm -cert -add command.

    For more information about adding a CA certificate to a key repository, see Adding a CA certificate in the IBM MQ documentation.

  7. Optional: Add the client CA certificate to the IBM MQ key repository, by using the runmqckm -cert -add command.

    For more information about adding a CA certificate to a key repository, see Adding a CA certificate in the IBM MQ documentation.

  8. Associate the queue manager with the IBM MQ key repository files, by using the ALTER QMGR MQSC command with the SSLKEYR parameter.

    For more information about the ALTER QMGR MQSC command and the options available, see ALTER QMGR in the IBM MQ documentation.

  9. If you are not using a client certificate for Eclipse Amlen, update the server-connection channel, by using the ALTER CHANNEL MQSC command. Change the SSLCAUTH attribute to OPTIONAL.

    For more information about the ALTER CHANNEL MQSC command and the options available, see ALTER CHANNEL in the IBM MQ documentation.
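
The IBM MQ server steps above as one command sequence, in an added example that is not part of the original documentation: the script only prints the commands, in step order, for review. The queue manager name QM1, the file paths, distinguished names, CA labels, certificate file names and the channel name AMLEN.SVRCONN are assumptions.

```shell
#!/bin/sh
# Added example: prints the commands for steps 1-9 for review; it runs nothing.
# Constructed values: paths, DNs, file names, CA labels, channel AMLEN.SVRCONN.
# $MQ_PW and $AMLEN_PW are printed unexpanded, so no password lands in the plan.

# Step 2 rule: label = "ibmwebspheremq" + queue manager name in lowercase.
qmgr_label() {
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# $1 = queue manager name, $2 = yes when Amlen presents a client certificate.
mq_tls_plan() {
    qm=$1
    client=${2:-no}
    label=$(qmgr_label "$qm")
    stem=/var/mqm/qmgrs/$qm/ssl/key     # assumed MQ repository path, no .kdb suffix
    amlen=./amlen/mqconn.kdb            # assumed Amlen repository file
    # Line tags: A = always, C = client certificate only, N = no client certificate.
    if [ "$client" = yes ]; then skip=N; else skip=C; fi
    sed -e "/^$skip /d" -e 's/^[ACN] //' <<EOF
A runmqckm -keydb -create -db $stem.kdb -pw "\$MQ_PW" -type cms -stash
A runmqckm -keydb -create -db $amlen -pw "\$AMLEN_PW" -type cms -stash
A runmqckm -certreq -create -db $stem.kdb -pw "\$MQ_PW" -label $label -dn "CN=$qm,O=Example" -size 2048 -file qmgr.req.arm
C runmqckm -certreq -create -db $amlen -pw "\$AMLEN_PW" -label ibmwebspheremqadmin -dn "CN=amlen,O=Example" -size 2048 -file amlen.req.arm
A runmqckm -cert -receive -file qmgr.cert.arm -db $stem.kdb -pw "\$MQ_PW" -format ascii
C runmqckm -cert -receive -file amlen.cert.arm -db $amlen -pw "\$AMLEN_PW" -format ascii
A runmqckm -cert -add -db $amlen -pw "\$AMLEN_PW" -label serverCA -file server-ca.arm -format ascii
C runmqckm -cert -add -db $stem.kdb -pw "\$MQ_PW" -label clientCA -file client-ca.arm -format ascii
A echo "ALTER QMGR SSLKEYR('$stem')" | runmqsc $qm
N echo "ALTER CHANNEL('AMLEN.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)" | runmqsc $qm
EOF
}

mq_tls_plan "${1:-QM1}" "${2:-no}"
```

Pass the queue manager name as the first argument and yes as the second when Eclipse Amlen presents a client certificate; the SSLCAUTH(OPTIONAL) change is then left out and the three optional steps are included.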

The following step takes place on Eclipse Amlen:
  1. Upload the Eclipse Amlen key repository database file and password stash file to Eclipse Amlen.
    For more information about uploading the key repository database file and password stash file, see Configuring the MQ Connectivity SSL key repository.
Complete the remaining steps in Configuring the IBM MQ server connection channel.