Creating SSL certificates for the WebSphere MQ Java Client
The WebSphere® MQ Java™ Client supports SSL-encrypted connections over the server-connection (SVRCONN) channel between an application and the queue manager. To configure SSL-encrypted connections you must first create key stores and certificates.
- Create a broker
- Start the broker
- Set the environment variable JAVA_HOME to the location of the IBM® Key Management tools in the WebSphere MQ install, for example C:\Program Files\IBM\WebSphere MQ\gskit\jre\ or /opt/mqm/ssl/jre.
Each WebSphere MQ queue manager has a key repository for certificates. When an application attempts to connect to a secure queue manager, the application's certificate must be validated against the contents of the queue manager's key repository. One option for configuring SSL for the queue manager is to use a self-signed certificate.
Two certificates must be signed and created. One must be created for the server queue manager, and a second created for the client, for example the WebSphere Message Broker Explorer.
- On Windows, enter the following command on a command line:
C:\Program Files\IBM\gsk7\bin\gsk7cmd
- On Linux, enter the following command on a command line:
/opt/mqm/ssl/jre/bin/gsk7cmd
Creating a server certificate for the queue manager
- password: A password for the certificate repository.
- qmname: The name of the queue manager for which you want to create a certificate, in lower case.
- QMNAME: The name of the queue manager for which you want to create a certificate, in upper case.
Creating a client certificate for the WebSphere Message Broker Explorer
- password: A password for the certificate repository.
- qmname: The name of the queue manager for which you want to create a certificate, in lower case. This is the same value used in the steps to create a client certificate for the queue manager.
- USERID: The user ID for which you want to create a certificate.
You must now copy the files from the Label_CMS directory to your queue manager's SSL directory. For example, /var/mqm/qmgrs/QM1/ssl or C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl. The keystore.jks file in the LABEL_JKS directory must be on the same machine as the WebSphere Message Broker Explorer. You might also require the AMQCLCHL.TAB file to be copied to the same system as the WebSphere Message Broker Explorer. This file can be found in the queue manager's @ipcc directory, for example, /var/mqm/qmgrs/QM1/@ipcc or C:\Program Files\IBM\WebSphere MQ\qmgrs\QM1\@ipcc.
When you configure the SSL settings in the WebSphere Message Broker Explorer you must specify the full path to the keystore.jks file.
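A check to run on Linux after the copy step, added here as an example and not part of the IBM documentation: it confirms that the key repository files arrived in the queue manager's SSL directory and that neither they nor the client keystore.jks are readable, writable or executable by "other" users, since these files hold the private keys. The function names and the repository stem "key" (key.kdb with its key.sth password stash) are assumptions; pass a different stem if your repository uses one.

```sh
#!/bin/sh
# Added example: audit the key files after the copy step.
# Assumption: the CMS repository uses the stem "key" (key.kdb plus the
# key.sth password stash); pass another stem as the second argument.
# Usage: check_key_repo /var/mqm/qmgrs/QM1/ssl
#        check_client_keystore /path/to/keystore.jks

# Print regular files at or under $1 that grant any permission to "other".
world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when DIR holds a non-empty STEM.kdb and STEM.sth and nothing in
# it is world-accessible; otherwise print each finding and return 1.
check_key_repo() {
    dir=$1; stem=${2:-key}; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi
    for f in "$dir/$stem.kdb" "$dir/$stem.sth"; do
        if [ ! -s "$f" ]; then
            echo "MISSING or empty: $f"
            rc=1
        fi
    done
    exposed=$(world_accessible "$dir")
    if [ -n "$exposed" ]; then
        echo "WORLD-ACCESSIBLE: $exposed"
        rc=1
    fi
    return "$rc"
}

# Same checks for the JKS file used by the WebSphere Message Broker Explorer.
check_client_keystore() {
    if [ ! -s "$1" ]; then
        echo "MISSING or empty: $1"
        return 1
    fi
    if [ -n "$(world_accessible "$1")" ]; then
        echo "WORLD-ACCESSIBLE: $1"
        return 1
    fi
    return 0
}
```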