The ES03 WebSphere MQ Everyplace SupportPac, "WebSphere MQ Everyplace WTLS Mini-Certificate Server", is available as a separate free download from http://www.ibm.com/software/ts/mqseries/txppacs/. WebSphere MQ Everyplace includes a default mini-certificate issuance service that can be configured to satisfy private registry auto-registration requests. With the tools provided, a solution can set up and manage a mini-certificate issuance service so that it issues mini-certificates to a carefully controlled set of entity names. Mini-certificates are a prerequisite for MQeMTrustAttribute-based message-level security. The characteristics of this issuance service are:
The tools provided in the ES03 SupportPac enable a mini-certificate issuance service administrator to authorize mini-certificate issuance to an entity by registering its entity name and registered address and defining a one-time-use certificate request PIN. This would normally be done after offline checking to validate the authenticity of the requestor. The certificate request PIN can be posted to the intended user, as bank card PINs are posted when a new card is issued. The user of the private registry (for example the WebSphere MQ Everyplace application or WebSphere MQ Everyplace queue manager) can then be configured to provide this certificate request PIN at startup time. When the private registry triggers auto-registration, the mini-certificate issuance service validates the resulting new certificate request, issues the new mini-certificate, and then resets the registered certificate request PIN so it cannot be reused. All auto-registration of new mini-certificate requests is processed on a secure channel.
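The authorize, request, issue and reset-PIN sequence described above can be modelled in a few lines. This is an added example, not code from the ES03 SupportPac or the WebSphere MQ Everyplace API: the class `IssuanceRegistry`, its methods, the 8-digit PIN format, the salted PBKDF2 storage and the entity name and address are all assumptions made for illustration, and the secure channel is out of scope.

```python
import hashlib
import hmac
import secrets


class IssuanceRegistry:
    """Hypothetical model of the one-time-PIN issuance flow (not the MQe API)."""

    def __init__(self):
        # entity name -> {"address": str, "salt": bytes, "pin_hash": bytes | None}
        self._entries = {}

    @staticmethod
    def _hash(pin, salt):
        # Assumption: the PIN is stored only as a salted hash.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def authorize(self, entity, address):
        """Administrator step: register name and address, define a one-time PIN."""
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._entries[entity] = {"address": address, "salt": salt,
                                 "pin_hash": self._hash(pin, salt)}
        return pin  # delivered to the requestor out of band, e.g. by post

    def handle_request(self, entity, address, pin):
        """Service step: validate a certificate request; True means 'issue'."""
        entry = self._entries.get(entity)
        if entry is None or entry["pin_hash"] is None:
            return False  # entity never authorized, or PIN already consumed
        if entry["address"] != address:
            return False  # request does not come from the registered address
        candidate = self._hash(pin, entry["salt"])
        if not hmac.compare_digest(candidate, entry["pin_hash"]):
            return False  # wrong PIN (constant-time comparison)
        entry["pin_hash"] = None  # reset the PIN so it cannot be reused
        return True


def demo():
    reg = IssuanceRegistry()
    # Constructed sample values, not taken from any real deployment.
    pin = reg.authorize("ExampleQM", "host.example:8081")
    wrong = "00000000" if pin != "00000000" else "11111111"
    return [
        reg.handle_request("ExampleQM", "host.example:8081", wrong),  # bad PIN
        reg.handle_request("UnknownQM", "host.example:8081", pin),    # not registered
        reg.handle_request("ExampleQM", "host.example:8081", pin),    # issued
        reg.handle_request("ExampleQM", "host.example:8081", pin),    # replay refused
    ]
```
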
We recommend that you refer to the MQe_MiniCertificateServer documentation included in the ES03 SupportPac, "WebSphere MQ Everyplace WTLS Mini-Certificate Server", for more details of how to install and use the WTLS digital certificate issuance service for WebSphere MQ Everyplace.