
Page 1 of 21

Using SSL TLS in MQ 9.2 to connect a C-based client in Windows to a queue manager in Linux, using self-signed certificates, 2-way authentication

https://www.ibm.com/support/pages/node/6470619

Date last updated: 08-Jul-2021

Angel Rivera, IBM MQ Support

https://www.ibm.com/products/mq/support Find all the support you need for IBM MQ

+++ Objective

The objective of this document is to provide step-by-step details for:
- connecting an MQ 9.2 C-based client from Windows
- to a single-instance queue manager running MQ 9.2 in Linux,
- using self-signed certificates for 2-way authentication (the client authenticates the queue manager, and the queue manager authenticates the client).
- The MQ sample amqssslc is used for testing, because it does not require a CCDT.

For illustration purposes the following CipherSpec will be used (it is TLS 1.2 compliant):
TLS_RSA_WITH_AES_128_CBC_SHA256

In this document, these terms are used interchangeably: SSL and TLS. TLS is the successor to SSL, but the term “SSL” is used for historical reasons and the MQ tooling refers to SSL, even though it applies also to TLS.

The default behavior is for the MQ client application to ask for the authentication of the MQ queue manager; this is called “1-way authentication”. “2-way authentication” is when, additionally, the MQ queue manager asks for the authentication of the MQ client application. This tutorial shows all the steps for “2-way authentication”, but identifies those that can be skipped if you are interested only in “1-way authentication”.

The configuration for SSL requires many steps, at different locations. One common source of confusion when doing the setup for SSL/TLS is: on which side of the connection does a certain step/command need to be taken? Is step A done at the host of the MQ client application, or at the host of the queue manager? This tutorial tries to be very explicit in this respect, so that this confusion can be avoided.


This tutorial provides an “extreme summary” with all the commands, without explanation. The idea is that you can copy these commands into a text editor, edit them to suit your needs and then copy/paste them into the command prompts for Windows and Linux.

These are the steps for 2-way authentication; they are explained later on in this tutorial:

Step 1: Client (Windows): Create SSL client key database (CMS)
Step 2: Client (Windows): Create certificate
Step 3: Client (Windows): Extract the public SSL client certificate
Step 4: Client (Windows): Copy Windows certificate to the SSL server side in Linux
        Copy/transfer the public/signer SSL certificate administrator.crt in ASCII mode from the Windows host to the Linux host.
Step 5: Server (Linux): Create SSL server key database
Step 6: Server (Linux): Create certificate
Step 7: Server (Linux): Extract the public SSL server certificate
Step 8: Server (Linux): Copy Linux certificate to the SSL client side in Windows
        Copy/transfer the public/signer SSL certificate QM92TLS.crt in ASCII mode from the Linux host to the Windows host.
Step 9: Server (Linux): Add the Windows certificate to Linux key database
Step 10: Server (Linux): Run MQSC commands for SSL server side queue manager
Step 11: Client (Windows): Add the Linux certificate to the Windows key database
Step 12: Test of sending message from Client (Windows) to Server (Linux)


+++ C-based sample to use: amqssslc

The C-based sample amqssslc, shipped with MQ, will be used to test the SSL/TLS connection with the remote queue manager:
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=multiplatforms-tls-sample-program
IBM MQ / 9.2 / The TLS sample program
AMQSSSLC is a sample C program that demonstrates how to use the MQCNO and MQSCO structures to supply TLS client connection information on the MQCONNX call. This enables a client MQI application to provide the definition of its client connection channel and TLS settings at run time without a client channel definition table (CCDT).

In Windows, this sample is located at:
C:\Program Files\IBM\MQ\Tools\c\Samples\Bin64\amqssslc.exe

In Linux:
/opt/mqm/samp/bin/amqssslc

++ References

https://www.ibm.com/docs/en/ibm-mq/9.2?topic=messages-enabling-cipherspecs
IBM MQ / 9.2 / Enabling CipherSpecs

https://www.ibm.com/docs/en/ibm-mq/9.2?topic=cipherspecs-deprecated
Deprecated CipherSpecs
A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary.
Note: The LAST (right-most) column in the table indicates the MQ version.release in which the CipherSpec was deprecated.

https://www.ibm.com/support/pages/node/1088020 How do I configure an MQ client c-based application like amqsputc / amqsgetc to connect to an MQ server with SSL?


+++ Configuration

a) Windows
MQ 9.2.0.2 LTS running in Windows 10.
Hostname: tolteca1
USERNAME=Administrator
In this technote, the default location for the MQ data is used:
MQ_DATA_PATH=C:\ProgramData\IBM\MQ\

Location for the SSL related files:
C:\ProgramData\IBM\MQ\ssl
(note: this directory “ssl” needs to be created manually).

Full path name of the key database:
"C:\ProgramData\IBM\MQ\ssl\clientkey.kdb"

Set the following environment variable to specify the key database. One very common mistake is to specify the complete filename (which seems natural to do), but this variable requires that the suffix MUST NOT BE SPECIFIED; the value is the “stem” of the file name, without the “.kdb”.

CORRECT:
set MQSSLKEYR=C:\ProgramData\IBM\MQ\ssl\clientkey

In short, if you include the “.kdb”, you will get runtime errors!

INCORRECT:
set MQSSLKEYR=C:\ProgramData\IBM\MQ\ssl\clientkey.kdb

b) Linux
Single-instance queue manager running MQ 9.2.0.2 in Linux RHEL Intel 64-bit (with TLS)
Hostname: fortin1
Name: QM92TLS
Port: 1419
User: mqm
Location for the SSL related files:
/var/mqm/qmgrs/QM92TLS/ssl
(note: this directory “ssl” is automatically created by crtmqm).

Note that the Windows user name “Administrator” has 13 characters and mixed case (“A” in uppercase and the rest in lowercase). For this tutorial, it is necessary to create a user in the Linux host whose name consists of the first 12 characters, all in lowercase.

As user “root”:
useradd -u 603 -g mquser -s /bin/bash -d /home/administrato -m administrato

As user “mqm”:
id administrato
uid=603(administrato) gid=1005(mquser) groups=1005(mquser)


Notice that this user belongs to the group “mquser”, which is not the group for MQ administrators; thus, some authorities are needed to allow this user to connect. Run the following commands to allow users in that group to connect to the queue manager and to interact with the MQ Explorer (if needed later on):

setmqaut -m QM92TLS -t qmgr -g mquser +connect +inq +dsp
setmqaut -m QM92TLS -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mquser +inq +browse +get +dsp
setmqaut -m QM92TLS -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mquser +inq +put +dsp
setmqaut -m QM92TLS -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -g mquser +inq +browse +get +dsp +put


+++ Extreme summary

Usage note: it is recommended that you copy all the commands in this section and paste them into a plain text editor such as Notepad, which uses a monospace font and does not wrap lines. Then make global replacements for items such as the key database, passwords, user name, queue manager, etc. Finally, you can copy each command from Notepad and execute it in a command prompt for Windows or for the remote host in Linux.

+ Client in Windows:

setmqenv -n Installation1
set MQSSLKEYR=C:\ProgramData\IBM\MQ\ssl\clientkey
runmqckm -keydb -create -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -type cms -stash
runmqckm -cert -create -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator -dn "CN=administrator,O=IBM,C=USA" -size 2048
runmqckm -cert -list -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass
runmqckm -cert -details -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator
runmqckm -cert -extract -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator -target administrator.crt -format ascii

Exchange keys (QM92TLS.crt is the public certificate copied from Linux into this directory):
runmqckm -cert -add -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqqm92tls -file QM92TLS.crt -format ascii
runmqckm -cert -list -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass

Test (do NOT include the suffix .kdb in -k):
amqssslc -m QM92TLS -c SSL.SVRCONN -x fortin1.fyre.ibm.com(1419) -k "C:\ProgramData\IBM\MQ\ssl\clientkey" -s TLS_RSA_WITH_AES_128_CBC_SHA256 -l ibmwebspheremqadministrator

+ Queue manager in Linux:

As user root:
useradd -u 603 -g mqm -s /bin/bash -d /home/administrato -m administrato

As user mqm:
. /opt/mqm/bin/setmqenv -n Installation1
setmqaut -m QM92TLS -t qmgr -g mquser +connect +inq +dsp
setmqaut -m QM92TLS -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mquser +inq +browse +get +dsp
setmqaut -m QM92TLS -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mquser +inq +put +dsp


setmqaut -m QM92TLS -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -g mquser +inq +browse +get +dsp +put
runmqckm -keydb -create -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -type cms -stash
runmqckm -cert -create -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls -dn "CN=QM92TLS,O=IBM,C=USA" -size 2048
runmqckm -cert -list -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass
runmqckm -cert -details -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls
runmqckm -cert -extract -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls -target QM92TLS.crt -format ascii

Exchange keys (administrator.crt is the public certificate copied from Windows into this directory):
runmqckm -cert -add -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqadministrator -file administrator.crt -format ascii
runmqckm -cert -list -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass

runmqsc QM92TLS
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS')
DEFINE CHANNEL('SSL.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) SSLPEER('CN=administrator,O=IBM,C=USA') REPLACE
REFRESH SECURITY TYPE(SSL)
END


+++ Summary of steps: Client in Windows connecting to a queue manager in Linux

++ Step 1: Client (Windows): Create SSL client key database (CMS)

cd %MQ_DATA_PATH%
Such as:
cd C:\ProgramData\IBM\MQ\

Then create the subdirectory “ssl”:
C:\ProgramData\IBM\MQ> mkdir ssl
C:\ProgramData\IBM\MQ> cd ssl
C:\ProgramData\IBM\MQ\ssl> set MQSSLKEYR=C:\ProgramData\IBM\MQ\ssl\clientkey

Note: each runmqckm command is a single line. If it wraps in your viewer, you must ensure that when you copy/paste the command you use one single long line:
runmqckm -keydb -create -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -type cms -stash

Notice that 3 new files are created:
07/08/2021  03:40 AM                88 clientkey.kdb
07/08/2021  03:40 AM                80 clientkey.rdb
07/08/2021  03:40 AM               193 clientkey.sth


++ Step 2: Client (Windows): Create certificate

This step is needed when doing “2-way authentication”. That is, it is NOT needed when doing “1-way authentication”.

+ Create the digital certificate.
Notice that the label and the CN include the user name in lowercase (administrator). The -db value is the FULL name of the file “clientkey.kdb”, including the suffix.

runmqckm -cert -create -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator -dn "CN=administrator,O=IBM,C=USA" -size 2048

The clientkey.kdb is updated (notice that the size is bigger, because it now has 1 certificate):
07/08/2021  03:43 AM             5,088 clientkey.kdb
07/08/2021  03:43 AM                80 clientkey.rdb
07/08/2021  03:40 AM               193 clientkey.sth

+ List the newly created SSL certificate in Windows
runmqckm -cert -list -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass
Certificates in database C:\ProgramData\IBM\MQ\ssl\clientkey.kdb:
   ibmwebspheremqadministrator

+ List the details of the certificate:
runmqckm -cert -details -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator

<begin certificate – ignore this line>
Label: ibmwebspheremqadministrator
Key Size: 2048
Version: X509 V3
Serial Number: 60 E6 D6 EB
Issued by: CN=administrator, O=IBM, C=USA
Subject: CN=administrator, O=IBM, C=USA
Valid: From: Thursday, July 8, 2021 3:43:55 AM PDT To: Friday, July 8, 2022 3:43:55 AM PDT
Fingerprint:
  SHA1: D7:A9:C8:E9:79:47:EF:99:2B:F4:93:12:FF:74:7E:0F:4B:88:78:82
  SHA256: FF:71:33:EA:D2:8E:80:08:78:C5:F8:24:9B:F3:9A:05:7D:57:79:C8:6A:7D:E0:AD:4C:F0:45:D4:DB:16:74:26
  HPKP: awIGhIdcM/IG5r4lZFhG+1poU3iTlH+s9GQBMbg9HcA=
Extensions:
- AuthorityKeyIdentifier: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
    KeyIdentifier [
      0000: 89 40 bd 4c 71 fc 0b e4  ...Lq...
    ]
  ]
- SubjectKeyIdentifier: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
    KeyIdentifier [
      0000: 89 40 bd 4c 71 fc 0b e4  ...Lq...
    ]
  ]
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
<end of certificate – ignore this line>

Notice that the self-signed certificate is issued and signed by itself (Issued by and Subject are the same DN) and that it is valid for one year; both are defaults of runmqckm -cert -create. Keep the expiry date in mind, since the connection will stop working when the certificate expires.

+ REFERENCE for deleting a certificate:
The following command is just for completeness; you do NOT need to issue it for this tutorial. If you need to delete the certificate, you can reuse the command that shows the “details” and replace “details” with “delete”. For example, use as the base:
runmqckm -cert -details -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator

Then replace “details” with “delete”:
runmqckm -cert -delete -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator


++ Step 3: Client (Windows): Extract the public SSL client certificate

This step is needed when doing “2-way authentication”. That is, it is NOT needed when doing “1-way authentication”.

runmqckm -cert -extract -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqadministrator -target administrator.crt -format ascii

Notice that in the current directory a new file is created, which is the extracted certificate:
07/08/2021  03:53 AM             1,136 administrator.crt
07/08/2021  03:43 AM             5,088 clientkey.kdb
07/08/2021  03:43 AM                80 clientkey.rdb
07/08/2021  03:40 AM               193 clientkey.sth

The extracted .crt file contains only the public certificate, so it is safe to transfer to the other host. The private key stays in clientkey.kdb and the stashed password in clientkey.sth; those two files must never be copied to the queue manager host.

This certificate file looks like this (only showing some lines):
C:\ProgramData\IBM\MQ\ssl>type administrator.crt
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIEYObW6zANBgkqhkiG9w0BAQUFADA0MQwwCgYDVQQGEwNVU0ExDDAKBgNV
…
/SpdKi/wn0D8n5EEQ6Did+tiCvq6L9kzZVwYu5Xhy9HRDsusHbnlNCcP1Ysrjly5ESpRrnWucxcg
u7IavygoKS61806Y3ZZiYjEuFVNMIjuJccZrgDOQ6xwCm3rXFgiAfFQc/zdEtgQ=
-----END CERTIFICATE-----


++ Step 4: Client (Windows): Copy Windows certificate to the SSL server side in Linux

Copy/transfer the public/signer SSL certificate administrator.crt in ASCII mode from the Windows host to the Linux host.

This step is needed when doing “2-way authentication”. That is, it is NOT needed when doing “1-way authentication”.

For this tutorial the utility “FileZilla” was used to copy the crt file into the Linux host at:
/tmp/administrator.crt


++ Step 5: Server (Linux): Create SSL server key database

mqm@fortin1: /home/mqm
$ cd /var/mqm/qmgrs/QM92TLS/ssl
$ runmqckm -keydb -create -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -type cms -stash

Notice that 3 new files are created:
-rw------- 1 mqm mqm   88 Jul  8 04:00 QM92TLS.kdb
-rw------- 1 mqm mqm   80 Jul  8 04:00 QM92TLS.rdb
-rw------- 1 mqm mqm  193 Jul  8 04:00 QM92TLS.sth

Notice also that the files are created readable only by the mqm user (-rw-------). Keep them that way: the .kdb will hold the private key of the queue manager and the .sth holds the stashed key database password.


++ Step 6: Server (Linux): Create certificate

+ Create certificate
Notice that you MUST USE the queue manager name in LOWERCASE for the label! For the CN, use the uppercase name.

runmqckm -cert -create -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls -dn "CN=QM92TLS,O=IBM,C=USA" -size 2048

Notice that the key database is bigger, because it now contains 1 certificate:
-rw------- 1 mqm mqm 5088 Jul  8 04:03 QM92TLS.kdb
-rw------- 1 mqm mqm   80 Jul  8 04:03 QM92TLS.rdb
-rw------- 1 mqm mqm  193 Jul  8 04:00 QM92TLS.sth

+ List the newly created SSL certificate in Linux
runmqckm -cert -list -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass
Certificates in database /var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb:
   ibmwebspheremqqm92tls

+ List the details of the certificate.
runmqckm -cert -details -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls

Label: ibmwebspheremqqm92tls
Key Size: 2048
Version: X509 V3
Serial Number: 60 E6 DB 7E
Issued by: CN=QM92TLS, O=IBM, C=USA
Subject: CN=QM92TLS, O=IBM, C=USA
Valid: From: Thursday, July 8, 2021 4:03:26 AM PDT To: Friday, July 8, 2022 4:03:26 AM PDT
Fingerprint:
  SHA1: D0:BA:19:CE:52:66:3C:D6:81:95:64:A8:FF:AC:96:18:A4:70:24:A6
  SHA256: 59:F8:B2:A1:2B:FB:D8:7A:FD:3D:73:2F:E3:1A:E1:6A:2D:5D:A7:46:56:55:8C:49:5A:32:1C:39:60:EF:63:03
  HPKP: 0VA+6+z5fQAHsFBP8eQo/g7cyX1qzBQajsJD571o3P8=
Extensions:
- AuthorityKeyIdentifier: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
    KeyIdentifier [
      0000: 0f f1 98 3b 08 a4 c8 1c  ........
    ]
  ]
- SubjectKeyIdentifier: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
    KeyIdentifier [
      0000: 0f f1 98 3b 08 a4 c8 1c  ........
    ]
  ]
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled


++ Step 7: Server (Linux): Extract the public SSL server certificate

runmqckm -cert -extract -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqqm92tls -target QM92TLS.crt -format ascii

Notice that there is a new file, which has the public certificate of the queue manager:
-rw------- 1 mqm mqm 1118 Jul  8 04:08 QM92TLS.crt
-rw------- 1 mqm mqm 5088 Jul  8 04:03 QM92TLS.kdb
-rw------- 1 mqm mqm   80 Jul  8 04:03 QM92TLS.rdb
-rw------- 1 mqm mqm  193 Jul  8 04:00 QM92TLS.sth


++ Step 8: Server (Linux): Copy Linux certificate to the SSL client side in Windows

Copy/transfer the public/signer SSL certificate QM92TLS.crt in ASCII mode from the Linux host to the Windows host.

Copy the QM92TLS.crt file from the “ssl” subdirectory into “/tmp”:
mqm@fortin1: /var/mqm/qmgrs/QM92TLS/ssl
$ cp QM92TLS.crt /tmp/.

For this tutorial, we already have FileZilla running in the Windows host; thus, we will use that to copy the QM92TLS.crt from Linux into Windows.

+ For “2-way authentication”, in Linux, copy the administrator.crt file from /tmp into the ssl directory:
mqm@fortin1: /var/mqm/qmgrs/QM92TLS/ssl
$ cp /tmp/administrator.crt .
$ ls -l
-rw-r--r-- 1 mqm mqm 1136 Jul  8 04:29 administrator.crt
-rw------- 1 mqm mqm 1118 Jul  8 04:08 QM92TLS.crt
-rw------- 1 mqm mqm 5088 Jul  8 04:03 QM92TLS.kdb
-rw------- 1 mqm mqm   80 Jul  8 04:03 QM92TLS.rdb
-rw------- 1 mqm mqm  193 Jul  8 04:00 QM92TLS.sth

+ In Windows we now have:
C:\ProgramData\IBM\MQ\ssl>dir
07/08/2021  03:53 AM             1,136 administrator.crt
07/08/2021  03:43 AM             5,088 clientkey.kdb
07/08/2021  03:43 AM                80 clientkey.rdb
07/08/2021  03:40 AM               193 clientkey.sth
07/08/2021  04:17 AM             1,118 QM92TLS.crt


++ Step 9: Server (Linux): Add the Windows certificate to Linux key database

This step is needed when doing “2-way authentication”. That is, it is NOT needed when doing “1-way authentication”.

+ Add the public/signer certificate
runmqckm -cert -add -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass -label ibmwebspheremqadministrator -file administrator.crt -format ascii

Notice that the size of the kdb became larger (it now has 2 certificates):
-rw-r--r-- 1 mqm mqm  1136 Jul  8 04:29 administrator.crt
-rw------- 1 mqm mqm  1118 Jul  8 04:08 QM92TLS.crt
-rw------- 1 mqm mqm 10088 Jul  8 04:32 QM92TLS.kdb
-rw------- 1 mqm mqm    80 Jul  8 04:32 QM92TLS.rdb
-rw------- 1 mqm mqm   193 Jul  8 04:00 QM92TLS.sth

+ List the certificates.
runmqckm -cert -list -db "/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb" -pw serverpass
Certificates in database /var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb:
   ibmwebspheremqqm92tls
   ibmwebspheremqadministrator


++ Step 10: Server (Linux): Run MQSC commands for SSL server side queue manager

+ For “2-way authentication”:
runmqsc QM92TLS
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS')
DEFINE CHANNEL('SSL.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       SSLPEER('CN=administrator,O=IBM,C=USA') REPLACE
REFRESH SECURITY TYPE(SSL)
END

Notice that SSLKEYR is again the stem of the key database name (no “.kdb”), the same rule as for MQSSLKEYR on the client. With SSLCAUTH(REQUIRED) the queue manager refuses a client that does not present a certificate, and SSLPEER restricts which client DN is accepted on this channel.

+ For “1-way authentication”:
runmqsc QM92TLS
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM92TLS/ssl/QM92TLS')
DEFINE CHANNEL('SSL.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL) +
       SSLPEER('') REPLACE
REFRESH SECURITY TYPE(SSL)
END


++ Step 11: Client (Windows): Add the Linux certificate to the Windows key database

+ Add the public/signer certificate
C:\ProgramData\IBM\MQ\ssl> runmqckm -cert -add -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass -label ibmwebspheremqqm92tls -file QM92TLS.crt -format ascii

C:\ProgramData\IBM\MQ\ssl> dir
07/08/2021  03:53 AM             1,136 administrator.crt
07/08/2021  04:35 AM            10,088 clientkey.kdb
07/08/2021  04:35 AM                80 clientkey.rdb
07/08/2021  03:40 AM               193 clientkey.sth
07/08/2021  04:17 AM             1,118 QM92TLS.crt

+ List the certificates
C:\ProgramData\IBM\MQ\ssl> runmqckm -cert -list -db "C:\ProgramData\IBM\MQ\ssl\clientkey.kdb" -pw clientpass
Certificates in database C:\ProgramData\IBM\MQ\ssl\clientkey.kdb:
   ibmwebspheremqadministrator
   ibmwebspheremqqm92tls


++ Step 12: Test of sending message from Client (Windows) to Server (Linux)

C:\ProgramData\IBM\MQ\ssl> amqssslc -m QM92TLS -c SSL.SVRCONN -x fortin1.fyre.ibm.com(1419) -k "C:\ProgramData\IBM\MQ\ssl\clientkey" -s TLS_RSA_WITH_AES_128_CBC_SHA256 -l ibmwebspheremqadministrator
Sample AMQSSSLC start
Connecting to queue manager QM92TLS
Using the server connection channel SSL.SVRCONN on connection name fortin1.fyre.ibm.com(1419).
Using SSL CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256
Using SSL key repository stem C:\ProgramData\IBM\MQ\ssl\clientkey
Certificate Label: ibmwebspheremqadministrator
No OCSP configuration specified.
Connection established to queue manager QM92TLS
Sample AMQSSSLC end

Note: If there were runtime errors, you need to view the local general error log for MQ in Windows, file AMQERR01.LOG:
C:\ProgramData\IBM\MQ\errors>dir
07/07/2021  05:48 AM            11,744 AMQERR01.LOG
05/10/2021  07:47 AM                 0 AMQERR02.LOG
05/10/2021  07:47 AM                 0 AMQERR03.LOG

In case there are no entries relevant for the scenario in this local file, then you need to take a look at the error logs for the queue manager QM92TLS in Linux:
mqm@fortin1: /var/mqm/qmgrs/QM92TLS/errors
$ ls -l
-rw-rw---- 1 mqm mqm 45229 Jul  8 03:18 AMQERR01.LOG
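The following POSIX shell helper is an added example, not part of the IBM technote, that encodes the naming rules the tutorial relies on so they can be checked before running amqssslc: the MQSSLKEYR / -k value must be the key repository stem without “.kdb” (Configuration, Step 12), the certificate label is “ibmwebspheremq” followed by the lowercase user or queue manager name (Steps 2 and 6), the Linux user is the first 12 characters of the Windows user name in lowercase (Configuration), and the client DN must match the channel SSLPEER (Step 10). The function names are assumptions, and the SSLPEER comparison is a deliberate simplification (exact match after removing blanks after commas; MQ's wildcard and partial-DN matching is not implemented).

```shell
#!/bin/sh
# Added example, not from the IBM technote. Function names are assumptions.

# MQSSLKEYR, amqssslc -k and ALTER QMGR SSLKEYR take the repository "stem":
# strip a trailing .kdb so the value is accepted at run time.
mq_keyr_stem() {
    case "$1" in
        *.kdb) printf '%s\n' "${1%.kdb}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Default certificate label MQ looks for: "ibmwebspheremq" + name in lowercase.
# Used for both the client user (Step 2) and the queue manager (Step 6).
mq_default_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Linux user matching a Windows user: first 12 characters, all lowercase.
mq_linux_user() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | cut -c1-12
}

# A CMS key repository is complete only when .kdb, .rdb and .sth all exist
# next to each other. Returns 0 when all three are present, 1 otherwise.
mq_check_keyr() {
    stem=$(mq_keyr_stem "$1")
    missing=0
    for ext in kdb rdb sth; do
        if [ ! -f "$stem.$ext" ]; then
            printf 'missing %s.%s\n' "$stem" "$ext" >&2
            missing=1
        fi
    done
    return $missing
}

# Simplified SSLPEER check: an empty filter (the 1-way channel) accepts any DN;
# otherwise the DN must equal the filter once the blanks after commas are
# removed, because runmqckm prints "CN=x, O=y" while the SSLPEER in Step 10
# is written "CN=x,O=y". MQ wildcards and partial DNs are not handled here.
mq_sslpeer_matches() {
    filter=$(printf '%s' "$1" | sed 's/, */,/g')
    dn=$(printf '%s' "$2" | sed 's/, */,/g')
    [ -z "$filter" ] || [ "$filter" = "$dn" ]
}
```

Run it on the tutorial's values, e.g. `mq_check_keyr /var/mqm/qmgrs/QM92TLS/ssl/QM92TLS.kdb` after Step 5, or `mq_sslpeer_matches 'CN=administrator,O=IBM,C=USA' "$(subject line from runmqckm -cert -details)"` before Step 10, to catch the .kdb-suffix, label and SSLPEER mistakes the tutorial warns about.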

+++ end