How to set up MQ SSL with ACF2 and MQ using site certificates.

Article ID: 29741

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

The MQ SSL setup varies with how a site has configured its MQ environment.
The following is an example setup for two MQ Q managers, ABCD and WXYZ, working in SSL.

1) GENCERT for a self-signed Site cert, label MQ Root CA.

2) GENCERT for each Q manager, ABCD and WXYZ, creating Personal certificates ABCDCHIN.CERT and WXYZCHIN.CERT, using the Root
    as the signing authority, Usage = Handshake.

3) Build two KEYRINGS, ABCDCHIN.ring and WXYZCHIN.ring, each with the MQ Root CA and the Personal certificate for that Q manager as the default.

The required matchups are: the RINGNAME of the ring (ABCDCHIN.ring) must match the ACF2 logonid that runs the channel initiator, and
the LABEL field in the xxxxCHIN.CERT entry must look like ibmWebSphereMQxxxx.

The MQ parm SSLKEYR identifies the desired RINGNAME value.
The queue manager should be set up to run SSL calls, using the WebSphere MQ ALTER QMGR command:
    ALTER QMGR SSLTASKS(n)
    where n is the number of subtasks and must be at least 2.

For example:

KEYRING / ABCDCHIN.RING LAST CHANGED BY USER002 ON 12/30/14-10:25
                    DEFAULT(ABCDCHIN.CERT) RINGNAME(ABCDCHIN)

The following certificates are connected to this key ring:          

CERTDATA record         Label                    Usage          
CERTAUTH.ROOTCMQ        Root CA                  CERTAUTH      
ABCDCHIN.CERT           ibmWebSphereMQABCD   PERSONAL      
 
KEYRING / WXYZCHIN.RING LAST CHANGED BY USER002 ON 12/30/14-10:25 
                     DEFAULT(WXYZCHIN.CERT) RINGNAME(WXYZCHIN)                   

The following certificates are connected to this key ring:          

CERTDATA record         Label                    Usage        
CERTAUTH.ROOTC         MQ Root CA               CERTAUTH      
WXYZCHIN.CERT           ibmWebSphereMQWXYZ   PERSONAL  

 

Environment

Release: 16.0
Component: ACF2 for Z/OS

Resolution

Explanation of which userid is associated with a given site certificate in ACF2.

*************************************************************
 ALTER QMGR SSLKEYR(userid1/CSQ1RING)
*************************************************************

"userid1" would be the MQ manager task logonid which would correspond to the KEYRING owner and the Personal certificate owner. 

If the MQ manager task logonid is ABCDCHIN, then specify:

     ALTER QMGR SSLKEYR(ABCDCHIN/CSQ1RING) based on the following Keyring and certificates:

 
     KEYRING / ABCDCHIN.RING LAST CHANGED BY USER002 ON nn/nn/nn-00:01
                        DEFAULT(ABCDCHIN.CERT) RINGNAME(CSQ1RING)                   

The following certificates are connected to this key ring:          

CERTDATA record       Label                Usage         
CERTAUTH.ROOTCMQ      Root CA              CERTAUTH      
ABCDCHIN.CERT         ibmWebSphereMQABCD   PERSONAL    


The syntax is ALTER QMGR SSLKEYR(ringowner/ringname).

The Keyring is stored in the ACF2 INFOSTG database with a record id of userid.suffix, where userid is the Keyring owner.
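
The matchups described in the Resolution (SSLKEYR ring owner equal to the MQ task logonid, keyring record and Personal certificate owned by that logonid, RINGNAME equal to the SSLKEYR ring name, default certificate label of the form ibmWebSphereMQxxxx) can be checked against a saved keyring listing before the queue manager is altered. The Python below is an added example, not part of the original article and not ACF2 or MQ code; the function names, the sample listing and the assumption that listings follow the layout shown in this article are its own.

```python
import re

# Constructed sample in the layout of the keyring listings in this article.
SAMPLE_LISTING = """\
KEYRING / ABCDCHIN.RING LAST CHANGED BY USER002 ON nn/nn/nn-00:01
                   DEFAULT(ABCDCHIN.CERT) RINGNAME(CSQ1RING)
The following certificates are connected to this key ring:
CERTDATA record       Label                Usage
CERTAUTH.ROOTCMQ      Root CA              CERTAUTH
ABCDCHIN.CERT         ibmWebSphereMQABCD   PERSONAL
"""

def parse_keyring(listing):
    """Parse one keyring listing into owner, ringname, default cert and rows."""
    ring = {"owner": None, "ringname": None, "default": None, "certs": {}}
    for line in listing.splitlines():
        if m := re.match(r"\s*KEYRING / ([^.\s]+)\.", line):
            ring["owner"] = m.group(1)  # record id is userid.suffix
        if m := re.search(r"DEFAULT\(([^)]+)\)\s+RINGNAME\(([^)]+)\)", line):
            ring["default"], ring["ringname"] = m.groups()
        # Certificate row: record id, label (may contain spaces), usage.
        if m := re.match(r"\s*(\S+\.\S+)\s+(.+?)\s+(PERSONAL|CERTAUTH|SITE)\s*$", line):
            ring["certs"][m.group(1)] = (m.group(2), m.group(3))
    return ring

def check_sslkeyr(sslkeyr, task_logonid, qmgr, ring):
    """Return the mismatches between SSLKEYR, the task logonid and the ring."""
    owner, sep, ringname = sslkeyr.partition("/")
    if not sep or not owner or not ringname:
        return ["SSLKEYR is not in ringowner/ringname form"]
    problems = []
    if owner != task_logonid:
        problems.append("ring owner in SSLKEYR is not the task logonid")
    if owner != ring["owner"]:
        problems.append("keyring record is not owned by the SSLKEYR ring owner")
    if ringname != ring["ringname"]:
        problems.append("RINGNAME does not match SSLKEYR")
    default = ring["default"] or ""
    label, usage = ring["certs"].get(default, (None, None))
    if not default.startswith(owner + ".") or usage != "PERSONAL":
        problems.append("default certificate is not a PERSONAL cert of the owner")
    if label != "ibmWebSphereMQ" + qmgr:
        problems.append("default certificate label is not ibmWebSphereMQ" + qmgr)
    if "CERTAUTH" not in {u for _, u in ring["certs"].values()}:
        problems.append("no CERTAUTH certificate connected to the ring")
    return problems

if __name__ == "__main__":
    ring = parse_keyring(SAMPLE_LISTING)
    print(check_sslkeyr("ABCDCHIN/CSQ1RING", "ABCDCHIN", "ABCD", ring) or "OK")
```

An empty list means the SSLKEYR value, the task logonid and the listing agree; each string in a non-empty list names one mismatch to correct in ACF2 or in the ALTER QMGR command.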