Updating the Tibco Message Queue Certificates
Article ID: 44971

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)

Issue/Introduction

Summary:

This article shows an example of creating our own self-signed certificate, packaged as a PKCS #12 keystore, to replace the expired certificate that is used for the Tibco SSL handshake.

Environment

Release: ACP1L005900-12-Access Control Premium Edition-For UNIX Servers License
Component:

Resolution

Instructions: 

Stop the CA PIM Message Queue service.  This can be accomplished within 'services.msc' in Windows, or '/etc/init.d/ca-acrptmq stop' within *nix.

Open a command prompt as an Administrator, or a root shell within an SSH session.

We need to create a PKCS #12 keystore holding the new private key and certificate. The steps below show how to do this on a *nix system; on Windows the syntax is the same, but the commands are run with openssl.exe, whereas on *nix the OpenSSL package must be installed on the target machine.

[root@host private]# openssl genrsa -out private.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................++
............++
e is 65537 (0x10001)

[root@host private]# openssl req -new -key private.key -out my_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@host private]# openssl x509 -req -days 365 -in my_request.csr -signkey private.key -out my_cert.crt
Signature ok
subject=/C=country/ST=place/L=where/O=company/OU=Support/CN=host/[email protected]
Getting Private key
[root@host private]# openssl pkcs12 -export -in my_cert.crt -inkey private.key -out acmq.p12 -name "acmq"
Enter Export Password:
Verifying - Enter Export Password:

[root@host private]# pwd
/etc/pki/CA/private
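The session above answers every OpenSSL prompt by hand. The script below is an added example, not part of this article or of the CA product: it runs the same four OpenSSL steps non-interactively and then checks the resulting keystore the way the closing note of this article asks you to, confirming that the export password opens it, that the alias stored in it is acmq, and that the certificate is not about to expire. It assumes openssl is on PATH; the DN fields, the host name, the export password and the --demo switch are placeholders of mine.

```shell
#!/bin/sh
# Added example, not part of the CA/Broadcom article: the same OpenSSL steps as
# the interactive session above, run non-interactively, followed by checks on
# the resulting keystore. Assumptions: openssl is on PATH; the DN fields are
# placeholders; DIR, CN and the export password are supplied by the caller.
set -eu

# make_keystore DIR CN DAYS PASSWORD [BITS]
# Produces DIR/private.key, DIR/my_request.csr, DIR/my_cert.crt and DIR/acmq.p12
# with the friendly name "acmq", matching the file names used in the article.
make_keystore() {
    dir=$1; cn=$2; days=$3; pass=$4; bits=${5:-4096}
    mkdir -p "$dir"
    umask 077                                   # key and keystore: owner-only
    openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
    # -subj replaces the Distinguished Name prompts (placeholder values)
    openssl req -new -key "$dir/private.key" -out "$dir/my_request.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Corp/OU=Support/CN=$cn"
    openssl x509 -req -days "$days" -in "$dir/my_request.csr" \
        -signkey "$dir/private.key" -out "$dir/my_cert.crt" 2>/dev/null
    # -passout replaces the two "Enter Export Password" prompts
    openssl pkcs12 -export -in "$dir/my_cert.crt" -inkey "$dir/private.key" \
        -out "$dir/acmq.p12" -name acmq -passout "pass:$pass"
}

# keystore_password_ok FILE PASSWORD
# Returns 0 if PASSWORD opens the PKCS#12 file (its MAC verifies), 1 otherwise.
keystore_password_ok() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# keystore_alias FILE PASSWORD
# Prints the friendlyName (the alias, "acmq" here) stored with the certificate.
keystore_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# cert_valid_for FILE SECONDS
# Returns 0 if the certificate is still valid SECONDS from now
# (openssl x509 -checkend), 1 if it expires before then.
cert_valid_for() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Stand-alone run: build a keystore in a temporary directory and report on it.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_keystore "$work" mq.example.test 365 'ChangeMe-Export' 2048
    echo "alias: $(keystore_alias "$work/acmq.p12" 'ChangeMe-Export')"
    keystore_password_ok "$work/acmq.p12" 'ChangeMe-Export' && echo "password: ok"
    cert_valid_for "$work/my_cert.crt" 2592000 && echo "valid for at least 30 days"
    rm -rf "$work"
fi
```

Run it with the --demo switch to build a throwaway keystore in a temporary directory; for a real replacement call make_keystore with the target directory, the server's host name and the export password, and feed that same password to tibemsadmin -mangle afterwards. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; if the message queue cannot load a keystore produced that way, re-export with the -legacy option of openssl pkcs12, which restores the pre-3.0 encoding.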

 

 

[root@host bin]# cd /opt/CA/AccessControlServer/MessageQueue/tibco/ems/5.1/bin/tibemsd
[root@host bin]# ./tibemsadmin -mangle

TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2009 by TIBCO Software Inc.
All rights reserved.

Version 5.1.4 V5 11/14/2009

Enter phrase to mangle:
Confirm phrase to mangle:

$man$JfSdO2iR-xkmDJa9yx7tMCd4G4s

[root@host bin]# cd /opt/CA/AccessControlServer/MessageQueue/conf/data

Navigate to CMInstallDir\MessageQueue\tibco\cfgmgmt\ems\data and back up the existing configuration before editing it:

[root@host data]# cp tibemsd.conf tibemsd_orig.conf

 

Open tibemsd.conf for editing. Locate the ssl_server_identity setting and set its value to the full path and file name of the PKCS#12 keystore.

[root@host data]# cat tibemsd.conf | grep ssl_server_identity
ssl_server_identity = "/opt/CA/AccessControlServer/MessageQueue/conf/acmq.p12"

 

Set the ssl_password token value to the mangled password generated above.

[root@host data]# cat tibemsd.conf | grep ssl_password
ssl_password = $man$JfSdO2iR-xkmDJa9yx7tMCd4G4s
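Editing tibemsd.conf by hand works, but a scripted edit makes the change repeatable and lets you check the result. The script below is an added example, not part of the article or of the product: it takes the same backup the article takes (tibemsd_orig.conf), rewrites the ssl_server_identity and ssl_password lines in place, reads them back, and refuses an ssl_password that does not start with $man$, so the clear-text export password never ends up in the file. The sample configuration, the $man$ values in it and the function names are constructed placeholders of mine.

```shell
#!/bin/sh
# Added example, not part of the article: edit the two SSL settings in
# tibemsd.conf the way the manual edit above does, keeping a tibemsd_orig.conf
# backup and refusing a password that has not been mangled. The sample
# configuration and the $man$ values written here are constructed placeholders,
# not real EMS output.
set -eu

# set_conf_value FILE KEY VALUE
# Rewrites the first "KEY = ..." line, or appends one if KEY is absent.
# awk is used so that '$' and '/' in VALUE stay literal (sed would need escaping).
set_conf_value() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"        # keep the original file mode and ownership
    rm -f "$tmp"
}

# get_conf_value FILE KEY
# Prints the value of KEY with surrounding whitespace and quotes removed.
get_conf_value() {
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            gsub(/^"|"$/, "")
            print; exit
        }' "$1"
}

# update_tibemsd_ssl CONF KEYSTORE_PATH MANGLED_PASSWORD
# Points ssl_server_identity at the PKCS#12 file and sets ssl_password to the
# $man$ string produced by "tibemsadmin -mangle". A value that does not start
# with $man$ would put the clear-text export password in the file, so reject it.
update_tibemsd_ssl() {
    conf=$1; keystore=$2; mangled=$3
    case "$mangled" in
        '$man$'*) ;;
        *) echo "refusing: ssl_password must be the mangled value, not clear text" >&2
           return 1 ;;
    esac
    cp -p "$conf" "$(dirname "$conf")/tibemsd_orig.conf"
    set_conf_value "$conf" ssl_server_identity "\"$keystore\""
    set_conf_value "$conf" ssl_password "$mangled"
}

# write_sample_conf FILE: a constructed, minimal stand-in for tibemsd.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real tibemsd.conf
server = EMS-SERVER
ssl_server_identity = "/opt/CA/AccessControlServer/MessageQueue/conf/old.p12"
ssl_password = $man$OLDPLACEHOLDER
EOF
}

# Stand-alone run: apply the change to a sample file and show the result.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_sample_conf "$work/tibemsd.conf"
    update_tibemsd_ssl "$work/tibemsd.conf" \
        /opt/CA/AccessControlServer/MessageQueue/conf/acmq.p12 '$man$EXAMPLEMANGLEDVALUE'
    grep -E '^ssl_(server_identity|password)' "$work/tibemsd.conf"
    rm -rf "$work"
fi
```

With the --demo switch the script edits a constructed sample file; against a real installation, call update_tibemsd_ssl with the path of tibemsd.conf, the keystore path you copied into the MessageQueue conf directory, and the $man$ string printed by tibemsadmin -mangle, then restart the Message Queue service as the article describes.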

 

Copy the PKCS#12 keystore created for the Message Queue to the /ENTMInstallDir/MessageQueue/Conf directory.

Navigate to CMInstallDir\MessageQueue\Tibco\ems\5.1\bin.

Run the tibemsadmin -mangle command shown above to encrypt the keystore file password, and use the resulting $man$ value as the ssl_password setting.

 

Start the CA PIM Message Queue service. This can be accomplished within 'services.msc' in Windows, or '/etc/init.d/ca-acrptmq start' within *nix.

 

Use acmq as the alias for the Message Queue certificate added to the Message Queue keystore (the -name value given to openssl pkcs12 above). To verify that you are using the right password, check the content of the Tibco keystore. If there are communication problems, review the error messages in server.log under JBoss_HOME\server\default\log and the ems.log files under \Program Files\CA\AccessControlServer\MessageQueue\tibco\log.