Summary:
This article shows how to create a self-signed certificate, package it as a PKCS #12 keystore, and use it to replace the expired certificate that the CA PIM Message Queue (Tibco EMS) uses for its SSL handshake.
Instructions:
Stop the CA PIM Message Queue service. This can be accomplished within 'services.msc' in Windows, or '/etc/init.d/ca-acrptmq stop' within *nix.
Open a command prompt as an Administrator, or root within an SSH session.
We need to create a PKCS #12 keystore. The session below shows the steps on a *nix system; on Windows the syntax is the same, but you run OpenSSL.exe, whereas on *nix the OpenSSL package must be installed on the target machine.
[root@host private]# openssl genrsa -out private.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................++
............++
e is 65537 (0x10001)
--
[root@host private]# openssl req -new -key private.key -out my_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host private]# openssl x509 -req -days 365 -in my_request.csr -signkey private.key -out my_cert.crt
Signature ok
subject=/C=country/ST=place/L=where/O=company/OU=Support/CN=host/[email protected]
Getting Private key
[root@host private]# openssl pkcs12 -export -in my_cert.crt -inkey private.key -out acmq.p12 -name "acmq"
Enter Export Password:
Verifying - Enter Export Password:
[root@host private]# pwd
/etc/pki/CA/private
[root@host bin]# cd /opt/CA/AccessControlServer/MessageQueue/tibco/ems/5.1/bin/tibemsd
[root@host bin]# ./tibemsadmin -mangle
TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2009 by TIBCO Software Inc.
All rights reserved.
Version 5.1.4 V5 11/14/2009
Enter phrase to mangle:
Confirm phrase to mangle:
$man$JfSdO2iR-xkmDJa9yx7tMCd4G4s
[root@host bin]# cd /opt/CA/AccessControlServer/MessageQueue/conf/data
(On Windows, the equivalent directory is CMInstallDir\MessageQueue\tibco\cfgmgmt\ems\data.)
[root@host data]# cp tibemsd.conf tibemsd_orig.conf
Open tibemsd.conf for editing. Locate the ssl_server_identity token and set its value to the full path and file name of the PKCS #12 keystore.
[root@host data]# cat tibemsd.conf | grep ssl_server_identity
ssl_server_identity = "////opt////CA////AccessControlServer////MessageQueue/conf/acmq.p12"
Set the ssl_password token value to the mangled password generated by tibemsadmin above.
[root@host data]# cat tibemsd.conf | grep ssl_password
ssl_password = $man$JfSdO2iR-xkmDJa9yx7tMCd4G4s
Copy the PKCS#12 keystore created for the Message Queue to the /ENTMInstallDir/MessageQueue/Conf directory.
Navigate to CMInstallDir\MessageQueue\Tibco\ems\5.1\bin
Run tibemsadmin -mangle (as shown in the session above) to encrypt the keystore export password, and paste the resulting $man$ value into the ssl_password token.
Start the CA PIM Message Queue service. This can be accomplished within 'services.msc' in Windows, or '/etc/init.d/ca-acrptmq start' within *nix.
Use acmq as the alias for the Message Queue certificate added to the Message Queue keystore. To verify that you are using the right password, check that the Tibco keystore opens with it and lists that alias. If there are communication problems, review the error messages in server.log under JBoss_HOME\server\default\log and in the ems.log files under \Program Files\CA\AccessControlServer\MessageQueue\tibco\log.
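The following shell script is an added example, not code from the article or from CA/TIBCO. It performs the openssl steps from the session above non-interactively (the -subj and -passout options replace the interactive prompts), then adds the checks the last paragraph asks for: that the keystore opens with the intended export password, that the entry carries the acmq alias, and that the certificate is not about to expire. It also rewrites the two tibemsd.conf tokens while keeping a backup copy as the article does. The function names, the subject string, the sample configuration lines in the usage note, and the explicit SHA1/3DES PKCS#12 encryption (chosen because OpenSSL 3 defaults to AES/PBKDF2 bags, which an EMS 5.1-era parser may not read; this is an assumption, not something the article states) are all assumptions. The mangled password still has to come from tibemsadmin -mangle; the script only writes the value it is given.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes openssl is on PATH.
set -eu

# Create private key, self-signed certificate and PKCS#12 keystore in work dir $1.
# $2 = export password, $3 = subject DN, $4 = friendly name (alias), $5 = validity in days.
make_keystore() {
    dir=$1; pw=$2; subj=$3; alias=$4; days=$5
    openssl genrsa -out "$dir/private.key" 4096 2>/dev/null
    # -subj supplies the Distinguished Name fields that the interactive session prompts for
    openssl req -new -key "$dir/private.key" -out "$dir/my_request.csr" -subj "$subj"
    openssl x509 -req -sha256 -days "$days" -in "$dir/my_request.csr" \
        -signkey "$dir/private.key" -out "$dir/my_cert.crt" 2>/dev/null
    # Explicit SHA1/3DES bag encryption and SHA1 MAC (assumption: older EMS releases
    # do not read the AES/PBKDF2 defaults that OpenSSL 3 produces)
    openssl pkcs12 -export -in "$dir/my_cert.crt" -inkey "$dir/private.key" \
        -out "$dir/acmq.p12" -name "$alias" -passout "pass:$pw" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Return 0 when keystore $1 opens with password $2, carries alias $3 and its
# certificate stays valid for at least $4 more seconds; 1/2/3 say which check failed.
verify_keystore() {
    p12=$1; pw=$2; alias=$3; margin=$4
    # Wrong password: openssl cannot verify the MAC and exits non-zero
    bags=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) || return 1
    # The bag attributes printed before the PEM block include the friendly name
    printf '%s\n' "$bags" | grep -q "friendlyName: $alias" || return 2
    # -checkend fails when the certificate expires within the margin (0 = already expired)
    printf '%s\n' "$bags" | openssl x509 -noout -checkend "$margin" >/dev/null 2>&1 || return 3
    return 0
}

# Rewrite the ssl_server_identity and ssl_password tokens in tibemsd.conf ($1),
# keeping the original as *_orig.conf. $2 = keystore path, $3 = mangled ($man$...) password.
update_conf() {
    conf=$1; identity=$2; mangled=$3
    backup="${conf%.conf}_orig.conf"
    cp "$conf" "$backup"
    # awk rather than sed: the mangled value contains '$' and the path contains '/'
    awk -v id="$identity" -v pw="$mangled" '
        $1 == "ssl_server_identity" { print "ssl_server_identity = \"" id "\""; next }
        $1 == "ssl_password"        { print "ssl_password = " pw; next }
        { print }' "$backup" > "$conf"
}
```

Usage: `make_keystore /etc/pki/CA/private 'export-pw' '/C=US/O=Example Co/CN=host' acmq 365`, then `verify_keystore /etc/pki/CA/private/acmq.p12 'export-pw' acmq 2592000` to confirm the password, alias and at least 30 days of validity before copying the file into the MessageQueue conf directory, and finally `update_conf /opt/CA/AccessControlServer/MessageQueue/conf/data/tibemsd.conf /opt/CA/AccessControlServer/MessageQueue/conf/acmq.p12 '$man$...'` with the value tibemsadmin -mangle printed. Running verify_keystore with a 30-day margin as a scheduled check is a cheap way to avoid rediscovering the expired-certificate problem this article fixes.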