NAME
Frontend to gsk7cmd for creating MQ SSL queuemanager certificates
SYNOPSIS
# create the Certification Authority (CA) used to sign the other certificates:
mq-ca.pl -op=ca -qm=queuemanager -pw=passwd -exp=expire in days \
-label=label of certificate [--force] [-debug=0|1|2]
# create a certificate for the queue manager, signed by the above CA:
mq-ca.pl -op=qm -qm=queuemanager -pw=passwd -exp=expire in days \
-label=label of certificate [--force] [-debug=0|1|2]
# create a client certificate, signed by the above CA:
mq-ca.pl -op=client -uname=username -pw=passwd -exp=expire in days \
-label=label of certificate [--force] [-debug=0|1|2]
Here username is the client's user name. It must exist on both client and server and be a member of
the mqm group on both; note that mqm membership also grants full administrative authority on the
queue manager. Run 'refresh security' in the queue manager afterwards.
-op = type of operation:
ca - create a CA which is used to sign certificates
qm - the queue manager on which the queues reside
client - a client which connects to a queue manager through a listener
-qm = <queue manager whose files are created>
-pw = <CA password> set with -op=ca and used again by -op=qm and -op=client
-cadir = <path to CA repository> (default ./ca)
-exp = <certificate expiry period in days> default 365 days
-dn = <distinguished name> identifier, must be unique for every certificate;
just change the CN, which can be anything
ex: 'CN=Experian Secana CA,O=Experian,OU=Decision Analytics,L=Oslo,C=NO'
-gsk7cmd = <path to gsk7cmd binary> does all the certificate/SSL handling for MQ
REQUIREMENTS
This program needs IBM's Global Security Kit v7 installed. It ships with MQ v6 and the MQ v6 fix packs.
You need to install the following rpms:
* gsk7bas
* MQSeriesKeyMan
HOWTO
This is a frontend to gsk7cmd, which is itself a frontend to the Java-based iKeycmd. mq-ca.pl documents every stage and shows you all the gsk7cmd commands it runs.
First we create the CA which we will use to sign all the certificates: mq-ca.pl -op=ca -qm=swolinux -pw=mypassword -exp=365 \ -label "Experian Decision Analytics Secana CA" -cadir='./ca'
You get a ./ca directory holding the CA key repository. Keep it safe: myCA.kdb contains the CA private key, and anyone who can open it can issue certificates that all your queue managers and clients will trust, so restrict it to the user who operates the CA.
Create the queue manager certificate and sign it with the above CA: mq-ca.pl -op=qm -qm=swolinux -pw=mypassword -exp=365 \ -label "Swolinux certificate" -cadir='./ca'
We now get a qmcert-swolinux directory holding the key repository with swolinux's CA-signed certificate. It can be placed anywhere, but it must be readable by the user the queue manager runs as (mqm) and should be readable by nobody else: the .sth stash file lets anyone who can read it open the database without the password. The queue manager's SSLKEYR attribute points at the stem of these files (the path without the .kdb extension).
Create the client certificate and sign it with the above CA: mq-ca.pl -op=client -qm=mbj -pw=mypassword -exp=365 \ -label "mbj client certificate" -cadir='./ca'
Here MQclient.pl on the client runs as user mbj; ensure mbj exists on both client and server and is a member of mqm on both.
Then copy the ./clientcert-mbj/mbj.* files to the client, e.g. under /tmp/mqssl/. This location is then referred to as --sslkey=/tmp/mqssl/mbj when using MQclient.pl.
CHANGES ON QUEUEMANAGER (SERVER)
#change key repository of the queue manager (stem of the files, without .kdb):
echo "alter qmgr SSLKEYR('/dist/mq/mqscripts/qmcert-swolinux/swolinux')" | runmqsc swolinux
echo "refresh security type(SSL)" | runmqsc swolinux
#require a client certificate on the svrconn channel 'secana.ssl'.
#sslcauth(required) only takes effect on a channel that also has sslciph set to a
#CipherSpec; the matching clntconn definition on the client must use the same one.
echo "alter channel('secana.ssl') chltype(svrconn) sslcauth(required)" | runmqsc swolinux
echo "refresh security" | runmqsc swolinux
# view changes:
echo "dis qmgr all" | runmqsc swolinux
echo "dis chl('secana.ssl') all" | runmqsc swolinux
CHANGES ON CLIENT
On the client you only have to refer to the key repository with the --sslkey parameter in the MQclient.pl call.
DEBUG
List certificates in a key-database:
gsk7cmd -cert -list all -db key.kdb -pw *****
To add debug features:
gsk7cmd -Dkeyman.debug=true -Dkeyman.jnitracing=ON ....
Then check log files:
ikmcdbg.log, ikmgdbg.log, ikmjdbg.log
You can also try and recreate the problem using the gui-tool gsk7ikm
with full debug:
gsk7ikm -Dkeyman.debug=true -Dkeyman.jnitracing=ON \
-Djava.security.debug=ALL 2>ikeyman.txt
GSKit 7 has had many defects fixed over time, so update to the latest level. As of January 2008 it is 'WebSphere MQ v6 linux x86 fixpack 6.0.2.3', a 359 MB download; you need an IBM PartnerWorld login to get it.
See more about debugging:
http://www.ibm.com/support/docview.wss?uid=swg27006684
http://www.ibm.com/support/docview.wss?uid=swg21202820
Every certificate you create must have a unique DN; changing the CN is enough to make it unique.
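Before pointing SSLKEYR (or --sslkey) at a repository, and before signing a new request, the checks below can be run. This is an added example, not part of mq-ca.pl, written as a POSIX shell script. The stem layout (<stem>.kdb/.sth/.rdb/.crl) and the 'ibmwebspheremq' + lowercase name label convention come from the runs shown on this page; the file names and DNs used when it is run are constructed. It checks that all four repository files exist, that the .kdb and the .sth stash are readable by their owner only, derives the certificate label MQ v6 expects for a queue manager or a client user, and reports duplicate DNs before the CA refuses them.

```shell
#!/bin/sh
# Pre-flight checks for an MQ v6 CMS key repository (added example, not mq-ca.pl code).
# Assumptions, taken from the runs on this page:
#   - SSLKEYR / --sslkey is a path stem; the files are <stem>.kdb .sth .rdb .crl
#   - MQ v6 expects the personal certificate label to be "ibmwebspheremq" followed by
#     the lowercase queue manager name, or the lowercase user ID for a client
#   - a CMS key database will not hold two certificates with the same DN

# Certificate label MQ expects for a queue manager (kind=qm) or a client user (kind=client).
#   mq_label qm SWOLINUX  -> ibmwebspheremqswolinux
#   mq_label client mbj   -> ibmwebspheremqmbj
mq_label() {
    kind=$1; name=$2
    case "$kind" in
        qm|client) ;;
        *) echo "mq_label: kind must be qm or client" >&2; return 2 ;;
    esac
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
}

# Check one repository stem: all four files present, and the key database plus the
# stash file (which holds the obfuscated password and therefore unlocks the private
# key) readable by the owner only. Prints one line per problem; returns 0 when clean.
check_keyrepo() {
    stem=$1; rc=0
    for ext in kdb sth rdb crl; do
        f="$stem.$ext"
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # ls -l mode string, e.g. -rw-r--r--; columns 5-10 are the group and other bits.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$ext" in
            kdb|sth)
                case "$mode" in
                    ????------) ;;
                    *) echo "too open ($mode): $f  (fix: chmod 600 $f)"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Read DNs from stdin, one per line, and report any that occur more than once.
# Returns 1 if there is a duplicate (the CA would refuse the second request).
check_unique_dns() {
    dups=$(sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate DN(s):"; echo "$dups"; return 1
    fi
    return 0
}

# Usage: sh mq-preflight.sh --run <stem> <qm|client> <name>
main() {
    stem=$1; kind=$2; name=$3
    check_keyrepo "$stem" || exit 1
    echo "label expected by MQ for this repository: $(mq_label "$kind" "$name")"
}

# Run only when asked explicitly, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it as sh mq-preflight.sh --run qmcert-swolinux/swolinux qm swolinux, or source it and call the functions directly. If gsk7cmd created the files with mode 644, as in the listings further down, chmod 600 the .kdb and .sth files, or run mq-ca.pl under umask 077 so they are never world-readable.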
A COMPLETE RUN
This run is included only as a reference for gsk7cmd, whose command syntax can be quite confusing.
#create CA:
$ ./mq-ca.pl -op=ca -cadir='./ca' -pw mypassword123
#Set environment variable:
export JAVA_HOME=/opt/mqm/ssl/jre
#Create directory './ca'
/bin/mkdir -p ./ca
#ok 0.00 sec
#Create CA key repository './ca/myCA.kdb'
/bin/gsk7cmd -keydb -create -db './ca/myCA.kdb' -pw mypassword123 -type cms -expire 366
#ok 4.14 sec
#Create a self signed CA certificate in './ca/myCA.kdb'
/bin/gsk7cmd -cert -create -db './ca/myCA.kdb' -type cms -pw mypassword123 -label 'Experian Secana Public CA' -dn 'CN=Experian Secana CA,O=Experian,OU=Decision Analytics,L=Oslo,C=NO' -expire 366 -size 1024
#ok 4.25 sec
#Extract CA public certificate './ca/myCA.cer'
/bin/gsk7cmd -cert -extract -db './ca/myCA.kdb' -pw mypassword123 -label 'Experian Secana Public CA' -target './ca/myCApublic.cer'
#ok 4.19 sec
$ ls -l /dist/mq/mq-scripts/ca
-rw-r--r-- 1 secana secana 80 Mar 5 13:34 myCA.crl
-rw-r--r-- 1 secana secana 120080 Mar 5 13:34 myCA.kdb
-rw-r--r-- 1 secana secana 868 Mar 5 13:34 myCApublic.cer
-rw-r--r-- 1 secana secana 80 Mar 5 13:34 myCA.rdb
(The user running mq-ca.pl must have write access to the key repository. Note that the files above were created with mode 644; myCA.kdb holds the CA private key, so tighten it with chmod 600 or create it under umask 077.)
$ export JAVA_HOME=/opt/mqm/ssl/jre
$ gsk7cmd -cert -list personal -db 'ca/myCA.kdb' -pw mypassword123
Certificates in database: ./ca/myCA.kdb
Experian Secana Public CA
Create the queue manager certificate and sign it with the previously created CA:
$ ./mq-ca.pl --op=qm -qm=swolinux --cadir='./ca' -pw mypassword123
#Set environment variable:
export JAVA_HOME=/opt/mqm/ssl/jre
#Create queue-manager directory 'qmcert-swolinux'
/bin/mkdir -p qmcert-swolinux
#ok 0.00 sec
#Creating qm-key repository 'qmcert-swolinux/swolinux.kdb'
/bin/gsk7cmd -keydb -create -db 'qmcert-swolinux/swolinux.kdb' -pw mypassword123 -type cms -expire 365 -stash
#ok 4.13 sec
#Add the CA cert './ca/myCAcertfile.cer' to qm-key repository
/bin/gsk7cmd -cert -add -db 'qmcert-swolinux/swolinux.kdb' -pw mypassword123 -label 'Experian Secana Public CA' -file './ca/myCApublic.cer' -format ascii -trust enable
#ok 4.06 sec
#Creating certificate request 'qmcert-swolinux/swolinux.req' in key database 'qmcert-swolinux/swolinux.kdb'
/bin/gsk7cmd -certreq -create -db 'qmcert-swolinux/swolinux.kdb' -pw mypassword123 -label 'ibmwebspheremqswolinux' -dn 'CN=swolinux - queuemanager,O=Experian,OU=Decision Analytics,L=Oslo,C=NO' -file 'qmcert-swolinux/swolinux.req'
#ok 5.63 sec
#CA signs 'qmcert-swolinux/swolinux.req' certificate request
/bin/gsk7cmd -cert -sign -db './ca/myCA.kdb' -pw mypassword123 -label 'Experian Secana Public CA' -file 'qmcert-swolinux/swolinux.req' -target 'qmcert-swolinux/swolinux.cer' -expire 365
#ok 2.33 sec
#Receive signed certificate 'qmcert-swolinux/swolinux.cer' into qm-key repository
/bin/gsk7cmd -cert -receive -db 'qmcert-swolinux/swolinux.kdb' -pw mypassword123 -file 'qmcert-swolinux/swolinux.cer'
#ok 4.64 sec
#Cleaning up temporary files
/bin/rm qmcert-swolinux/swolinux.cer
#ok 0.00 sec
/bin/rm qmcert-swolinux/swolinux.req
#ok 0.00 sec
For the queue manager, point SSLKEYR at the stem /dist/mq/mq-scripts/qmcert-swolinux/swolinux (or give the same stem as --sslkey to MQclient.pl), or copy the directory somewhere more convenient. Note that the default SSLKEYR of a queue manager on UNIX is /var/mqm/qmgrs/<qmname>/ssl/key, not /var/mqm/ssl. Both swolinux.kdb and swolinux.sth should be readable only by the mqm user: the stash file lets whoever can read it open the database without the password.
$ ls -l /dist/mq/mq-scripts/qmcert-swolinux
-rw-r--r-- 1 secana secana 80 Mar 5 13:34 swolinux.crl
-rw-r--r-- 1 secana secana 125080 Mar 5 13:34 swolinux.kdb
-rw-r--r-- 1 secana secana 80 Mar 5 13:34 swolinux.rdb
-rw-r--r-- 1 secana secana 129 Mar 5 13:34 swolinux.sth
Create a client certificate for the user mbj and sign it with the previously generated CA:
$ ./mq-ca.pl --op=client -username=mbj --cadir='./ca' -pw mypassword123
#Set environment variable:
export JAVA_HOME=/opt/mqm/ssl/jre
#Create queue-manager directory 'clientcert-mbj'
/bin/mkdir -p clientcert-mbj
#ok 0.00 sec
#Creating qm-key repository 'clientcert-mbj/key.kdb'
/bin/gsk7cmd -keydb -create -db 'clientcert-mbj/mbj.kdb' -pw mypassword123 -type cms -expire 365 -stash
#ok 3.99 sec
#Add the CA cert './ca/myCAcertfile.cer' to qm-key repository
/bin/gsk7cmd -cert -add -db 'clientcert-mbj/mbj.kdb' -pw mypassword123 -label 'Experian Secana Public CA' -file './ca/myCApublic.cer' -format ascii -trust enable
#ok 3.89 sec
#Creating certificate request 'clientcert-mbj/mbj.req' in key database 'clientcert-mbj/mbj.kdb'
/bin/gsk7cmd -certreq -create -db 'clientcert-mbj/mbj.kdb' -pw mypassword123 -label 'ibmwebspheremqmbj' -dn 'CN=swolinux - client,O=Experian,OU=Decision Analytics,L=Oslo,C=NO' -file 'clientcert-mbj/mbj.req'
#ok 5.38 sec
#CA signs 'clientcert-mbj/mbj.req' certificate request
/bin/gsk7cmd -cert -sign -db './ca/myCA.kdb' -pw mypassword123 -label 'Experian Secana Public CA' -file 'clientcert-mbj/mbj.req' -target 'clientcert-mbj/mbj.cer' -expire 365
#ok 2.33 sec
#Receive signed certificate 'clientcert-mbj/mbj.cer' into mbj-key repository
/bin/gsk7cmd -cert -receive -db 'clientcert-mbj/mbj.kdb' -pw mypassword123 -file 'clientcert-mbj/mbj.cer'
#ok 4.47 sec
ls -l /dist/mq/mq-scripts/clientcert-mbj/
-rw-r--r-- 1 secana secana 80 Mar 5 13:38 mbj.crl
-rw-r--r-- 1 secana secana 125080 Mar 5 13:38 mbj.kdb
-rw-r--r-- 1 secana secana 80 Mar 5 13:38 mbj.rdb
-rw-r--r-- 1 secana secana 129 Mar 5 13:37 mbj.sth
Copy the above directory to the client (e.g. /tmp/mqssl) and use --sslkey=/tmp/mqssl/mbj for MQclient.pl. This certificate is tied to the user, not the host: it can be used from any client as long as the connecting user is mbj (the label ibmwebspheremqmbj must match the lowercase user ID) and the target is the same queue manager.
AUTHOR
Morten Bjoernsvik - morten.bjornsvik@experian-scorex.no - 2008