Providing secure and reliable file transfers
3. To launch the wizard as shown in Figure 7-2 on page 164, right-click Transfer Templates, and select New Transfer
7.4 Enabling SSL security on FTE client agents
7.4.3 Setting up SSL security on the FTE client agent
In this scenario, we set up a one-way SSL channel connection. One-way means that only the queue manager presents a certificate, which the client authenticates.
There are a number of ways to obtain a certificate for the queue manager:
Create self-signed certificates.
Have an internal certification authority.
Request a certificate from a certification authority.
In this scenario, self-signed certificates created with the WebSphere MQ iKeyMan tool are used on the WebSphere MQ server-connection channel from NYFIN to New York.
To create a key repository for queue manager NYQM on Linux:
1. On the New York machine, confirm that the gsk7bas package is installed.
2. Open a Linux terminal, and issue the following commands as the wmbadmin user.
3. Create a key repository for the queue manager using the command shown in Example 7-4:
– Key database type: CMS
– File Name: key.kdb
– Location: /var/mqm/qmgrs/NYQM/ssl
– Password: 111111
Example 7-4 The command of creating a key repository
gsk7capicmd -keydb -create -db /var/mqm/qmgrs/NYQM/ssl/key.kdb -pw 111111 -type cms -expire 365 -stash
4. Create a self-signed certificate for the client using the command in Example 7-5:
– Key Label: ibmwebspheremqnyqm (must be ibmwebspheremq followed by the queue manager name in lowercase)
– Common Name: NYQM (You can have a different naming convention for the common name; feel free to enter any other value.)
– Organization: JKHL (any company's name)
Example 7-5 The command of creating a self-signed certificate
gsk7capicmd -cert -create -db /var/mqm/qmgrs/NYQM/ssl/key.kdb -pw 111111 -label ibmwebspheremqnyqm -dn "CN=NYQM,O=JKHL" -size 1024 -x509version 3 -expire 365
5. List the certificates in the key repository using the command in Figure 7-12 on page 173.
Chapter 7. Phase 1: Basic file transfers 173
Figure 7-12 The certificates in the key repository
Now NYQM has a certificate. NYQM presents this certificate to the NYFIN FTE client agent when the agent connects. To validate the queue manager's certificate, the client needs the certification authority (CA) certificate; because the certificate is self-signed, the self-signed certificate itself plays the role of the CA certificate here.
To extract the CA certificate on NYQM and copy it to the NYFIN client agent:
6. Issue the extract command in Example 7-6, export the certificate to the local file system, and save the certificate as ibmwebspheremqnyqm.der:
– File Name: ibmwebspheremqnyqm.der (binary format)
– Location: /var/mqm/qmgrs/NYQM/ssl/
Example 7-6 Extracting the certificate to local file system
gsk7capicmd -cert -extract -db /var/mqm/qmgrs/NYQM/ssl/key.kdb -pw 111111 -label ibmwebspheremqnyqm -target /var/mqm/qmgrs/NYQM/ssl/ibmwebspheremqnyqm.der -format binary
7. Copy the certificate file to the file system on the NYFIN machine.
To install the CA certificate in the FTE client agent's key repository, perform the following steps on the NYFIN machine:
8. Put the CA certificate file (ibmwebspheremqnyqm.der) in a local directory, such as the C:\IBM\SSL directory on the NYFIN machine.
9. On the NYFIN machine, open the command prompt window, and switch to the <WMQFTE_install_directory>\jre\bin directory. Enter ikeyman, and open the IBM Key Management tool, as shown in Figure 7-13 on page 174.
Figure 7-13 IBM Key Management Tool
10. Create a key repository for the FTE client agent on NYFIN. Select Key Database File→ New, as shown in Figure 7-14 on page 175. Input the information and click OK:
– Key database type: JKS (Java applications must use this type)
– File Name: key.jks
– Location: C:\IBM\SSL
Figure 7-14 Creating a key repository for NYFIN FTE client agent
11. At the password prompt, type the password for this repository, and then click OK, as shown in Figure 7-15.
Figure 7-15 The password window
12. In the main view of the IBM Key Management Tool, click Add, as shown in Figure 7-16 on page 176.
Figure 7-16 The interface of IBM Key Management Tool
13. In the next window, Figure 7-17 on page 177, enter:
– Certificate file name: ibmwebspheremqnyqm.der
– Location: C:\IBM\SSL\
Click OK.
Figure 7-17 Add the certificate to the key repository on NYFIN FTE client agent
14. Type a label for the certificate, such as ibmwebspheremqnyqm, as shown in Figure 7-18.
Figure 7-18 The label for the certificate
The certificate now appears in the Signer Certificates repository, as shown in Figure 7-19 on page 178.
Figure 7-19 Self-signed certificate in the Signer Certificates List
15. Select the server-connection channel that the NYFIN client agent uses, and enable SSL on it.
Set the channel SSL CipherSpec, for example, choose RC4_MD5_US, as shown in Figure 7-20 on page 179. Click OK.
Figure 7-20 Server-connection channel SSL properties
16. Add SSL properties to the agent.properties file on the NYFIN machine. Open the agent.properties file in the directory <FTE configuration data>\config\WASHQM\agents\NYFIN.AGENT, edit the contents, as shown in Figure 7-21 on page 180, and save the file.
Note: During an FTE install the agent's default configuration is defined and the FTE installer references it in the <FTE_install>/install.properties file.
This default configuration is expressed as <FTE configuration data>.
Figure 7-21 Agent.properties of FTE client agent on NYFIN machine
17. Start NYFIN.AGENT, and check the output log for results.
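As an added example (not from the Redbook), the following Python pre-flight check reads the kind of agent.properties that step 16 asks for and compares it with the SVRCONN channel attributes set in step 15, so that a CipherSpec mismatch or a missing trust store is caught before NYFIN.AGENT is started. The agentSsl* and agentQMgr* key names are the WMQ FTE agent properties; the file contents, host name, channel name and password are constructed assumptions.

```python
import re

# Constructed sample agent.properties for NYFIN.AGENT (values modelled on the
# scenario; the key names are the real WMQ FTE agent properties).
SAMPLE_AGENT_PROPERTIES = r"""
agentQMgr=NYQM
agentQMgrHost=newyork.jkhl.example
agentQMgrPort=1414
agentQMgrChannel=NYFIN.SVRCONN
agentSslCipherSpec=RC4_MD5_US
agentSslTrustStore=C:\\IBM\\SSL\\key.jks
agentSslTrustStorePassword=changeit
"""

# Constructed SVRCONN channel attributes, as DISPLAY CHANNEL would report them.
# SSLCAUTH(OPTIONAL) is what one-way SSL needs: the client is not asked for a certificate.
SAMPLE_CHANNEL = {"CHANNEL": "NYFIN.SVRCONN", "SSLCIPH": "RC4_MD5_US", "SSLCAUTH": "OPTIONAL"}

WEAK = re.compile(r"RC4|MD5|NULL|DES", re.IGNORECASE)  # deprecated CipherSpec families

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators,
    and the doubled-backslash escape that Windows paths need in a .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return props

def expected_label(qmgr):
    """Key label WMQ looks up for a queue manager certificate: ibmwebspheremq + name in lowercase."""
    return "ibmwebspheremq" + qmgr.lower()

def check_agent_ssl(props, channel):
    """Return a list of findings; an empty list means the agent can be expected to connect."""
    findings = []
    if props.get("agentQMgrChannel") != channel["CHANNEL"]:
        findings.append("agentQMgrChannel does not name the SVRCONN channel")
    cipher = props.get("agentSslCipherSpec")
    if not cipher:
        findings.append("agentSslCipherSpec missing: a channel with SSLCIPH set rejects the connection")
    elif cipher != channel["SSLCIPH"]:
        findings.append(f"CipherSpec mismatch: agent {cipher} vs channel {channel['SSLCIPH']}")
    if cipher and WEAK.search(cipher):
        findings.append(f"{cipher} is a deprecated CipherSpec; prefer a TLS 1.2 AES/SHA-2 one")
    if not props.get("agentSslTrustStore") or not props.get("agentSslTrustStorePassword"):
        findings.append("agentSslTrustStore and agentSslTrustStorePassword must both be set")
    if channel.get("SSLCAUTH") == "REQUIRED" and not props.get("agentSslKeyStore"):
        findings.append("channel demands a client certificate but agentSslKeyStore is unset")
    return findings
```

With the scenario's own values the only finding is the deprecated RC4_MD5_US CipherSpec; changing the channel's SSLCIPH without updating agentSslCipherSpec produces the mismatch finding that would otherwise show up as a failed handshake in the agent's output log.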
After JKHL enables SSL security on the NYFIN agent, JKHL starts secure file transfers to receive ad hoc reports of changes to office system passwords.