Deploying CA-signed SSL certificates to the LGI scenario
This document details, by example, the steps required to create Secure Sockets Layer (SSL) certificates for a WebSphere MQ (WMQ) network, including z/OS and AIX queue managers and WebSphere Process Server (WPS).
The scenario includes the following components:
• Certificate Authority (CA)
The term CA refers to both the entity (e.g. an organisation or department) responsible for signing certificates and the CA certificate itself. In this example, the CA is an internal CA based on z/OS.
• z/OS queue managers
The LGI scenario includes two z/OS queue managers which are both members of the LGI.Z.CLUSTER WMQ cluster. The LGI.Z.CLUSTER cluster channels are secured with SSL.
• AIX queue managers
The LGI scenario includes several AIX queue managers which are members of the LGI.Z.CLUSTER cluster. The LGI.Z.CLUSTER cluster channels are secured with SSL. The LGI.Z.CLUSTER also contains Linux for System z queue managers which can be configured using the AIX instructions.
• WPS for z/OS
WPS is connected to one of the z/OS queue managers using the MQLink.
The following administration interfaces are used:
• RACF RACDCERT commands
Used to administrate SSL artifacts (i.e. Keyrings and certificates) in RACF. They are executed in JCL on z/OS.
• gsk7cmd commands
Used to administrate SSL artifacts (i.e. key databases and certificates) in GSKit. They are executed from the command line on AIX (and other Unix platforms, such as Linux for System z).
• FTP commands
Used to transfer certificates between machines.
• MQSC commands
Used to administrate WMQ artifacts (e.g. Queue managers). They are executed using runmqsc on distributed platforms and from SDSF on z/OS.
• WPS Integrated Solutions Console (ISC)
Used to administrate the cluster WPS (via the deployment manager) from a web browser.
This document contains the following sections:
1. CA configuration
2. SSL configuration for a z/OS queue manager
3. SSL configuration for an AIX queue manager
4. SSL configuration for WPS
Note: Section 1 must be completed first. Once section 1 is complete, sections 2 to 4 can be carried out in any order.
Note: This document describes the creation of SSL artifacts (i.e. keyrings and certificates) to support SSL on queue manager to queue manager channels (e.g. sender-receiver channels or cluster channels) and MQLink channels. It does not include instructions to create the WMQ channel definitions themselves.
1 CA configuration
In this section you will create the CA keyring and CA certificate on z/OS. The CA is an internal-only CA, which means that its certificate is self-signed rather than signed by an external party.
I. RACDCERT on winmvs70
Create and list the CA certificate.
RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('WMQ CA') +
             OU('LGI') +
             O('FIT') +
             L('Hursley') +
             SP('Hampshire') +
             C('UK')) +
  WITHLABEL('LGIWMQCA')
RACDCERT CERTAUTH +
  LIST(LABEL('LGIWMQCA'))
Create the CA keyring, connect the CA certificate, and list the CA keyring contents.
RACDCERT ID(SYSTASK) +
  ADDRING(LGICAKR)
RACDCERT ID(SYSTASK) +
  CONNECT(CERTAUTH LABEL('LGIWMQCA') +
          RING(LGICAKR) USAGE(CERTAUTH))
RACDCERT ID(SYSTASK) +
  LISTRING(LGICAKR)
2 SSL configuration for a z/OS queue manager (ST03)
In this section you will create a z/OS queue manager certificate, signed by the CA. The queue manager and CA reside on the same z/OS machine.
Note: Section 1 must be carried out before starting this section.
I. RACDCERT on winmvs70
Create and list the queue manager certificate.
RACDCERT ID(SYSTASK) GENCERT +
  SUBJECTSDN(CN('ST03') +
             OU('LGI') +
             O('IBM') +
             L('Hursley') +
             SP('Hampshire') +
             C('UK')) +
  WITHLABEL('ibmWebSphereMQST03') +
  SIGNWITH(CERTAUTH LABEL('LGIWMQCA'))
RACDCERT ID(SYSTASK) +
  LIST(LABEL('ibmWebSphereMQST03'))
Create the queue manager keyring, connect the CA certificate, connect the queue manager certificate, and list the queue manager keyring contents.
RACDCERT ID(SYSTASK) +
  ADDRING(WMQST03KR)
RACDCERT ID(SYSTASK) +
  CONNECT(CERTAUTH LABEL('LGIWMQCA') +
          RING(WMQST03KR) USAGE(CERTAUTH))
RACDCERT ID(SYSTASK) +
  CONNECT(ID(SYSTASK) LABEL('ibmWebSphereMQST03') +
          RING(WMQST03KR) USAGE(PERSONAL))
RACDCERT ID(SYSTASK) +
  LISTRING(WMQST03KR)
II. MQSC on winmvs70
Set the queue manager keyring and refresh the WMQ SSL configuration.
/ST03 ALTER QMGR SSLKEYR(WMQST03KR)
/ST03 REFRESH SECURITY TYPE(SSL)
3 SSL configuration for an AIX queue manager (LGI.FRONT.AIX.01)
In this section you will create a key database and certificate request for the queue manager. The certificate request is signed by the CA and then received into the key database.
Note: Section 1 must be carried out before starting this section.
Note: These instructions also work on other platforms which use the GSKit gsk7cmd command interface (e.g. Linux for System z).
I. Command line on fitmps02
Create the queue manager key database.
gsk7cmd -keydb -create -db "/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01.kdb" -pw password -type cms -expire 365 -stash
Create the queue manager certificate request.
gsk7cmd -certreq -create -db "/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01.kdb" -pw password -label ibmwebspheremqlgi.front.aix.01 -dn "CN=LGI.FRONT.AIX.01, OU=LGI, O=IBM, L=Hursley, ST=Hampshire, C=UK" -file lgi01.req
FTP the queue manager certificate request to the CA machine.
ftp winmvs70.cpit
-> asc
-> quote site recfm=vb
-> put lgi01.req SSL.LGI01.REQ
II. RACDCERT on winmvs70
Sign the queue manager certificate request and list the certificate.
RACDCERT ID(SYSTASK) GENCERT(SSL.LGI01.REQ) +
  SIGNWITH(CERTAUTH LABEL('LGIWMQCA')) +
  WITHLABEL('ibmwebspheremqlgi.front.aix.01')
RACDCERT ID(SYSTASK) +
  LIST(LABEL('ibmwebspheremqlgi.front.aix.01'))
Export the signed queue manager certificate request and the public CA certificate.
RACDCERT ID(SYSTASK) EXPORT( +
  LABEL('ibmwebspheremqlgi.front.aix.01')) +
  DSN(SSL.LGI01.CRT) +
  FORMAT(CERTB64) +
  PASSWORD('password')
RACDCERT CERTAUTH EXPORT( +
  LABEL('LGIWMQCA')) +
  DSN(SSL.WMQCA.CRT) +
  FORMAT(CERTDER)
III. Command line on fitmps02
FTP the signed queue manager certificate request and the public CA certificate from the CA machine.
ftp winmvs70.cpit
-> asc
-> quote site recfm=vb
-> get SSL.LGI01.CRT lgi01.crt
-> bin
-> get SSL.WMQCA.CRT wmqca.crt
Add the public CA certificate to the queue manager's key database.
gsk7cmd -cert -add -db "/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01.kdb" -pw password -label LGIWMQCA -file wmqca.crt -format ascii
Receive the signed queue manager certificate request into the queue manager's key database and list the contents of the queue manager's key database.
gsk7cmd -cert -receive -db "/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01.kdb" -pw password -file lgi01.crt -format ascii
gsk7cmd -cert -list -db "/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01.kdb" -pw password
Set the queue manager key database and refresh the WMQ SSL configuration.
runmqsc LGI.FRONT.AIX.01
-> ALTER QMGR SSLKEYR('/var/mqm/qmgrs/LGI!FRONT!AIX!01/ssl/LGIFRONTAIX01')
-> REFRESH SECURITY TYPE(SSL)
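As an added example (it is not part of the original document and not IBM's code), the following POSIX shell script generalises the AIX steps of this section: it derives the key database path, the SSLKEYR value and the certificate label from any queue manager name using the WMQ naming rules that the document shows only for LGI.FRONT.AIX.01, drives the gsk7cmd commands in the order the section uses, and adds a chain check before the signed certificate is received. The data path /var/mqm, the DRY_RUN variable, the function names and the use of openssl for the check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original document or of the WMQ product.
# Derives the key database path, the SSLKEYR value and the certificate
# label for a distributed queue manager from its name, then drives the
# gsk7cmd steps of section 3. Assumptions (not stated in the original):
# the MQ data path is /var/mqm, DRY_RUN=1 prints commands instead of
# running them, and openssl is available for the optional chain check.

MQ_DATA_PATH="${MQ_DATA_PATH:-/var/mqm}"

# Print a command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# WMQ names the queue manager directory by transforming characters that
# are awkward in file names: '.' becomes '!', '/' becomes '&', '%' becomes ')'.
qmgr_dir_name() {
  printf '%s' "$1" | tr './%' '!&)'
}

# Key database stem, following the document's convention of naming the kdb
# after the queue manager with the dots removed (LGI.FRONT.AIX.01 ->
# LGIFRONTAIX01). The stem without ".kdb" is exactly the SSLKEYR value.
qmgr_sslkeyr() {
  printf '%s/qmgrs/%s/ssl/%s' "$MQ_DATA_PATH" "$(qmgr_dir_name "$1")" \
    "$(printf '%s' "$1" | tr -d '.')"
}

# On distributed platforms the queue manager certificate label must be
# "ibmwebspheremq" followed by the queue manager name in lower case.
qmgr_cert_label() {
  printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Section 3, step I: create the CMS key database (with a stash file, so the
# queue manager can open it without a prompt) and the certificate request.
create_keydb_and_request() {
  qm=$1; pw=$2; dn=$3; req=$4
  kdb="$(qmgr_sslkeyr "$qm").kdb"
  run gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -expire 365 -stash
  run gsk7cmd -certreq -create -db "$kdb" -pw "$pw" \
    -label "$(qmgr_cert_label "$qm")" -dn "$dn" -file "$req"
}

# Optional check before receiving: confirm the signed certificate chains to
# the CA certificate that was transferred. The CA certificate was exported
# as DER (FORMAT(CERTDER)) and the signed one as Base64 (FORMAT(CERTB64)),
# so only the CA file needs converting to PEM for openssl verify.
verify_chain() {
  ca_crt=$1; signed_crt=$2
  tmp_pem=$(mktemp) || return 1
  openssl x509 -inform der -in "$ca_crt" -out "$tmp_pem" || { rm -f "$tmp_pem"; return 1; }
  openssl verify -CAfile "$tmp_pem" "$signed_crt"
  rc=$?
  rm -f "$tmp_pem"
  return $rc
}

# Section 3, step III: add the CA certificate first (GSKit needs it to
# validate the chain), receive the signed certificate, then list the kdb.
# A DER-encoded CA file is "binary" in gsk7cmd terms; a Base64 one is "ascii".
receive_signed_cert() {
  qm=$1; pw=$2; ca_label=$3; ca_crt=$4; ca_format=$5; signed_crt=$6
  kdb="$(qmgr_sslkeyr "$qm").kdb"
  run gsk7cmd -cert -add -db "$kdb" -pw "$pw" -label "$ca_label" \
    -file "$ca_crt" -format "$ca_format"
  run gsk7cmd -cert -receive -db "$kdb" -pw "$pw" -file "$signed_crt" -format ascii
  run gsk7cmd -cert -list -db "$kdb" -pw "$pw"
}

# MQSC that points the queue manager at the key database and picks it up;
# pipe the output into "runmqsc <queue manager name>".
mqsc_set_sslkeyr() {
  printf "ALTER QMGR SSLKEYR('%s')\nREFRESH SECURITY TYPE(SSL)\n" "$(qmgr_sslkeyr "$1")"
}

# Demonstration with the document's queue manager, printing the commands.
if [ "${1:-}" = "demo" ]; then
  DRY_RUN=1
  create_keydb_and_request LGI.FRONT.AIX.01 password \
    "CN=LGI.FRONT.AIX.01, OU=LGI, O=IBM, L=Hursley, ST=Hampshire, C=UK" lgi01.req
  receive_signed_cert LGI.FRONT.AIX.01 password LGIWMQCA wmqca.crt binary lgi01.crt
  mqsc_set_sslkeyr LGI.FRONT.AIX.01
fi
```

Running the script with the argument demo prints the gsk7cmd and MQSC commands for LGI.FRONT.AIX.01 without touching any key database. One point worth checking against the commands above: a CA certificate exported with FORMAT(CERTDER) and transferred in binary mode is DER, which gsk7cmd calls -format binary; -format ascii is for Base64 files such as the CERTB64 export of the signed request, and GSKit will reject the file if the two do not match.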
4 SSL configuration for WPS
In this section you will create a certificate request for WPS. The certificate request is signed by the CA and then received into WPS.
Note: Section 1 must be carried out before starting this section.
I. WPS ISC on winmvs71
Create the WPS certificate request.
Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusKeyStore > Personal certificate requests
Click New and fill in the fields as follows:
• Filename=/WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/CellSBDPlexEDmgr/bpc.req
• Key label=BPCBusCert
• Key size=1024
• CN=BPC
• O=IBM
• OU=LGI
• L=Hursley
• S=Hampshire
• C=GB
Click Ok
Click Save
II. USS Command line on winmvs71
Convert the WPS certificate request from ASCII to EBCDIC.
cd /WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/CellSBDPlexEDmgr
iconv -f 819 -t 1047 bpc.req > bpcconv.req
FTP the WPS certificate request to the CA machine.
ftp winmvs70.cpit
-> asc
-> quote site recfm=vb
-> put bpcconv.req SSL.BPC.REQ
III. RACDCERT on winmvs70
Sign the WPS certificate request and list the certificate.
RACDCERT ID(SYSTASK) GENCERT(SSL.BPC.REQ) +
  SIGNWITH(CERTAUTH LABEL('LGIWMQCA')) +
  WITHLABEL('BPCBusCert')
RACDCERT ID(SYSTASK) +
  LIST(LABEL('BPCBusCert'))
Export the signed WPS certificate request and the public CA certificate.
RACDCERT ID(SYSTASK) EXPORT( +
  LABEL('BPCBusCert')) +
  DSN(SSL.BPC.CRT) +
  FORMAT(CERTDER) +
  PASSWORD('password')
RACDCERT CERTAUTH EXPORT( +
  LABEL('LGIWMQCA')) +
  DSN(SSL.WMQCA.CRT) +
  FORMAT(CERTDER)
IV. USS Command line on winmvs71
FTP the signed WPS certificate request and the public CA certificate from the CA machine.
cd /WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/CellSBDPlexEDmgr
ftp winmvs70.cpit
-> bin
-> get SSL.WMQCA.CRT wmqca.crt
-> get SSL.BPC.CRT bpc.crt
V. WPS ISC on winmvs71
Add the public CA certificate to the WPS trust store.
Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusTrustStore > Signer certificates
Click Add and fill in the fields as follows:
• Alias=LGIWMQCA
• Filename=/WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/CellSBDPlexEDmgr/wmqca.crt
• Datatype=Binary DER data
Click Ok
Click Save
Receive the signed WPS certificate request into the WPS key store.
Navigate to Security->SSL certificate and key management > Key stores and certificates > BPCBusKeyStore > Personal certificates
Click Receive a certificate from a certificate authority and fill in the fields as follows:
• Certificate filename=/WebSphere/V6CSBDM/DeploymentManager/profiles/default/config/cells/CellSBDPlexEDmgr/bpc.crt
• Data type=Binary DER data
Click Ok
Click Save
Enable the WPS certificate for Inbound on cluster member WPSSBN3.
Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->Inbound-CellSBDPlexEDmgr
(CellDefaultSSLSettings,null)->nodes->NodeSBDMVS71N3
(NodeDefaultSSLSettings,null)->servers->WPSSBN3->SIB_MQ_ENDPOINT_SECURE_ADDRESS(BPCBusSSLConfig,bpcbuskey)
Select bpcbuscert from Certificate alias in key store
Click Ok
Enable the WPS certificate for Inbound on cluster member WPSSBN4.
Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->Inbound-CellSBDPlexEDmgr
(CellDefaultSSLSettings,null)->nodes->NodeSBDMVS70N4
(NodeDefaultSSLSettings,null)->servers->WPSSBN4->SIB_MQ_ENDPOINT_SECURE_ADDRESS(BPCBusSSLConfig,bpcbuskey)
Select bpcbuscert from Certificate alias in key store
Click Ok
Enable the WPS certificate for Outbound on cluster member WPSSBN3.
Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->Outbound-CellSBDPlexEDmgr
(CellDefaultSSLSettings,null)->nodes->NodeSBDMVS71N3
(NodeDefaultSSLSettings,null)->servers->WPSSBN3->Bus to WebSphere MQ (BPCBusSSLConfig,bpc self signed certificate_2)
Select bpcbuscert from Certificate alias in key store
Click Ok
Enable the WPS certificate for Outbound on cluster member WPSSBN4.
Navigate to Security->SSL certificate and key management > Manage endpoint security configurations->Outbound-CellSBDPlexEDmgr
(CellDefaultSSLSettings,null)->nodes->NodeSBDMVS70N4
(NodeDefaultSSLSettings,null)->servers->WPSSBN4->Bus to WebSphere MQ (BPCBusSSLConfig,bpc self signed certificate_2)
Select bpcbuscert from Certificate alias in key store
Click Ok
Click Save
Set the WPS certificate as the default client and server certificate.
Navigate to Security->SSL certificate and key management > SSL configurations > BPCBusSSLConfig
Fill in the fields as follows:
• Default server certificate alias=bpcbuscert
• Default client certificate alias=bpcbuscert
Click Ok
Click Save
Restart both application servers.
Navigate to Servers->Application Servers
Select WPSSBN3 and WPSSBN4.
Click Stop. Wait for the servers to stop.
Click Start. Wait for the servers to start.
Put the receiver channel to WPS into inactive state.
Navigate to Service integration->Buses > BPC.CellSBDPlexEDmgr.Bus > Foreign buses > ST03
Click WebSphere MQ link
Click Receiver channel
Select Force for Quiesce state.
Select Stopped for Target state.
Select TO.BPCZ.qmgr and click Stop. Wait for the channel to stop.
Start the sender channel from WPS.
Navigate to Service integration->Buses > BPC.CellSBDPlexEDmgr.Bus > Foreign buses > ST03
Click WebSphere MQ link
Click Sender channel
Select Stopped for Target state.
Select BPC.TO.ST03 and click Stop. Wait for the channel to stop.
Select BPC.TO.ST03 and click Start. Wait for the channel to start.
VI. MQSC on winmvs70
Start the sender channel from the z/OS queue manager.
/ST03 STA CHL('TO.BPCZ.qmgr')
Display the channel status to ensure that the channels in both directions are running.
/ST03 DIS CHS('TO.BPCZ.qmgr')
/ST03 DIS CHS('BPC.TO.ST03')