Examining certificates

Certificates can be examined using the com.ibm.mqe.attributes.MQeListCertificates class. This class opens a registry and allows you to list all the certificates in it, or to examine specific certificates by name. To use the class, you must supply the name of the registry and an MQeFields object that contains the information required to open it:
MQeRegistry.LocalRegType (ascii)
For a public registry, set this parameter to com.ibm.mqe.registry.MQeFileSession. For a private registry, set it to com.ibm.mqe.registry.MQePrivateSession.
MQeRegistry.DirName (ascii)
The name of the directory holding the registry files.
MQeRegistry.PIN (ascii)
The PIN protecting the registry. This is only required for private registries.
No other parameters are required to open the registry for this class. If the registry is a public registry with the name "MQeNode_PublicRegistry" and the class is initialised in the directory that contains the registry, the MQeFields object can be null. If the registry belongs to the mini-certificate server, its name is "MiniCertificateServer". If the registry belongs to a queue, its name is "MiniCertificateServer".
    MQeListCertificates list;
    String fileRegistry = "com.ibm.mqe.registry.MQeFileSession";
    String privateRegistry = "com.ibm.mqe.registry.MQePrivateSession";

    void open(String regName, String regDirectory,
              String regPIN) throws Exception
    {
        MQeFields regParams = new MQeFields();
        // if regPIN == null, assume file registry
        String regType = (regPIN == null) ?
                  fileRegistry : privateRegistry;
        // registry type, using the parameter name given in the list above
        regParams.putAscii(MQeRegistry.LocalRegType, regType);
        regParams.putAscii(MQeRegistry.DirName, regDirectory);
        // the PIN is only required for a private registry
        if (regPIN != null)
            regParams.putAscii(MQeRegistry.PIN, regPIN);

        // the constructor opens the registry
        list = new MQeListCertificates(regName, regParams);
    }
This constructor opens the registry. Once this has been done, the registry entries for the certificates can be retrieved. They can be retrieved either individually by name:
    MQeFields entry = list.readEntry(certificateName);
or all the certificate entries in the registry can be retrieved together:
    MQeFields entries = list.readAllEntries();
The value returned from readAllEntries() is an MQeFields object that contains a field for each certificate in the registry. The name of each field is the name of the certificate, and the content of the field is an MQeFields object containing the registry entry. You can process each registry entry using an enumeration:
    // "enum" is a reserved word from Java 5 onwards, so the
    // enumeration variable is called names here
    Enumeration names = entries.fields();

    if (!names.hasMoreElements())
        System.out.println("no certificates found");
    else
    {
        while (names.hasMoreElements())
        {
            // get the name of the certificate
            String entity = (String) names.nextElement();
            // get the certificate's registry entry
            MQeFields entry = entries.getFields(entity);

            // do something with it
            // ...
        }
    }
The certificate can be obtained from the registry entry using the getWTLSCertificate() method:
    Object certificate = list.getWTLSCertificate(entry);
Information can now be obtained from the certificate:
    String subject   = list.getSubject(certificate);
    String issuer    = list.getIssuer(certificate);
    long   notBefore = list.getNotBefore(certificate);
    long   notAfter  = list.getNotAfter(certificate);
The notBefore and notAfter times are the number of seconds since midnight at the start of 1st January 1970, that is, the standard UNIX® format for dates and times.
Finally, the list object should be closed:
    list.close();
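The steps above, combined into a validity audit that flags expired, not-yet-valid and soon-to-expire certificates. This is an added example, not code from the product documentation or its example programs. The class name CertificateExpiryAudit, the 30-day warning window and the com.ibm.mqe package for MQeFields are assumptions; it opens the public registry from its own directory, so the parameters object is null.

```java
import java.util.Date;
import java.util.Enumeration;
import com.ibm.mqe.MQeFields;   // package name is an assumption
import com.ibm.mqe.attributes.MQeListCertificates;

public class CertificateExpiryAudit {
    // Assumed policy: warn when fewer than 30 days of validity remain
    static final long WARN_SECONDS = 30L * 24 * 60 * 60;

    // Classify a validity window; every argument is in seconds since 1 January 1970
    static String classify(long notBefore, long notAfter, long now) {
        if (notAfter < notBefore) return "INVALID (notAfter precedes notBefore)";
        if (now < notBefore)      return "NOT YET VALID";
        if (now > notAfter)       return "EXPIRED";
        if (notAfter - now <= WARN_SECONDS) return "EXPIRING SOON";
        return "OK";
    }

    public static void main(String[] args) throws Exception {
        // Public registry, run from the directory that contains it
        MQeListCertificates list =
            new MQeListCertificates("MQeNode_PublicRegistry", (MQeFields) null);
        int problems = 0;
        try {
            // Certificate times are in seconds; currentTimeMillis() is in milliseconds
            long now = System.currentTimeMillis() / 1000L;
            MQeFields entries = list.readAllEntries();
            Enumeration names = entries.fields();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                Object cert = list.getWTLSCertificate(entries.getFields(name));
                long notAfter = list.getNotAfter(cert);
                String status = classify(list.getNotBefore(cert), notAfter, now);
                if (!status.equals("OK")) problems++;
                // Date expects milliseconds, so scale the certificate time back up
                System.out.println(name + ": " + status
                        + " subject=" + list.getSubject(cert)
                        + " issuer=" + list.getIssuer(cert)
                        + " notAfter=" + new Date(notAfter * 1000L));
            }
        } finally {
            list.close();   // close the registry even if an entry cannot be read
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means at least one certificate needs attention, so the check can be run from a scheduled job.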
The MQeListCertificates class is used in the example program, examples.certificates.ListWTLSCertificates, which is a command-line program that lists certificates.
The program has one compulsory and three optional parameters:

ListWTLSCertificates <regName> [<ini file>] [<level>] [<cert names>]
where:
regName
The name of the registry whose certificates are to be listed. It can be a private registry belonging to a queue manager, a queue or another entity. It can be a public registry, or, for the administrator, it can be the mini-certificate server's registry. If you want to list the certificates in a queue's registry, you must specify its name as <queue manager>+<queue>, for example myQM+myQueue. If you want to list the certificates in a public registry, it must have the name MQeNode_PublicRegistry. It will not work for a public registry with any other name. The name of the mini-certificate server's registry is MiniCertificateServer.
ini file
This is the name of a configuration file that contains a section for the registry. This is typically the same configuration file that is used for the queue manager or mini-certificate server. For a queue, this is typically the configuration file for the queue manager that owns the queue. This parameter should be specified for all registries except public registries, for which it can be omitted.
level
The level of detail for the listing. This can be:
  • "-b" or "-brief", which prints the names of the certificates, one name per line.
  • "-f" or "-full", which prints the names of the certificates and some of the contents.
This parameter is optional and if omitted the "brief" level of detail is used.
cert names
This is a list of names of the certificates to be listed. It starts with the flag "-cn" followed by names of the certificates, for example -cn ExampleQM putQM. If this parameter is used, only the named certificates are listed. If this parameter is omitted, all the certificates in the registry are listed.
The MQe_Explorer configuration tool can also be used to examine certificates which belong to queue managers or queues.

(c) Copyright IBM Corporation 2004, 2005. All rights reserved.