If you want to use the Secure Sockets Layer (SSL) for channel security, there are a number of tasks you need to perform to set this up on your system. (See the WebSphere MQ Security book for more information about SSL.)
First, create a key ring to hold the queue manager's certificate. For example:
RACDCERT ID(QM1) ADDRING(QM1RING)
The ID should be either the channel initiator address space user ID or, if the key ring is to be shared, the user ID you wish to own the key ring.
Next, create a certificate for the queue manager and connect it to the key ring. The label of the certificate must be of the form ibmWebSphereMQqmgr-name (the literal prefix ibmWebSphereMQ followed by the queue manager name); the channel initiator locates its certificate by this label, so in this example it is ibmWebSphereMQQM1.
For example:
RACDCERT ID(QM1) GENCERT SUBJECTSDN(CN('username') O('IBM') OU('departmentname') C('England')) WITHLABEL('ibmWebSphereMQQM1')
RACDCERT CONNECT(ID(QM1) LABEL('ibmWebSphereMQQM1') RING(QM1RING))
You also need to connect any relevant signer certificates (from a Certification Authority) to the key ring. That is, all Certification Authorities for this queue manager's SSL certificate and all Certification Authorities for all SSL certificates that this queue manager communicates with. For example:
RACDCERT ID(userid) CONNECT(CERTAUTH LABEL('My CA') RING(ring-name) USAGE(CERTAUTH))
Then tell the queue manager which key ring to use, by setting its SSLKEYR attribute to the key ring name:
ALTER QMGR SSLKEYR(QM1RING)
or, if you are using a shared key ring:
ALTER QMGR SSLKEYR(userid/QM1RING)
where userid is the user ID that owns the shared key ring.
If you want certificates to be checked against a certificate revocation list (CRL), define an AUTHINFO object that identifies the LDAP server holding the list. For example:
DEFINE AUTHINFO(LDAP1) AUTHTYPE(CRLLDAP) CONNAME(ldap.server(389)) LDAPUSER('') LDAPPWD('')
In this example, the certificate revocation list is stored in a public area of the LDAP server, so the LDAPUSER and LDAPPWD fields are not necessary.
Next, put your AUTHINFO object into a namelist, using the WebSphere MQ DEFINE NAMELIST command. For example:
DEFINE NAMELIST(LDAPNL) NAMES(LDAP1)
Then set the queue manager's SSLCRLNL attribute to that namelist:
ALTER QMGR SSLCRLNL(LDAPNL)
Set the number of server subtasks the channel initiator uses for SSL calls, with the SSLTASKS attribute. For example:
ALTER QMGR SSLTASKS(8)
This change only takes effect when the channel initiator is restarted.
Finally, specify the CipherSpec on each channel that is to use SSL, with the SSLCIPH attribute; both ends of the channel must specify the same CipherSpec. For example:
ALTER CHANNEL(LDAPCHL) CHLTYPE(SDR) SSLCIPH(RC4_MD5_US)
Note that RC4_MD5_US is shown only to illustrate the syntax: RC4 and MD5 are both broken, so for a production channel choose a stronger CipherSpec from those supported by your queue manager.
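The steps above are easy to get subtly wrong by hand: the certificate label must carry the ibmWebSphereMQ prefix, SSLKEYR takes the userid/ring form only for a shared key ring, every CA must be connected with USAGE(CERTAUTH), and SSLTASKS needs a channel initiator restart. The following script is an added example, not IBM code from this page or the MQ product; it generates the RACF and MQSC command sequence from a few parameters and enforces those rules, flagging weak CipherSpecs. The function names, the demo values (QM1, MQSHARE, "My CA", ldap.server) and the list of CipherSpecs treated as weak are assumptions made for illustration.

```python
"""Generate the RACF and MQSC commands that enable SSL for a WebSphere MQ
for z/OS queue manager, applying the naming rules the procedure depends on.

Added example for this page, not code from IBM or the MQ product. The
function names, the demo values and the WEAK_CIPHERS set are assumptions.
"""

LABEL_PREFIX = "ibmWebSphereMQ"

# CipherSpecs this example flags: RC4 and MD5 are broken, and the NULL_*
# specs authenticate but do not encrypt. (Assumed list, not IBM's.)
WEAK_CIPHERS = {"RC4_MD5_US", "RC4_MD5_EXPORT", "NULL_MD5", "NULL_SHA"}


def certificate_label(qmgr: str) -> str:
    """The channel initiator looks for a certificate labelled
    ibmWebSphereMQ<queue-manager-name>; any other label is not used."""
    if not qmgr or " " in qmgr:
        raise ValueError("queue manager name must be a non-blank token")
    return LABEL_PREFIX + qmgr


def sslkeyr_value(ring: str, ring_owner: str, chinit_user: str) -> str:
    """SSLKEYR is the bare ring name when the channel initiator user ID owns
    the ring, and userid/ring for a shared ring owned by another user ID."""
    return ring if ring_owner == chinit_user else f"{ring_owner}/{ring}"


def build_ssl_setup(qmgr, chinit_user, ring, subject_dn, ring_owner=None,
                    ca_labels=(), crl_ldap=None, ssltasks=8, channels=()):
    """Return {'racf': [...], 'mqsc': [...], 'warnings': [...]}.

    crl_ldap is (host, port) of an anonymously readable CRL server, or None.
    channels is a sequence of (name, chltype, cipherspec) tuples.
    """
    ring_owner = ring_owner or chinit_user
    label = certificate_label(qmgr)
    warnings = []

    racf = [
        # key ring owned by the chinit user ID, or by the shared-ring owner
        f"RACDCERT ID({ring_owner}) ADDRING({ring})",
        # the queue manager's own certificate, with the mandatory label
        f"RACDCERT ID({ring_owner}) GENCERT SUBJECTSDN({subject_dn}) WITHLABEL('{label}')",
        # connect it to the ring
        f"RACDCERT CONNECT(ID({ring_owner}) LABEL('{label}') RING({ring}))",
    ]
    if not ca_labels:
        warnings.append("no CA certificates connected: CA-signed partner certificates will not validate")
    # every CA that signed this queue manager's certificate or any partner's
    racf += [
        f"RACDCERT ID({ring_owner}) CONNECT(CERTAUTH LABEL('{ca}') RING({ring}) USAGE(CERTAUTH))"
        for ca in ca_labels
    ]

    mqsc = [f"ALTER QMGR SSLKEYR({sslkeyr_value(ring, ring_owner, chinit_user)})"]
    if crl_ldap is not None:
        host, port = crl_ldap
        # CRL checking: AUTHINFO object, wrapped in a namelist, attached to the QMGR
        mqsc += [
            f"DEFINE AUTHINFO(LDAP1) AUTHTYPE(CRLLDAP) CONNAME({host}({port})) LDAPUSER('') LDAPPWD('')",
            "DEFINE NAMELIST(LDAPNL) NAMES(LDAP1)",
            "ALTER QMGR SSLCRLNL(LDAPNL)",
        ]
    if not isinstance(ssltasks, int) or ssltasks < 1:
        raise ValueError("SSLTASKS must be a positive integer")
    mqsc.append(f"ALTER QMGR SSLTASKS({ssltasks})")
    warnings.append("SSLTASKS takes effect only after the channel initiator is restarted")
    for name, chltype, cipher in channels:
        if cipher in WEAK_CIPHERS:
            warnings.append(f"channel {name}: CipherSpec {cipher} is weak (RC4/MD5/NULL); choose a stronger one")
        mqsc.append(f"ALTER CHANNEL({name}) CHLTYPE({chltype}) SSLCIPH({cipher})")
    return {"racf": racf, "mqsc": mqsc, "warnings": warnings}


if __name__ == "__main__":
    # Demo with the values used on this page (assumed, not a real system).
    setup = build_ssl_setup(
        "QM1", chinit_user="QM1", ring="QM1RING",
        subject_dn="CN('QM1') O('IBM') OU('departmentname') C('England')",
        ca_labels=["My CA"], crl_ldap=("ldap.server", 389),
        channels=[("LDAPCHL", "SDR", "RC4_MD5_US")])
    for cmd in setup["racf"] + setup["mqsc"]:
        print(cmd)
    for w in setup["warnings"]:
        print("WARNING:", w)
```

Run the script as-is to see the full command sequence for the page's example, or call build_ssl_setup with ring_owner set to a different user ID to see the shared-ring form of SSLKEYR. The generated RACDCERT commands are issued from TSO by the RACF administrator; the MQSC commands go to the queue manager, and the SSLTASKS change is not live until the channel initiator is restarted.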