This section describes how to check whether the SSL certificate chains in your SSL certificate store are complete.
WebSphere® MQ Version 6.0 supplies a new command, AMQCCERT (Check Certificate Chains), that checks whether the certificate chains are complete. The command can be run from a command line or batch file, or as part of a wizard. This section deals only with the use of the wizard.
The wizard is used to select the queue managers and clients that have certificate stores to migrate. It runs the AMQCCERT command against the certificate stores that have been specified and allows you to check the results of the command. If the wizard has been run previously, any queue managers and clients that were previously selected are displayed again.
The wizard also allows you to specify that a queue manager does not use SSL connections, in which case the certificate store (if it exists) is not checked or migrated.
Identify the queue managers or clients that are using SSL channels. See "Determining whether SSL connections have been set up" for guidance on how this is done.
When the Check WebSphere MQ Certificate Store Wizard shows which certificate stores have passed and which have failed, it allows you to look at the details of why a certificate store failed. The following is an example of the type of information shown when you display those details:
C:\ssl\client
5724-B41 (C) Copyright IBM Corp. 1994, 2005. ALL RIGHTS RESERVED.
The number of certificates in the Microsoft Certificate Store ’c:\ssl\client’ is ’13’.
The signer certificate ’GlobalSign Primary Class 1 CA’ is missing for the following certificate.
Microsoft Certificate Store: ’c:\ssl\client’.
Certificate Subject: ’GlobalSign PersonalSign Class 1 CA’.
Certificate Issuer: ’GlobalSign Primary Class 1 CA’.
Certificate Serial Number: ’0400 0000 0000 FA3D EEE9 D9’.
Certificate Valid From: ’22/01/2004’ to ’28/01/2009’.
The signer certificate ’GlobalSign PersonalSign Class 1 CA’ is missing for the following certificate.
Microsoft Certificate Store: ’c:\ssl\client’.
Certificate Subject: ’wm.shakespeare@hamlet.com’.
Certificate Issuer: ’GlobalSign PersonalSign Class 1 CA’.
Certificate Serial Number: ’0100 0000 0001 0170 978B 1E’.
Certificate Valid From: ’14/01/2005’ to ’14/02/2005’.
Certificate chain checking has completed with some failures.
The Check Certificate Chains (amqccert) command has completed.
As well as being displayed in the wizard, this information, along with other progress information, is written to a log file. The log file is located in the WebSphere MQ data directory and is named amqmsccw.txt.
At this point you can replace out-of-date certificates or add missing ones, and then go back to the wizard and recheck the stores to ensure that they now pass. The wizard completes only when all the selected certificate stores have been checked and have passed.
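The following Python example is an addition to this page, not IBM-supplied code. It turns failure messages of the form shown above (for instance, text copied from amqmsccw.txt) into a list of signer certificates to add and a list of expired certificates to replace. It assumes the messages keep the wording of the sample output; the function names, the SAMPLE text (constructed from the output above) and the fixed check date are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: the failure messages shown on this page, one per line.
SAMPLE = r"""
The signer certificate ’GlobalSign Primary Class 1 CA’ is missing for the following certificate.
Microsoft Certificate Store: ’c:\ssl\client’.
Certificate Subject: ’GlobalSign PersonalSign Class 1 CA’.
Certificate Issuer: ’GlobalSign Primary Class 1 CA’.
Certificate Serial Number: ’0400 0000 0000 FA3D EEE9 D9’.
Certificate Valid From: ’22/01/2004’ to ’28/01/2009’.
The signer certificate ’GlobalSign PersonalSign Class 1 CA’ is missing for the following certificate.
Microsoft Certificate Store: ’c:\ssl\client’.
Certificate Subject: ’wm.shakespeare@hamlet.com’.
Certificate Issuer: ’GlobalSign PersonalSign Class 1 CA’.
Certificate Serial Number: ’0100 0000 0001 0170 978B 1E’.
Certificate Valid From: ’14/01/2005’ to ’14/02/2005’.
Certificate chain checking has completed with some failures.
"""

Q = "['’]"  # assumption: quotation marks may be straight or typographic
MISSING = re.compile(rf"The signer certificate {Q}(.+?){Q} is missing")
FIELD = re.compile(r"(Microsoft Certificate Store|Certificate Subject|"
                   rf"Certificate Issuer|Certificate Serial Number): {Q}(.+?){Q}\.")
VALID = re.compile(rf"Certificate Valid From: {Q}([\d/]+){Q} to {Q}([\d/]+){Q}")

def parse_failures(text):
    """Return one dict per 'is missing' message; its details run to the next one."""
    hits = list(MISSING.finditer(text))
    failures = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        detail = text[hit.end():end]
        rec = {"missing_signer": hit.group(1), **dict(FIELD.findall(detail))}
        valid = VALID.search(detail)
        if valid:  # dates are printed as dd/mm/yyyy in the sample output
            rec["not_after"] = datetime.strptime(valid.group(2), "%d/%m/%Y").date()
        failures.append(rec)
    return failures

def remediation(failures, today):
    """Return (signer certificates to add, subjects of expired certificates)."""
    to_add = sorted({f["missing_signer"] for f in failures})
    expired = [f.get("Certificate Subject") for f in failures
               if "not_after" in f and f["not_after"] < today]
    return to_add, expired

if __name__ == "__main__":  # constructed check date, for a repeatable result
    print(remediation(parse_failures(SAMPLE), datetime(2006, 1, 1).date()))
```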