Certificates can be examined using the com.ibm.mqe.attributes.MQeListCertificates class.
This class opens a registry and allows you to list all the certificates in
it, or to examine specific certificates by name. To use the class, you must
supply the name of the registry and an MQeFields object that contains the
information required to open it:
- MQeRegistry.LocalRegType (ascii)
- For a public registry, set this parameter to com.ibm.mqe.registry.MQeFileSession.
For a private registry, set it to com.ibm.mqe.registry.MQePrivateSession.
- MQeRegistry.DirName (ascii)
- The name of the directory holding the registry files.
- MQeRegistry.PIN (ascii)
- The PIN protecting the registry. This is only required for private registries.
No other parameters are required to open the registry for this
class. If the registry is a public registry with the name "MQeNode_PublicRegistry" and
the class is initialised in the directory that contains the registry, the
MQeFields object can be null. If the registry belongs to the mini-certificate
server, its name is "MiniCertificateServer". If the registry belongs to a
queue, its name is "MiniCertificateServer".
    import com.ibm.mqe.MQeFields;
    import com.ibm.mqe.attributes.MQeListCertificates;
    import com.ibm.mqe.registry.MQeRegistry;

    MQeListCertificates list;
    String fileRegistry = "com.ibm.mqe.registry.MQeFileSession";
    String privateRegistry = "com.ibm.mqe.registry.MQePrivateSession";

    // Opens the named registry; pass regPIN == null for a public (file) registry
    void open(String regName, String regDirectory,
              String regPIN) throws Exception
    {
        MQeFields regParams = new MQeFields();
        // if regPIN == null, assume file registry
        String regType = (regPIN == null) ?
            fileRegistry : privateRegistry;
        regParams.putAscii(MQeRegistry.RegType, regType);
        regParams.putAscii(MQeRegistry.DirName, regDirectory);
        // the PIN is only required for a private registry
        if (regPIN != null)
            regParams.putAscii(MQeRegistry.PIN, regPIN);
        list = new MQeListCertificates(regName, regParams);
    }
This constructor opens the registry. Once this has been done, the registry
entries for the certificates can be retrieved. They can be retrieved either
individually by name:
    MQeFields entry = list.readEntry(certificateName);
or all the certificate entries in the registry can be retrieved together:
    MQeFields entries = list.readAllEntries();
The value returned from readAllEntries() is an MQeFields object that contains
a field for each certificate in the registry. The name of the field is the
name of the certificate, and the contents of the field is an MQeFields object
containing the registry entry. You can process each registry entry using an
enumeration:
    // requires: import java.util.Enumeration;
    // "enum" is a reserved word in Java 5 and later, so the variable
    // is named certNames here
    Enumeration certNames = entries.fields();
    if (!certNames.hasMoreElements())
        System.out.println("no certificates found");
    else
    {
        while (certNames.hasMoreElements())
        {
            // get the name of the certificate
            String entity = (String) certNames.nextElement();
            // get the certificate's registry entry
            MQeFields entry = entries.getFields(entity);
            // do something with it
            ...
        }
    }
The certificate can be obtained from the registry entry using the
getWTLSCertificate() method:
    Object certificate = list.getWTLSCertificate(entry);
Information can now be obtained from the certificate:
    String subject = list.getSubject(certificate);
    String issuer = list.getIssuer(certificate);
    long notBefore = list.getNotBefore(certificate);
    long notAfter = list.getNotAfter(certificate);
The notBefore and notAfter times are the number of seconds since the midnight
starting 1st January 1970, that is the standard UNIX® format for dates and
times.
Finally, the list object should be closed:
    list.close();
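Because notBefore and notAfter are in seconds while Java's System.currentTimeMillis() is in milliseconds, a validity check has to convert units before comparing. The following is an added example, not part of the original documentation or the MQe example programs, that classifies a certificate's validity window. The class name CertValidityCheck, the sec() helper, the 30-day warning threshold and the sample data are assumptions; the sample data is constructed and stands in for values read through MQeListCertificates.

```java
import java.time.Duration;
import java.time.Instant;

public class CertValidityCheck {

    enum Status { NOT_YET_VALID, EXPIRED, EXPIRING_SOON, VALID }

    // notBefore/notAfter are SECONDS since 1 January 1970. Comparing them
    // directly with System.currentTimeMillis() (milliseconds) would make
    // every certificate look expired, so convert with Instant.ofEpochSecond.
    static Status classify(long notBefore, long notAfter, Instant now, Duration warn) {
        Instant start = Instant.ofEpochSecond(notBefore);
        Instant end = Instant.ofEpochSecond(notAfter);
        if (now.isBefore(start)) return Status.NOT_YET_VALID;
        if (now.isAfter(end)) return Status.EXPIRED;
        if (now.plus(warn).isAfter(end)) return Status.EXPIRING_SOON;
        return Status.VALID;
    }

    // Hypothetical helper for building the constructed sample values below.
    static long sec(String isoUtc) {
        return Instant.parse(isoUtc).getEpochSecond();
    }

    public static void main(String[] args) {
        // Fixed "now" so the run is reproducible; use Instant.now() in practice.
        Instant now = Instant.parse("2024-06-01T00:00:00Z");
        Duration warn = Duration.ofDays(30);   // assumed warning threshold

        // Constructed sample data standing in for the values returned by
        // list.getSubject(), list.getNotBefore() and list.getNotAfter().
        String[] subjects = { "ExampleQM", "putQM", "oldQM", "newQM" };
        long[][] validity = {
            { sec("2023-01-01T00:00:00Z"), sec("2025-01-01T00:00:00Z") },
            { sec("2023-06-15T00:00:00Z"), sec("2024-06-15T00:00:00Z") },
            { sec("2022-01-01T00:00:00Z"), sec("2023-01-01T00:00:00Z") },
            { sec("2024-07-01T00:00:00Z"), sec("2025-07-01T00:00:00Z") },
        };

        for (int i = 0; i < subjects.length; i++) {
            Status s = classify(validity[i][0], validity[i][1], now, warn);
            System.out.printf("%-10s %s .. %s  %s%n", subjects[i],
                    Instant.ofEpochSecond(validity[i][0]),
                    Instant.ofEpochSecond(validity[i][1]), s);
        }
    }
}
```

In a real listing, the two long values passed to classify() would come from list.getNotBefore(certificate) and list.getNotAfter(certificate) inside the enumeration loop shown earlier.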
The MQeListCertificates class is used in the example program,
examples.certificates.ListWTLSCertificates, which is a command-line program
that lists certificates.
The program has one compulsory and three optional parameters:
    ListWTLSCertificates <regName> [<ini file>] [<level>] [<cert names>]
where:
- regName
- The name of the registry whose certificates are to be listed. It can be
a private registry belonging to a queue manager, a queue or another entity.
It can be a public registry, or, for the administrator, it can be the mini-certificate
server's registry. If you want to list the certificates in a queue's registry,
you must specify its name as <queue manager>+<queue>,
for example myQM+myQueue. If you want to list the certificates
in a public registry, it must have the name MQeNode_PublicRegistry.
It will not work for a public registry with any other name. The name of the
mini-certificate server's registry is MiniCertificateServer.
- ini file
- This is the name of a configuration file that contains a section for the
registry. This is typically the same configuration file that is used for the
queue manager or mini-certificate server. For a queue, this is typically the
configuration file for the queue manager that owns the queue. This parameter
should be specified for all registries except public registries, for which
it can be omitted.
- level
- The level of detail for the listing. This can be:
  - "-b" or "-brief", which prints the names of the certificates, one name
    per line.
  - "-f" or "-full", which prints the names of the certificates and some
    of the contents.
  This parameter is optional and if omitted the "brief" level of detail
  is used.
- cert names
- This is a list of names of the certificates to be listed. It starts with
the flag "-cn" followed by names of the certificates, for
example -cn ExampleQM putQM. If this parameter is used, only
the named certificates are listed. If this parameter is omitted, all the certificates
in the registry are listed.
The MQe_Explorer configuration tool can also be used to examine
certificates which belong to queue managers or queues.