To complete this task, follow these steps:
1. On both QM1 and QM2, ensure the key repository is correctly set up:
2. On both QM1 and QM2, create a self-signed certificate:
3. This step is required only on z/OS systems. On both QM1 and QM2, add the certificate created in step 2 to the key repository that was set up in step 1, as described in Adding personal certificates to a key repository.
4. To authenticate a partner's certificate when using self-signed certificates, you must send a copy to the partner system. To send it, you must first extract it:
5. If QM1 and QM2 are running on different systems, transfer the CA part of the QM1 certificate to the QM2 system and vice versa, for example, by ftp.
   When you transfer certificates by ftp, you must ensure that you do so in the correct format.
   Transfer the following certificate types in binary format:
   Transfer the following certificate types in ASCII format:
6. Add the partner's certificate to the key repository:
7. On QM1, define a sender channel to use SSL. For example:
   DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) CONNAME(QM1.MACH.COM) XMITQ(QM2) SSLCIPH(RC4_MD5_US) DESCR('Sender channel using SSL from QM1 to QM2')
   This example uses CipherSpec RC4_MD5_US. Note that the CipherSpecs at each end of the channel must be the same.
   Only the SSLCIPH parameter is mandatory if you want your channel to use SSL. Refer to Working with CipherSpecs for information about the permitted values for the SSLCIPH parameter.
   Refer to the WebSphere MQ Script (MQSC) Command Reference for a complete description of the DEFINE CHANNEL command, and to the WebSphere MQ Intercommunication book for general information about WebSphere MQ channels.
   For a description of the i5/OS CRTMQMCHL command, which is used to define channels on i5/OS, refer to the WebSphere MQ for iSeries V6 System Administration Guide.
8. On QM1, define a transmission queue for your sender channel to use:
   DEFINE QLOCAL(QM2) USAGE(XMITQ)
9. On QM2, define a receiver channel with the same name as the sender channel you defined in step 7, and using the same CipherSpec:
   DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(RC4_MD5_US) SSLCAUTH(REQUIRED) DESCR('Receiver channel using SSL from QM1 to QM2')
10. Now that you have completed all the definitions, if you have not already done so, start the channel initiator on WebSphere MQ for z/OS and, on all platforms, start a listener program on QM2. The listener program listens for incoming network requests and starts the receiver channel when it is needed. For information on how to start a listener, see the WebSphere MQ: Intercommunication manual.
    If the channel initiator was already running (on z/OS) or if any SSL channels have run previously, you need to issue a REFRESH SECURITY TYPE(SSL) command. This ensures that all the changes made to the key repository are available.
11. Start the channel on QM1:
    START CHANNEL(QM1.TO.QM2)
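
The channel definitions in the steps above have to agree with each other: same channel name at both ends, same CipherSpec, and a transmission queue that exists. The following Python check is an added example, not part of the original documentation or of WebSphere MQ. It parses single-line MQSC DEFINE commands and reports mismatches, and it also flags CipherSpecs built on algorithms such as RC4 or MD5, which are no longer considered secure. The function names, the weak-algorithm list and the sample input are assumptions of this example.

```python
import re

# Constructed sample input: the three definitions from the steps above.
SAMPLE_MQSC = """\
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) CONNAME(QM1.MACH.COM) XMITQ(QM2) SSLCIPH(RC4_MD5_US)
DEFINE QLOCAL(QM2) USAGE(XMITQ)
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(RC4_MD5_US) SSLCAUTH(REQUIRED)
"""
# Assumption of this example: name fragments that mark a CipherSpec as weak.
WEAK_MARKERS = ("NULL", "RC4", "RC2", "DES", "MD5")
PARAM = re.compile(r"(\w+)\(('[^']*'|[^)]*)\)")  # KEYWORD(value) or KEYWORD('text')

def parse_mqsc(text):
    """Return one dict per single-line DEFINE command."""
    objects = []
    for line in text.splitlines():
        params = [(k.upper(), v.strip("'")) for k, v in PARAM.findall(line)]
        if line.strip().upper().startswith("DEFINE ") and params:
            (kind, name), attrs = params[0], dict(params[1:])
            objects.append({"kind": kind, "name": name, **attrs})
    return objects

def audit_channel_pair(text):
    """Check sender, receiver and transmission queue against the steps above."""
    objs = parse_mqsc(text)
    chans = [o for o in objs if o["kind"] == "CHANNEL"]
    xmitqs = {o["name"] for o in objs
              if o["kind"] == "QLOCAL" and o.get("USAGE") == "XMITQ"}
    findings = []
    for sdr in (c for c in chans if c.get("CHLTYPE") == "SDR"):
        name = sdr["name"]
        if sdr.get("XMITQ") not in xmitqs:
            findings.append(f"{name}: transmission queue {sdr.get('XMITQ')} is not defined")
        rcvr = next((c for c in chans
                     if c.get("CHLTYPE") == "RCVR" and c["name"] == name), None)
        if rcvr is None:
            findings.append(f"{name}: no receiver channel with the same name")
        elif rcvr.get("SSLCIPH") != sdr.get("SSLCIPH"):
            findings.append(f"{name}: CipherSpec differs between sender and receiver")
    for c in chans:
        label, ciph = f"{c['name']} ({c.get('CHLTYPE')})", c.get("SSLCIPH", "")
        if not ciph:
            findings.append(f"{label}: no SSLCIPH, channel does not use SSL")
        elif any(m in ciph.upper() for m in WEAK_MARKERS):
            findings.append(f"{label}: weak CipherSpec {ciph}")
        # SSLCAUTH defaults to REQUIRED; flag only an explicit downgrade.
        if c.get("CHLTYPE") == "RCVR" and c.get("SSLCAUTH", "REQUIRED") != "REQUIRED":
            findings.append(f"{label}: receiver does not require a client certificate")
    return findings

if __name__ == "__main__":
    for finding in audit_channel_pair(SAMPLE_MQSC):
        print(finding)
```

Run against the definitions from the steps, the check reports no pairing errors but flags RC4_MD5_US on both channel ends.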