Creating IBM Keystores for the Queue Manager and Client

Each end of the TLS connection must have a keystore. A sample script is included in the plug-in's samples directory to create keystores for the queue manager and client.

Setting up the WebSphere MQ queue manager relies on certificates generated using this script. The script is annotated, and is intended to be used as a template to aid you in the creation of your own scripts. Use this script to assist in the creation of TLS connections in an evaluation or development environment only. Because all the certificates created by the script are self-signed, they are inappropriate for production use.

Location of the Script

Versions of the script are available for UNIX and Windows. The scripts are:
  • UNIX

    TIBCO_HOME/bw/palettes/bwmq/8.4/samples/createQueueManagerKeystore.sh

  • Microsoft Windows

    TIBCO_HOME\bw\palettes\bwmq\8.4\samples\sslcert.bat

Script Syntax

Run the version of the script that matches your platform. For example, on a UNIX system, run the command:

    createQueueManagerKeystore.sh keystordir qm-name keystore-password

where:
  • keystordir is the directory in which to create the keystores. This can be a working directory or the SSL directory in the queue manager's data directory, so long as the queue manager's keystore is eventually placed in the location configured in its SSL parameters.
  • qm-name is the name of the queue manager for which the keystore is being created. This name must use lower case characters only.
  • keystore-password is the password used to secure the keystore.

You can either customize the scripts to produce keystores that suit your environment's standards, or enter the commands individually to accomplish the same thing.

Output of the Script

The objective of each script is to produce two IBM CMS type keystores, each containing an identity and the other's signing CA certificate. That way, a TLS connection can be established using one keystore at each end.

Running this script generates a number of files, most importantly:

  • qm-name.sth is the stash file for the queue manager's keystore.
  • qm-name.kdb is the IBM CMS format keystore for the queue manager.
  • client.kdb is the IBM CMS format keystore to be used to make a Java keystore for the client.
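
An added example, not part of the TIBCO sample or of this page's original content: a POSIX shell wrapper that enforces the lower-case qm-name rule before running the script, then verifies that the three output files listed above exist and are not readable by other users. The function names are hypothetical, and the script path passed as the first argument is an assumption.

```shell
#!/bin/sh
# Added example: checks around the sample keystore script.
# Function names are hypothetical, not part of the TIBCO sample.

# qm-name must be lower case only: reject empty names and any upper-case character.
qm_name_ok() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# Confirm the three files named under "Output of the Script" exist, are non-empty,
# and are not readable by "other" users (the .sth stash file unlocks the .kdb).
# Prints one line per problem; returns 0 only when there are none.
check_keystore_outputs() {
    dir=$1 qm=$2 problems=0
    for f in "$qm.kdb" "$qm.sth" client.kdb; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            problems=$((problems + 1))
        elif [ -n "$(find "$dir/$f" -prune -perm -004)" ]; then
            echo "readable by other users: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Validate the arguments, run the script, then verify what it produced.
# $1 is an assumption: the path to the sample script under TIBCO_HOME.
# Returns 2 for bad arguments, 3 if the script fails, 1 if the outputs fail the checks.
create_and_check() {
    script=$1 dir=$2 qm=$3 pw=$4
    qm_name_ok "$qm" || { echo "qm-name must be lower case: $qm"; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    "$script" "$dir" "$qm" "$pw" || return 3
    check_keystore_outputs "$dir" "$qm"
}
```

Because keystore-password is passed as a command-line argument, it is visible in the process list while the script runs, which is one more reason to keep this workflow to evaluation or development hosts.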