Creating IBM Keystores for the Queue Manager and Client
Each end of the TLS connection must have a keystore. A sample script is included in the plug-in's samples directory to create keystores for the queue manager and client.
Setting up the IBM MQ queue manager relies on certificates generated using this script. The script is annotated and is intended to be used as a template to aid you in the creation of your scripts. Use this script to assist in the creation of TLS connections in an evaluation or development environment only. Because all the certificates created by the script are self-signed, they are inappropriate for production use.
Location of the Script
Versions of the script are available for UNIX and Windows. The scripts are:
- UNIX: TIBCO_HOME/bw/palettes/bwmq/version/samples/createQueueManagerKeystore.sh
- Microsoft Windows: TIBCO_HOME\bw\palettes\bwmq\version\samples\sslcert.bat
Script Syntax
Run the script for your platform. For example, on a UNIX system, run the command:
createQueueManagerKeystore.sh keystordir qm-name keystore-password
where:
- keystordir is the directory in which to create the keystores. This can be a working directory or the SSL directory in the queue manager's data directory, so long as the queue manager's keystore is eventually placed in the location configured in its SSL parameters.
- qm-name is the name of the queue manager for which the keystore is being created. This name must use lower case characters only.
- keystore-password is the password used to secure the keystore.
You can either customize the scripts to produce keystores that suit your environment's standards, or enter the commands individually to accomplish the same thing.
Output of the Script
The objective of each script is to produce two IBM CMS type keystores, each containing an identity and the other's signing CA certificate. That way, a TLS connection can be instantiated using one keystore at each end.
Running this script generates many files, most importantly:
- qm-name.sth is the stash file for the queue manager's key store.
- qm-name.kdb is the IBM CMS format keystore for the queue manager.
- client.kdb is the IBM CMS format keystore to be used to make a Java keystore for the client.
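As an added example (not part of the plug-in's sample scripts), the shell function below checks a keystore directory after the script has run: the three files listed above exist and are non-empty, the queue manager name is lower case, and none of the files is accessible to users outside the owner and group. The function name check_keystore_output and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-run check of the keystore script's output directory.
# File names (qm-name.kdb, qm-name.sth, client.kdb) come from the page;
# the function name and the permission policy are assumptions.

check_keystore_output() {
    dir=$1
    qm=$2
    problems=0

    # The page requires the queue manager name in lower case only.
    case $qm in
        '' | *[[:upper:]]*)
            echo "qm-name '$qm' must be non-empty and lower case" >&2
            return 2 ;;
    esac

    for f in "$qm.kdb" "$qm.sth" "client.kdb"; do
        path=$dir/$f
        if [ ! -s "$path" ]; then
            echo "missing or empty: $path" >&2
            problems=$((problems + 1))
            continue
        fi
        # The stash file lets the keystore be opened without a password
        # prompt, so neither it nor the key databases should carry any
        # permission bit for "other" users.
        if [ -n "$(find "$path" -prune \( -perm -001 -o -perm -002 -o -perm -004 \))" ]; then
            echo "world-accessible: $path" >&2
            problems=$((problems + 1))
        fi
    done

    # Succeed only when every file is present and protected.
    [ "$problems" -eq 0 ]
}
```

Call it as check_keystore_output keystordir qm-name; it returns 0 when the directory passes, 2 for a bad queue manager name, and 1 for a missing or exposed file.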