Alert ID : INFO881

Last Modified : 05/03/2018

Certificate Signing Request (CSR) Generation Instructions - IBM WebSphere MQ

Description

This document provides Certificate Signing Request (CSR) generation instructions for the IBM WebSphere MQ server. If you are unable to use these instructions for your server, GeoTrust recommends that you contact the server vendor or the organization that supports your IBM WebSphere MQ server.

To generate a CSR, you first need to create a key pair for your server. The CSR is signed with, and embeds the public half of, that key pair, and the certificate issued from it is bound to the private key that stays in your key database (.kdb) and its stash file (.sth). If you lose the key database or its password and generate a new key pair, the SSL certificate issued against the old CSR will no longer match and a replacement certificate has to be requested with a fresh CSR.

GeoTrust recommends that you contact IBM for additional information.

Generate Keypair and CSR

NOTE: A key length of 1024 bits is the default, but GeoTrust recommends the use of a 2048-bit key. Public certificate authorities no longer issue certificates for 1024-bit RSA keys, so always pass an explicit key size of at least 2048 bits.
 
Step 1: Preparing your system to use the iKeyman utility.
  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).  
    Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system.  
  2. Be sure to set the following:
    • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0
    • Ensure that the user's path contains /usr/bin.
    • Set the JAVA_HOME environment variable (no spaces around the equals sign, or the shell treats JAVA_HOME as a command):

                          1. AIX: export JAVA_HOME=/usr/mqm/ssl/jre
                          2. HP-UX: export JAVA_HOME=/opt/mqm/ssl
                          3. Linux: export JAVA_HOME=/opt/mqm/ssl/jre
                          4. Solaris: export JAVA_HOME=/opt/mqm/ssl

Step 2: Setting up a key repository.

  1. Open the iKeyman GUI, or use the UNIX or Windows command line to do one of the following:  
     
    Using the iKeyman GUI: 
    Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values for File Name and Location, and set a password. 
     
    Using iKeycmd (UNIX command line): 
    Use this command (all options take a single leading hyphen):
    gsk7cmd -keydb -create -db filename -pw password -type cms -expire days -stash
     
    Using iKeycmd (Windows command line): 
    Use this command:
    runmqckm -keydb -create -db filename -pw password -type cms -expire days -stash

    where:
    • -db filename is the fully qualified name of the CMS key database, with the extension .kdb.
    • -pw password is the password that protects the CMS key database. Note that a password given on the command line is visible to other users in the process list for the duration of the command.
    • -type cms is the type of database.
    • -expire days is the expiration time in days of the database password. The default is 60 days.
    • -stash tells iKeycmd to stash the key database password to a file (same name as the database, extension .sth), so that the queue manager can open the repository without prompting.

On Windows, the key database file (.kdb) is created with read permission for all user IDs, so the queue manager can open it without further changes; because the .kdb file together with the .sth stash file yields the private key, you should still restrict access to the account under which the queue manager runs and to administrators. On UNIX, both the .kdb and the .sth files are created, and their access permissions are set to give access only to the user ID from which you ran iKeyman or iKeycmd.

  2. If you are running UNIX, run chmod to give read access to the MCA (the queue manager runs under the mqm group). For example:
    • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb 
    • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth
  3. If you are running a queue manager, change the key repository location. SSLKEYR takes the path and stem name of the key database without the .kdb extension, so the example below refers to the file /var/mqm/qmgrs/QM1/ssl/MyKey.kdb. For example:
    • ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/MyKey')
    Issue REFRESH SECURITY TYPE(SSL) afterwards so that running channels pick up the new repository.

Step 3: Generating a CSR.

Using the iKeyman GUI

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
  2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and select CMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the appropriate key database file, for example key.kdb.
  5. Click Open.
  6. Type the key database password and click OK.
  7. Click New Certificate Request from the Create menu.
  8. Type the following in the Key Label field:
    • For a queue manager, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
    • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.
  9. Type values for Common Name, Organization, Organizational Unit, City/Locality, State/Province and select a Country from the list.
  10. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
  11. Click OK. When the confirmation window displays, click OK again.
  12. The file you created contains the CSR. Submit the CSR to GeoTrust.
  13. Verify your CSR with the GeoTrust CSR Checker.

Using iKeycmd (command line interface)

  1. To generate a CSR in iKeycmd (using the UNIX command line), use this command:
    • gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

  2. To generate a CSR in iKeycmd (using the Windows command line), use this command:
    • runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

    where:
    • -db filename is the fully qualified name of the CMS key database, with the extension .kdb.
    • -pw password is the password that protects the CMS key database.
    • -label label is the key label attached to the certificate (ibmwebspheremq followed by the queue manager name or logon user ID in lowercase, as in the GUI steps above).
    • -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
    • -size key_size is the key size in bits. We recommend that you make this value 2048.
    • -file filename is the filename for the certificate request.
       
  3. The file you created contains the CSR. Submit the CSR to GeoTrust.
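The following script, added here as a worked example and not part of the GeoTrust or IBM documentation, strings together Step 2 (key repository) and Step 3 (CSR) for a queue manager on UNIX using the gsk7cmd tooling named above, and adds the checks a practitioner would run before submitting the CSR: the key label follows the ibmwebspheremq convention, the key size is at least 2048 bits, and the resulting CSR is verified independently with openssl. The queue manager name QM1, the /var/mqm/qmgrs/QM1/ssl path, the DN values and the KDB_PW and DRY_RUN environment variables are assumptions for illustration; DRY_RUN=1 prints the commands instead of executing them, so the script can be read on a machine without MQ.

```shell
#!/bin/sh
# Added example: key repository + CSR generation for an MQ queue manager on UNIX.
# Assumes the gsk7cmd / runmqsc tooling named on the page and an openssl binary
# for the independent CSR check. Paths and DN values are illustrative.
set -eu

# Key label convention from the page: "ibmwebspheremq" + queue manager name, lowercased.
mq_key_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Public CAs no longer issue against 1024-bit RSA keys; refuse anything under 2048.
check_key_size() {
    [ "$1" -ge 2048 ] 2>/dev/null
}

# Build the -dn argument: CN, O and C are required; at most one OU may be given.
# usage: mq_dn CN O C [OU]
mq_dn() {
    dn="CN=$1,O=$2"
    if [ "$#" -ge 4 ] && [ -n "$4" ]; then
        dn="$dn,OU=$4"
    fi
    printf '%s,C=%s\n' "$dn" "$3"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# usage: generate_csr QMGR CN O C [OU]
generate_csr() {
    qm="$1"; cn="$2"; org="$3"; country="$4"; ou="${5:-}"
    # The password is taken from the environment; note that gsk7cmd still exposes
    # it in the process list while it runs, so do this on a trusted host.
    pw="${KDB_PW:?set KDB_PW to the key database password}"
    ssl_dir="/var/mqm/qmgrs/$qm/ssl"
    kdb="$ssl_dir/key.kdb"
    label=$(mq_key_label "$qm")
    dn=$(mq_dn "$cn" "$org" "$country" "$ou")
    size=2048
    check_key_size "$size" || { echo "key size $size is too small" >&2; return 1; }

    # Step 2: create the CMS key database and stash its password to key.sth.
    run gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -expire 365 -stash
    # The MCA runs in the mqm group: it needs read access to both files.
    run chmod g+r "$kdb" "$ssl_dir/key.sth"
    # Step 3: generate the key pair and CSR under the conventional label.
    run gsk7cmd -certreq -create -db "$kdb" -pw "$pw" -label "$label" \
        -dn "$dn" -size "$size" -file "$ssl_dir/certreq.arm"
    # Point the queue manager at the repository (stem name, no .kdb extension)
    # and refresh so running channels see the change.
    mqsc="ALTER QMGR SSLKEYR('$ssl_dir/key')
REFRESH SECURITY TYPE(SSL)"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ runmqsc %s <<< %s\n' "$qm" "$mqsc"
    else
        printf '%s\n' "$mqsc" | runmqsc "$qm"
    fi
}

# Independent check of the CSR before submission: the self-signature verifies,
# the embedded key is at least WANT_BITS long and the subject CN is the one intended.
# usage: verify_csr CSR_FILE WANT_BITS WANT_CN
verify_csr() {
    csr="$1"; want_bits="$2"; want_cn="$3"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$want_bits" ] || return 1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$want_cn"
}

# Example invocation (guarded so that sourcing this file runs nothing):
#   KDB_PW=... MQ_CSR_EXAMPLE=1 sh thisfile.sh
if [ "${MQ_CSR_EXAMPLE:-0}" = 1 ]; then
    generate_csr QM1 mq.example.com "Example Corp" US IT
    verify_csr /var/mqm/qmgrs/QM1/ssl/certreq.arm 2048 mq.example.com
fi
```

Run verify_csr against certreq.arm before uploading it; a CSR whose signature does not verify, or whose key is shorter than requested, usually means the wrong key database was opened or an old request file was picked up.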