WebSphere And Tivoli Tricks: Certificate management instructions using OpenSSL for WebSphere MQ v5.3.1 on the HP NonStop Server

Thursday, April 21, 2011

Certificate management instructions using OpenSSL for WebSphere MQ v5.3.1 on the HP NonStop Server

How do I use the HP OpenSSL utility to manage SSL certificates for my Queue Manager?

Below are instructions for processing a certificate signed by a Certificate Authority using the HP NonStop Server (HPNSS) OpenSSL utility for a WebSphere MQ v5.3.1 queue manager. The example commands will need to be altered with the file names you have created. However, sample scripts have been provided to assist you; they can be found in the /opt_installation_path/opt/mqm/samp/ssl directory.
1. Create a private key.

openssl genrsa -des3 -out "server_key.pem" 1024

(The -rand option takes a file name as its argument; if you have no seed file to supply, omit the option rather than leaving it empty, otherwise -des3 is consumed as the file name.)

2. Generate a certificate request.

openssl req -new -days 365 -key "server_key.pem" -out "server_request.pem"

3. Once the request is generated, send the certificate request to a Certificate Authority (such as VeriSign, GlobalSign, etc.) for signature.

4. When the CA provides a signed certificate, use the cat command to concatenate the signed certificate and the private key into a single personal certificate file.

cat server_signed_request.pem server_key.pem > cert.pem

Files:
- server_signed_request.pem is the signed certificate returned by the CA.
- server_key.pem is the file that contains the private key.

Note:
The procedure for step 4 can be found in the create_ALICE_cert.sh script provided with the WebSphere MQ 5.3.x product.

5. Add the Signer certificate to the trust certificate(s) file.

cat rootcert.pem > trust.pem

Notes:
If a trust.pem file is already present, remove or rename it before issuing the "cat" command.

If the certificate request is signed by an intermediate certificate, the certificate chain for the signed personal certificate will need to be added to the trust.pem file: add both the root certificate and the intermediate certificate to trust.pem. Review the create_trust_file.sh script for the syntax.

6. Create a stashed password for the personal certificate file that contains the private key.

a. Export the personal certificate into PKCS #12 format.

openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem

b. Rename the resulting stash file, Stash.sth, to a name that describes its function.

mv Stash.sth QMName_Stash.sth

Instructions for creating a stashed password file are included in the WebSphere MQ v5.3 System Administration manual, and the exportcerts.sh script includes an example.

7. Make sure the trust certificate file, the personal certificate file, and the stashed password file are in the queue manager's ssl directory.

$MQNSKVARPATH/qmgrs/<Queue Manager Name>/ssl/

Review the installcerts.sh script for an example of using the cp (copy) command to place the pertinent files in the appropriate directory.

Note:
If you need to delete a CA certificate, simply edit the trust.pem file and delete that certificate. After any operation on the certificate files, always verify the result to check that the changes are correct.

The procedure to build and verify the sample configuration (setup.sh) uses the sample shell scripts and MQSC command files in the directory opt_installation_path/opt/mqm/samp/ssl.
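The whole procedure carried through in one shell function, as an added example that is not the page's own script nor one of the samp/ssl samples: a constructed self-signed test CA stands in for the commercial CA so it runs offline, "certkey" is the sample password, $1/ssl stands in for the queue manager's ssl directory, and it ends with the verification the note after step 7 calls for.

```shell
#!/bin/sh
# Added example, not the page's own script: runs the page's steps 1-7 in a
# scratch directory. A constructed self-signed test CA stands in for the
# commercial CA, "certkey" is the sample password, and $1/ssl stands in for
# the queue manager's ssl directory. Ends with the verification step 7 asks for.
set -e

build_mq_certs() {
    dir="$1"
    mkdir -p "$dir/ssl" && cd "$dir"

    # Constructed test CA (an assumption; the page sends the request to VeriSign etc.)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem -out rootcert.pem \
        -subj "/CN=Constructed Test CA" -days 365 2>/dev/null

    # Step 1: DES3-encrypted private key; the password is given so nothing prompts.
    openssl genrsa -des3 -passout pass:certkey -out server_key.pem 2048 2>/dev/null
    # Step 2: certificate request for the queue manager.
    openssl req -new -key server_key.pem -passin pass:certkey \
        -subj "/CN=QM1" -out server_request.pem
    # Step 3: the (test) CA signs the request.
    openssl x509 -req -in server_request.pem -CA rootcert.pem -CAkey ca_key.pem \
        -CAcreateserial -days 365 -sha256 -out server_signed_request.pem 2>/dev/null
    # Step 4: personal certificate file = signed certificate followed by the key.
    cat server_signed_request.pem server_key.pem > cert.pem
    # Step 5: trust file = signer certificate(s); any old trust.pem is removed first.
    rm -f trust.pem
    cat rootcert.pem > trust.pem
    # Step 6a: PKCS #12 export, chain built from trust.pem (the page's command).
    openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 \
        -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem
    # Step 7: copy the three files into the ssl directory.
    cp cert.pem trust.pem personal_cert.p12 ssl/

    # Verification: the personal certificate must chain to trust.pem and the
    # PKCS #12 must open with the password (a wrong trust file fails here).
    openssl verify -CAfile ssl/trust.pem server_signed_request.pem
    openssl pkcs12 -in ssl/personal_cert.p12 -passin pass:certkey -noout
}
```

Run it as `build_mq_certs /tmp/qm1-certs`; because of `set -e`, any step that fails (an unreadable key, a trust file that does not contain the signer) stops the function before the files are copied.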
