Create a Certificate Signing Request for IBM WebSphere MQ

To generate a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match your private key. You will have to replace the SSL Certificate and may be charged.

The CSR needs to contain the following attributes:

Common Name – Must match the URL you plan to secure exactly – is usually your fully-qualified domain name (e.g. devel.ssl247.ie or mail.devel.ssl247.ie). Remember the www. Is important – include it if you want to secure https://www.yoursite.com & exclude it if you want to secure https://yoursite.com.
Organisation - The legal (officially registered) name of your organization/company include Inc., LLP., Pvt, Plc. Ltd. SARL., etc.
Organisational unit - The name of your department within the organization (this is often "IT," "Web," or is just left blank).
City/locality - The city or town in which your organization is located.
State/province - The state in which your organization is located.
Country - Click here for the official list of ISO country codes for this field.



Note: GeoTrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

We recommend that you contact IBM for additional information.

Step 1: Preparing your system to use the iKeyman utility.

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
    Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system.
  2. Be sure to set the following:
    • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
    • Ensure that the user's path contains /usr/bin.
    • Set the JAVA_HOME environment variable:

      1. AIX: export JAVA_HOME =/usr/mqm/ssl/jre
      2. HP-UX: export JAVA_HOME =/opt/mqm/ssl
      3. Linux: export JAVA_HOME =/opt/mqm/ssl/jre
      4. Solaris: export JAVA_HOME =/opt/mqm/ssl

Step 2: Setting up a key repository.

  1. Open the iKeyman GUI, or use the UNIX or Windows command line to do one of the following:

    Using the iKeyman GUI:
    Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values forFile Name and Location, and set a password.

    Using iKeycmd (UNIX command line):
    Use these commands:
    gsk7cmd -keydb -create -db filename -pw password -type cms -expire days –stash

    Using iKeycmd (Windows command line):
    Use these commands:
    runmqckm -keydb -create -db filename -pw password -type cms -expire days –stash where:
    • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
    • -pw password is the password for the CMS key database, with an extension .cms.
    • -type cms is the type of database.
    • -expire days is the expiration time in days of the database password. The default is 60 days.
    • -stash tells iKeycmd to stash the key database password to a file.

On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set to give access only to the user ID from which you used iKeyman or iKeycmd.

  1. If you are running UNIX, run chmod to give access to an MCA. For example:
  • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb
  • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth
  1. If you are running a queue manager, change the key repository location. For example:
  • ALTER QMGR SSLKEYR ('/var/mqm/qmgrs/QM1/ssl/MyKey')

Step 3: Generating a CSR.

Using the iKeyman GUI

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
  2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and selectCMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the appropriate key database file, for example key.kdb.
  5. Click Open.
  6. Type the key database password and click OK.
  7. Click New Certificate Request from the Create menu.
  8. Type the following in the Key Label field:
  • For a queue mananger, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
  • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.
  1. Type values for Common Name, Organization, Organizational Unit, City/Locality, State/Province and select a Country from the list.
  2. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
  3. Click OK. When the confirmation window displays, click OK again.
  4. The file you created contains the CSR. Submit the CSR to GeoTrust.

Using iKeycmd (command line interface)

  1. To generate a CSR in iKeycmd (using UNIX command line), use these commands:
  • gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size-file filename

To generate a CSR in iKeycmd (using Windows command line), use these commands:

  • runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size-file filename

where:

  • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
  • -pw password is the password for the CMS key database, with an extension .cms.
  • -label label is the key label attached to the certificate.
  • -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that Common Name,Organization, Organizational Unit, City/Locality, State/Province and Country attributes are required.
  • -size key_size is the key size. The value should be 2048.
  • -file filename is the filename for the certificate request.