
IBM MQ - SSL Config for Multiple Queue Managers

In my IBM MQ installation, I have multiple queue managers for which I need to enable SSL.

I've been following this blog and successfully configured SSL to a single queue manager.

If I have more than 1 queue manager, do I need to have a dedicated keystore for each queue manager?

Is there a way to have a global/common keystore and enable SSL for all the queue managers using that keystore?

I have this question because the blog says:

"A word about the certificate label here. Default name for this certificate is in the form of: 'ibmwebspheremq' + 'queue manager name' (all lower case) In our case this becomes: 'ibmwebpsheremqmyqm01'"

Any guidance would be very much helpful.

IBM MQ v 9.1

The answer, like for many of these questions, is that it depends. If you can send the keystore files around to each machine securely, then you could have the same files for all of your queue managers. If you do it insecurely, then people could take a copy of your keystores and impersonate you, and see all your traffic.

If you have your private certificate in an external HSM (think Secure USB store), you cannot get the private key to another machine, and so you will have to get a machine unique certificate.

You can use CERTLABL(...) to specify the name of the certificates in the keystore.

I've just (today) put up some blog posts about TLS on midrange. See https://colinpaice.blog/2021/02/13/which-cipher-spec-and-certificate-type-should-i-use-for-the-mq-server-tls-1-2

When Queue Managers are on the same machine, then you can use the same keystore for all your Queue Managers. You can just specify the same file in the SSL config of the Queue Managers. For example:-

ALTER QMGR SSLKEYR('/central/ssl/key')

The different Queue Managers will find their personal certificate based on the label of the cert. That's what that quote is about. For example:-

On Queue Manager MQG1

DISPLAY QMGR CERTLABL

QMNAME(MQG1)       CERTLABL(ibmwebspheremqmqg1)

On Queue Manager MQG2

DISPLAY QMGR CERTLABL

QMNAME(MQG2)       CERTLABL(ibmwebspheremqmqg2)

These are the names that the queue manager will look for in the keystore by default. As you can see they are different for each queue manager and so can happily co-exist in the same keystore. If you want to choose different labels for the certificates, just alter the CERTLABL attribute of each Queue Manager.
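As an added illustration of the shared-keystore approach above (this is not code from the question, the answers or IBM MQ itself), the following script derives the default certificate label for each queue manager, generates the per-queue-manager MQSC to point at one common keystore, and checks that labels in a shared keystore cannot collide. It assumes only the label rule quoted in the question ('ibmwebspheremq' + lower-cased queue manager name) and the SSLKEYR/CERTLABL attributes shown in the answers; the keystore listing is a constructed approximation of `runmqakm -cert -list` output.

```python
# Added example: plan a shared keystore for several queue managers.
# Not part of the original post; the listing format below is constructed.

DEFAULT_PREFIX = "ibmwebspheremq"


def default_cert_label(qmgr_name: str) -> str:
    """Default CERTLABL: 'ibmwebspheremq' + queue manager name in lower case."""
    return DEFAULT_PREFIX + qmgr_name.lower()


def plan_shared_keystore(qmgr_names, keystore_path, labels=None):
    """Return {qmgr: (label, mqsc)} for queue managers sharing one keystore.

    Raises ValueError when two queue managers resolve to the same label, which
    happens when their names differ only in case (labels are lower-cased).
    """
    labels = dict(labels or {})
    plan, seen = {}, {}
    for qm in qmgr_names:
        label = labels.get(qm, default_cert_label(qm))
        if label in seen:
            raise ValueError(f"{qm} and {seen[label]} both map to label {label!r}")
        seen[label] = qm
        # SSLKEYR is the keystore path without the .kdb suffix; the label is
        # quoted so MQSC keeps its lower-case spelling.
        mqsc = f"ALTER QMGR SSLKEYR('{keystore_path}') CERTLABL('{label}')"
        plan[qm] = (label, mqsc)
    return plan


def labels_in_keystore(listing: str) -> set:
    """Collect labels from a 'runmqakm -cert -list' style listing (assumed
    format: one marker character, then the label); the legend line is skipped."""
    found = set()
    for line in listing.splitlines():
        line = line.strip()
        if line[:1] in "*-!#" and len(line) > 1 and ", - personal" not in line:
            found.add(line[1:].strip())
    return found


def missing_labels(plan, listing):
    """Queue managers whose personal certificate label is absent from the keystore."""
    present = labels_in_keystore(listing)
    return sorted(qm for qm, (label, _) in plan.items() if label not in present)


# Constructed listing of a shared keystore /central/ssl/key.kdb (MQG3 has no cert yet)
SAMPLE_LISTING = """Certificates found
* default, - personal, ! trusted, # secret key
-\tibmwebspheremqmqg1
-\tibmwebspheremqmqg2
!\tinternal-ca
"""

if __name__ == "__main__":
    p = plan_shared_keystore(["MQG1", "MQG2", "MQG3"], "/central/ssl/key")
    for qm, (_, cmd) in p.items():
        print(f'echo "{cmd}" | runmqsc {qm}')
    print("no personal cert in keystore:", missing_labels(p, SAMPLE_LISTING))
```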
