Net Express 5.1
Connecting to IBM MQ using IBM MQ Client library.
We have a couple of IBM MQ connections working ok, but a vendor now requires us to store the SSL certificate in the IBM MQ Keystore with a password.
What I need to know is where in the IBM MQ structures (copy books) can I define the password for the Keystore.
An example would be much appreciated.
My understanding - I haven't had to do this myself - is that for non-Java clients, the standard MQ mechanism for supplying the passphrase for the private key is to use IBM's KDB mechanism. That converts the keystore into a number of separate files, which should be placed into a single directory and pointed to by an environment variable. One of the files contains the passphrase in an obfuscated format. The system administrator is meant to restrict access to the files using filesystem permissions to reduce the chance of exposing the private key.
See for example this StackOverflow thread:
community.microfocus.com/.../enterprise-server-security-fixes-july-2017
Note that providing access to the private key, whether using a keystore and passphrase or some other mechanism, is one of the classic problems of cryptographic systems. There's no solution that meets everyone's needs. While having an obfuscated passphrase in a file on the client system is not ideal, the more-secure alternatives require human interaction (e.g. entering a passphrase at system startup) or specialized hardware (HSMs and the like), which still only defer the problem.
Hi Michael
Many thanks for your reply, after a bit more investigation we found the problem, the password was a bit of a red herring.
The actual problem was that the MQCONNX call was using the service user ID the task was running under, and this was not matching the one generated in the certificate. We made sure the task was running under the user ID expected for the certificate, and the TLS/SSL handshake worked perfectly.
Many Thanks
Richard
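The following is an added example, not code from either post in this thread. It turns the two practical points above into a pre-flight check that can be run from the service account before the COBOL task starts: Michael's point that the KDB key repository is a set of files (key.kdb plus the key.sth stash file holding the obfuscated passphrase) that must be locked down with filesystem permissions, and Richard's finding that the client must run under the user ID the certificate was generated for. The repository is located by the MQSSLKEYR environment variable (or the MQSCO KeyRepository field when set in the MQCONNX structures), given as a path stem without extension, and the client looks for the personal certificate under the default label ibmwebspheremq followed by the lower-case user ID of the running process. The paths, the service user name and the runmqakm invocations in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks for an IBM MQ
# client key repository in CMS/KDB form. MQ finds it through MQSSLKEYR (or the
# MQSCO KeyRepository field), given as a path *stem*: /var/mqm/ssl/key names
# key.kdb, key.sth, key.rdb and key.crl. The .sth stash file carries the
# obfuscated passphrase, so only filesystem permissions protect the private key.
# Creating it with IBM's runmqakm (assumed paths; shown here, not run):
#   runmqakm -keydb -create -db key.kdb -pw '<passphrase>' -type cms -stash
#   runmqakm -cert -add -db key.kdb -stashed -label vendorca -file vendor-ca.arm

# Default certificate label the MQ client looks for:
# "ibmwebspheremq" followed by the lower-case user ID of the running process.
mq_expected_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Group/other permission bits of a file, e.g. "------" for mode 600.
_mq_group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# mq_keyrepo_check STEM USER
# Returns 0 if STEM.kdb and STEM.sth exist, are owned by USER and are readable
# by nobody else; otherwise prints each problem found and returns 1.
mq_keyrepo_check() {
    stem=$1; user=$2; rc=0
    for ext in kdb sth; do
        f="$stem.$ext"
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # POSIX find -user prints the path only when the owner matches.
        if [ -z "$(find "$f" -user "$user" -print 2>/dev/null)" ]; then
            echo "not owned by $user: $f"; rc=1
        fi
        if [ "$(_mq_group_other_bits "$f")" != "------" ]; then
            echo "group/other access allowed: $f (chmod 600 it)"; rc=1
        fi
    done
    return $rc
}

# Usage from the service account, before starting the COBOL task
# (assumed stem /var/mqm/ssl/key):
#   export MQSSLKEYR=/var/mqm/ssl/key
#   mq_keyrepo_check "$MQSSLKEYR" "$(id -un)" || exit 1
#   echo "client certificate label expected: $(mq_expected_cert_label "$(id -un)")"
```

The ownership check is the programmatic form of Richard's fix: if the task is started under a different service ID than the one the repository and certificate were prepared for, the script reports it before MQCONNX ever attempts the TLS handshake. The label helper only tells you what label MQ will search for; confirming that the label is actually present still needs runmqakm -cert -list against the repository.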