IBM IIB – Self-signed certificate

Below are the keytool commands to create a self-signed certificate and the mqsichangeproperties commands that make the broker use it. The exported certificate (the public part, not the private key) is what you share with service consumers so that they can trust the HTTPS services hosted in the broker. Before running the commands, read about keystores, self-signed certificates, the difference between a keystore and a truststore, and the basics of SSL/TLS.

Create keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -storepass password -validity 360 -keysize 2048

After executing the above command, keytool prompts for the certificate's distinguished name. At the "first and last name" prompt enter the host name that consumers will use in the service URL, because that value becomes the CN that clients check against the host they connected to. At the final key password prompt, press Return to reuse the keystore password; whatever you choose here must match the keypass property set further down.

Export the broker's public certificate from the keystore. This is the file to hand to consumers:

keytool -export -alias selfsigned -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -file "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\selfsigned.arm"


Create truststore and import trust certificate

keytool -import -alias selfsigned -file "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\selfsigned.arm" -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\truststore.jks" -storepass password


Copy the keystore (certificate plus private key) for a consumer
keytool -importkeystore -srckeystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -destkeystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\key.jks" -deststoretype jks

This command copies every entry of Keystore.jks, the private key included, into key.jks. Hand key.jks to a consumer only if that consumer is meant to present the broker's own identity as its client certificate; anyone holding it can impersonate the broker. For plain server-side SSL, distribute selfsigned.arm alone. The safer layout for client authentication is for each consumer to generate its own key pair and send you only its certificate, which you then import into truststore.jks.

You now have a keystore (private key plus certificate), a truststore (trusted certificates), the exported certificate selfsigned.arm (which goes into truststores) and key.jks (the certificate together with its private key).

Run the commands below to make the broker-wide HTTP listener use the certificate for all HTTPS connections. The two ExecutionGroup settings switch the SOAP and HTTP nodes in execution group EGName from the execution group's embedded listener to the broker-wide listener, which is the one the HTTPSConnector properties configure.

mqsichangeproperties brokerName -b httplistener -o HTTPListener -n enableSSLConnector -v true

Note: change the HTTPS port only if required. Setting clientAuth to true turns on mutual TLS: every consumer must present a certificate that is present in truststore.jks, so leave it false if consumers authenticate some other way.
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n port -v 7085
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n clientAuth -v true
mqsichangeproperties brokerName -e EGName -o ExecutionGroup -n soapNodesUseEmbeddedListener -v false
mqsichangeproperties brokerName -e EGName -o ExecutionGroup -n httpNodesUseEmbeddedListener -v false
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keystoreFile -v "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks"
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n truststoreFile -v "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\truststore.jks"
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keystorePass -v password
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n truststorePass -v password
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keyAlias -v selfsigned
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keypass -v password

Note: the broker must be restarted for the listener changes to take effect:
mqsistop brokerName
mqsistart brokerName

Note: run the command below to list the HTTPSConnector properties and confirm that the values above were applied:
mqsireportproperties brokerName -b httplistener -o HTTPSConnector -a
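As an added example, not part of the original post, here is the whole procedure as a PowerShell script with the changes a reviewer would ask for: a non-interactive keytool call that puts the broker host name in both the CN and the SAN, stores kept outside the JRE directory, different passwords for keystore and truststore, a consumer's certificate imported into the truststore instead of the broker's own, and a verification step at the end. The host name broker.example.com, the consumer name consumer1, the directory C:\IBM\MQSI\ssl\BrokerName and the consumer1.arm file are assumptions; the script expects to run in an IIB Command Console (mqsiprofile applied) so that keytool and the mqsi commands are on the PATH.

```powershell
# Added example, not from the original post. Assumptions (not in the original):
# host name broker.example.com, consumer name consumer1, store directory
# C:\IBM\MQSI\ssl\BrokerName, a consumer1.arm file received from the consumer,
# and an IIB Command Console (mqsiprofile applied) so that keytool and the
# mqsi commands are on the PATH.
$ErrorActionPreference = 'Stop'

$Broker       = 'brokerName'
$EG           = 'EGName'
$BrokerHost   = 'broker.example.com'           # the host consumers put in the URL
$CertDir      = 'C:\IBM\MQSI\ssl\BrokerName'   # outside the JRE tree, so fix packs leave it alone
$Keystore     = Join-Path $CertDir 'Keystore.jks'
$Truststore   = Join-Path $CertDir 'truststore.jks'
$BrokerCert   = Join-Path $CertDir 'selfsigned.arm'
$ConsumerCert = Join-Path $CertDir 'consumer1.arm'   # received from the consumer (assumed)

# Different secrets for the two stores, read at run time rather than hard-coded.
$KeystorePass   = Read-Host -Prompt 'Keystore password'
$TruststorePass = Read-Host -Prompt 'Truststore password'

function Invoke-Native {
    # Run an external command (first argument) and stop if it exits non-zero;
    # keytool and the mqsi commands report errors through the exit code.
    $exe  = $args[0]
    $rest = @($args | Select-Object -Skip 1)
    & $exe @rest
    if ($LASTEXITCODE -ne 0) { throw "$exe failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $CertDir | Out-Null

# 1. Broker key pair. -dname avoids the interactive prompts; CN and SAN both
#    carry the host name so that clients' hostname checks succeed.
Invoke-Native keytool -genkeypair -alias selfsigned -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname "CN=$BrokerHost, OU=IIB, O=Example" -ext "san=dns:$BrokerHost" -validity 365 `
    -keystore $Keystore -storepass $KeystorePass -keypass $KeystorePass

# 2. Export the public certificate only. This file, and nothing else from the
#    keystore, is what consumers receive.
Invoke-Native keytool -exportcert -alias selfsigned -keystore $Keystore -storepass $KeystorePass -file $BrokerCert

# 3. Truststore for clientAuth: it holds the consumers' certificates, not the
#    broker's own. Each consumer generates its own key pair and sends back its
#    certificate; the consumer's private key never leaves the consumer.
#    On the consumer side (not run here):
#      keytool -genkeypair -alias consumer1 -keyalg RSA -keysize 2048 -dname "CN=consumer1" -keystore consumer1.jks
#      keytool -exportcert -alias consumer1 -keystore consumer1.jks -file consumer1.arm
#      keytool -importcert -noprompt -alias broker -file selfsigned.arm -keystore consumer-truststore.jks
Invoke-Native keytool -importcert -noprompt -alias consumer1 -file $ConsumerCert `
    -keystore $Truststore -storepass $TruststorePass

# 4. Point the broker-wide HTTPS listener at the stores (same properties as in the post).
Invoke-Native mqsichangeproperties $Broker -b httplistener -o HTTPListener -n enableSSLConnector -v true
$Props = [ordered]@{
    port           = '7085'
    clientAuth     = 'true'
    keystoreFile   = $Keystore
    keystorePass   = $KeystorePass
    truststoreFile = $Truststore
    truststorePass = $TruststorePass
    keyAlias       = 'selfsigned'
    keypass        = $KeystorePass
}
foreach ($name in $Props.Keys) {
    Invoke-Native mqsichangeproperties $Broker -b httplistener -o HTTPSConnector -n $name -v $Props[$name]
}
# Route the execution group's SOAP and HTTP nodes through the broker-wide listener.
foreach ($name in 'soapNodesUseEmbeddedListener', 'httpNodesUseEmbeddedListener') {
    Invoke-Native mqsichangeproperties $Broker -e $EG -o ExecutionGroup -n $name -v false
}

Invoke-Native mqsistop $Broker
Invoke-Native mqsistart $Broker

# 5. Verify: the keystore holds a PrivateKeyEntry for 'selfsigned' with the
#    expected CN and SAN, the truststore holds trustedCertEntry items, and the
#    listener reports the values just set.
Invoke-Native keytool -list -v -alias selfsigned -keystore $Keystore -storepass $KeystorePass
Invoke-Native keytool -list -keystore $Truststore -storepass $TruststorePass
Invoke-Native mqsireportproperties $Broker -b httplistener -o HTTPSConnector -a
```

The passwords still travel on the keytool and mqsichangeproperties command lines, where any local user who can list processes may see them for the moment the command runs; if that matters on your host, omit -storepass and let keytool prompt instead. Consumers verify the result by calling the HTTPS URL with selfsigned.arm in their truststore and their own key pair as the client certificate; a consumer without a certificate in truststore.jks is rejected during the handshake because clientAuth is true.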

