IBM IIB – Self-signed certificate

Below are the commands to create a self-signed certificate with keytool and to use it in the broker. The certificate created here should be shared with service consumers in order to secure the services hosted in the broker. Before running the commands, read about keystores, self-signed certificates, the difference between a keystore and a truststore, and the basics of SSL.

Create keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -storepass password -validity 360 -keysize 2048

After executing the above command, provide the required details for the certificate and keystore.

Export the trust certificate from the keystore.

keytool -export -alias selfsigned -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -file "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\selfsigned.arm"


Create the truststore and import the trust certificate

keytool -import -alias selfsigned -file "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\selfsigned.arm" -keystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\truststore.jks" -storepass password


Export the key for the consumer
keytool -importkeystore -srckeystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks" -destkeystore "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\key.jks" -deststoretype jks

Now we have the keystore, the truststore, the trust certificate (which goes into the truststore) and the certificate with its key.
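As an added example, not from the original post: a stdlib-only Python script that a consumer or operator can run against the exported selfsigned.arm (keytool -export writes DER) to convert it to PEM for non-Java clients and to compute how many days remain in the 360-day validity window, after which every consumer needs the replacement certificate. The certificate bytes at the bottom are a constructed sample with empty names and key, not real keytool output.

```python
import datetime as dt
import ssl


def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    _, cert, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)              # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _time(t1, nb), _time(t2, na)


def days_remaining(der, now_iso=None):
    """Whole days until notAfter; now_iso ('YYYY-MM-DDTHH:MM:SS', UTC) overrides the clock."""
    now = (dt.datetime.fromisoformat(now_iso).replace(tzinfo=dt.timezone.utc)
           if now_iso else dt.datetime.now(dt.timezone.utc))
    return (cert_validity(der)[1] - now).days


def der_to_pem(der):  # PEM form of the .arm file for non-Java consumers (curl, openssl)
    return ssl.DER_cert_to_PEM_cert(der)


def _der(tag, body):  # tiny DER encoder, used only to build the constructed sample below
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed sample: tbsCertificate skeleton whose validity is 360 days, as with -validity 360.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"241226000000Z"))
    + _der(0x30, b"") + _der(0x30, b"")) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

To use it on the real file, read selfsigned.arm in binary mode and pass the bytes to `days_remaining` and `der_to_pem`.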

Execute the commands below to make the broker use the certificate for all HTTPS connections.

mqsichangeproperties brokerName -b httplistener -o HTTPListener -n enableSSLConnector -v true

Note: Change the HTTPS port only if required.
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n port -v 7085
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n clientAuth -v true
mqsichangeproperties brokerName -e EGName -o ExecutionGroup -n soapNodesUseEmbeddedListener -v false
mqsichangeproperties brokerName -e EGName -o ExecutionGroup -n httpNodesUseEmbeddedListener -v false
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keystoreFile -v "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\Keystore.jks"
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n truststoreFile -v "C:\IBM\MQSI\8.0.0.4\jre16\lib\security\BrokerName\truststore.jks"
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keystorePass -v password
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n truststorePass -v password
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keyAlias -v selfsigned
mqsichangeproperties brokerName -b httplistener -o HTTPSConnector -n keypass -v password

Note: The broker must be restarted for the changes to take effect.
mqsistop brokerName
mqsistart brokerName

Note: Execute the command below to view the properties set by the commands above.
mqsireportproperties brokerName -b httplistener -o HTTPSConnector -a


Error in starting the Broker (IIB)

Here is a quick solution to the problem faced while starting an IIB Message Broker.

Error:

C:\IBM\MQSI\8.0.0.4>mqsistart MyBroker

BIP8015E: The component cannot be started.

The command cannot start the required component.

The possible causes of this error are: insufficient user ID permissions; lack of system resources (not enough memory); the WebSphere MQ environment is not configured correctly for the user who is running the command (for example, the mqm library is missing from the user’s path).

Cause:

Yet to figure out (will add soon).

Solution:

  1. Create a local user

Open Administrative Tools -> Computer Management -> Local Users and Groups.

Right-click on Users -> New User, enter the details and click Create.

Screenshot: Creating user

  2. Add the user to the mqm and Administrators groups.

Right-click on the newly created user -> Properties -> Member Of -> Add -> Advanced

Screenshot: Adding to group

Click the Find Now button and select the groups.

  3. Tell the broker service to use this newly created user when starting.

Open Task Manager -> Services -> Services (button with the Admin symbol)

Screenshot: Broker Properties

Right-click on the IBM WebSphere Message Broker service and select Properties.

In the Log On tab, select 'This account' and click Browse to select the created user.

Once the window below appears, click Advanced and then Find Now to see the list of users on the system, as shown in the screenshots below.

Screenshot: Selecting groups

Screenshot: Selecting groups

Select the newly created user and enter the password.

Screenshot: Selecting user

Done. The broker can now be started with the new user.