This is what I did, but in a Windows environment.

Make sure this PTF is on if you are exporting PKCS12 certs:

UW94302/OW56418

We need to create the CA certificate on z/OS using RACF so that z/OS can be a certificate authority.

Windows queue manager: MQSN
z/OS queue manager: SEDQ

First I created a RACF userid for the CHINIT.

//SxxxxxxA JOB (0,0),'TSO',MSGLEVEL=(1,1),
// CLASS=B,MSGCLASS=X,NOTIFY=SXXXXX,REGION=1024K
//* UID(0) gives the started task UNIX superuser; TRUSTED lets it
//* bypass most RACF authorization checks. Both are broad grants.
//ADDRACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
DELUSER SEDQCHIN
ADDUSER SEDQCHIN OWNER(SSF) DFLTGRP(SYS1) +
  NOPASSWORD OMVS(UID(0) PROGRAM(/bin/sh) +
  HOME(/SEDQCHIN))
RDEFINE STARTED SEDQCHIN.** STDATA(USER(SEDQCHIN) +
  TRUSTED)
SETROPTS RACLIST(STARTED) REFRESH
/*

 

Second I created a RACF userid for the Windows box. In order to create and sign a cert for a Windows qmgr called MQSN, we need to create a userid.

//SxxxxxxA JOB (0,0),'TSO',MSGLEVEL=(1,1),
// CLASS=B,MSGCLASS=X,NOTIFY=SxxxxxxW,REGION=1024K
//ADDRACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
DELUSER MQSN
ADDUSER MQSN OWNER(SSF) DFLTGRP(SYS1) +
  NOPASSWORD OMVS(UID(0) PROGRAM(/bin/sh) HOME(/u/MQSN))
RDEFINE STARTED MQSN.** STDATA(USER(MQSN) +
  GROUP(SYS1) TRUSTED)
SETROPTS RACLIST(STARTED) REFRESH
/*

 

Give the CHINIT access to the keyring:

 

//SxxxxxxA JOB (0,0),'TSO',MSGLEVEL=(1,1),
// CLASS=B,MSGCLASS=X,NOTIFY=SxxxxxW,REGION=1024K
//ADDRACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING +
  CLASS(FACILITY) ID(SEDQCHIN) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST +
  CLASS(FACILITY) ID(SEDQCHIN) ACCESS(CONTROL)
SETROPTS RACLIST(FACILITY) REFRESH
/*

 

To create the CA certificate on RACF that will be used to sign incoming certificate requests (top of the certificate chain), we used the following RACDCERT command. The WITHLABEL contents are used on the GENCERT command that we use when signing other certificate requests.

I ran this command to make RACF a certificate authority:

RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('Your Company Name') OU('HQ') O('Your Company Name') +
  L('San Antonio') SP('Texas') C('US')) +
  KEYUSAGE(CERTSIGN) WITHLABEL('SS1 Local CERT Authority')

 

Generate and sign the Windows certificate:

RACDCERT ID(MQSN) GENCERT +
  SUBJECTSDN(CN('MQSIN.xxxxx.org') OU('MIS') O('Your Company Name') +
  L('San Antonio') SP('Texas') C('US')) +
  WITHLABEL('ibmwebspheremqmqsn') +
  SIGNWITH(CERTAUTH LABEL('SS1 Local CERT Authority')) +
  KEYUSAGE(HANDSHAKE DATAENCRYPT)

 

If you get "IRRD113I The certificate that you are creating has an incorrect date range. The certificate is added with NOTRUST status.", then run:

RACDCERT ID(MQSN) ALTER(LABEL('ibmwebspheremqmqsn')) TRUST

Now export the CA certificate for Windows:

RACDCERT ID(MQSN) EXPORT(LABEL('ibmwebspheremqmqsn')) +
  DSN('XXXX.MQ.MQSN.CERT') FORMAT(PKCS12DER) PASSWORD('xxxxxxxx')

The exported file is FTPed to the Windows box and then imported into the queue manager under the SSL tab. I don't know what Unix uses, but try Windows first; then you at least know that your environment works.

We now need certificates for the z/OS systems to use, one for each channel initiator.

We will create private certificates for the SEDQ queue manager's CHINIT; the user ID of each CHINIT is required on its certificate.

RACDCERT ID(SEDQCHIN) GENCERT +
  SUBJECTSDN(CN('SEDQ SS1') OU('HQ') O('Your Company Name') +
  L('San Antonio') SP('Texas') C('US')) +
  WITHLABEL('ibmWebSphereMQSEDQ') +
  SIGNWITH(CERTAUTH LABEL('SS1 Local CERT Authority')) +
  KEYUSAGE(HANDSHAKE DATAENCRYPT)

Important: ensure that the SUBJECTSDN for each QMGR is unique.

If you get "IRRD113I The certificate that you are creating has an incorrect date range. The certificate is added with NOTRUST status.", then run:

RACDCERT ID(SEDQCHIN) ALTER(LABEL('ibmWebSphereMQSEDQ')) TRUST

 

Now we will create the keyring. One should be created for each queue manager.

RACDCERT ID(SEDQCHIN) ADDRING(SEDQRING)

 

Now we need to add the CA certificate to the ring:

RACDCERT ID(SEDQCHIN) CONNECT(CERTAUTH LABEL('SS1 Local CERT Authority') +
  RING(SEDQRING) USAGE(CERTAUTH))

 

Now we need to add the CHINIT certificate to SEDQRING:

RACDCERT ID(SEDQCHIN) CONNECT(ID(SEDQCHIN) LABEL('ibmWebSphereMQSEDQ') +
  RING(SEDQRING) USAGE(PERSONAL))

 

The ring and its certificates can be listed with the following command:

RACDCERT ID(SEDQCHIN) LISTRING(SEDQRING)

 

On z/OS

I changed the queue manager object on the queue manager so it has the correct KEYRING specified on the SSLKEYR attribute, and specified a number of SSL tasks to be started:

/SEDQ ALTER QMGR SSLKEYR(SEDQRING) SSLTASKS(5)

The CHINIT needs to be restarted for this to take effect.

/SEDQ STOP QMGR
/SEDQ START QMGR PARM(SEDQZPRM)
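The post exports the MQSN certificate as a PKCS12 bundle, transfers it and imports it on the Windows side, with the advice to get Windows working first so you know the environment is sound. The following is an added example, not code from the original post: it uses openssl to build a local stand-in for the RACF CA, the CA-signed MQSN certificate and the PKCS12DER export (same subject names, same key usages, the label ibmwebspheremqmqsn as the friendly name), and then runs the checks worth doing on the received bundle before importing it: that the password opens it, that the personal certificate chains to the CA, that the friendly name is the label the queue manager will look up, that key usage covers the TLS handshake, and that the certificate is not already expired (the situation behind the IRRD113I date-range message). Key sizes, validity periods, the password, the work directory and the CA certificate being available as a separate file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): local openssl stand-in for the
# RACF-issued PKCS12 bundle, plus pre-import checks on it. Names follow the
# post; key sizes, validity, password and work directory are assumptions.
set -eu
command -v openssl >/dev/null || { echo 'openssl not found' >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
P12PASS='changeit'            # stands in for PASSWORD('xxxxxxxx') on RACDCERT EXPORT
LABEL='ibmwebspheremqmqsn'    # the WITHLABEL value; MQ looks the cert up by this name

build_bundle() {
    # CA key and self-signed CA certificate: the openssl equivalent of
    # RACDCERT CERTAUTH GENCERT ... KEYUSAGE(CERTSIGN)
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -out "$WORK/ca.csr" \
        -subj '/C=US/ST=Texas/L=San Antonio/O=Your Company Name/OU=HQ/CN=SS1 Local CERT Authority'
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

    # Queue manager key and CA-signed certificate: the equivalent of
    # RACDCERT ID(MQSN) GENCERT ... SIGNWITH(CERTAUTH ...) KEYUSAGE(HANDSHAKE DATAENCRYPT)
    openssl genrsa -out "$WORK/mqsn.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/mqsn.key" -out "$WORK/mqsn.csr" \
        -subj '/C=US/ST=Texas/L=San Antonio/O=Your Company Name/OU=MIS/CN=MQSIN.xxxxx.org'
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 365 -in "$WORK/mqsn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/mqsn.pem" 2>/dev/null

    # PKCS12 export: private key, personal cert under the MQ label, CA cert in the bag.
    # This is the shape FORMAT(PKCS12DER) PASSWORD(...) produces on RACF.
    openssl pkcs12 -export -inkey "$WORK/mqsn.key" -in "$WORK/mqsn.pem" \
        -certfile "$WORK/ca.pem" -name "$LABEL" -passout "pass:$P12PASS" \
        -out "$WORK/mqsn.p12"
}

# Checks to run on the received bundle. Prints OK, or a one-word reason and returns 1.
check_bundle() {
    p12="$WORK/mqsn.p12"
    leaf="$WORK/leaf_from_p12.pem"
    # 0. The password must open the bundle; pull out the personal certificate only
    openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -nokeys -clcerts \
        -out "$leaf" 2>/dev/null || { echo BADPASSWORD; return 1; }
    # 1. The personal certificate must verify against the CA that is supposed to have signed it
    openssl verify -CAfile "$WORK/ca.pem" "$leaf" >/dev/null 2>&1 \
        || { echo BADCHAIN; return 1; }
    # 2. The friendly name must be the label the queue manager will search for
    openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -info -nokeys 2>/dev/null \
        | grep -q "friendlyName: $LABEL" || { echo BADLABEL; return 1; }
    # 3. Key usage must cover the TLS handshake (HANDSHAKE DATAENCRYPT on RACF)
    openssl x509 -in "$leaf" -noout -text \
        | grep -q 'Digital Signature, Key Encipherment' || { echo BADKEYUSAGE; return 1; }
    # 4. The certificate must not already be past its notAfter date
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null || { echo EXPIRED; return 1; }
    echo OK
}

build_bundle
check_bundle
```

Against a real bundle from RACF you would skip build_bundle, point WORK at the directory holding the transferred file, and supply the CA certificate separately (for instance from a CERTAUTH export of the CA label, or pulled out of the same PKCS12 with -cacerts -nokeys); the check_bundle steps are the same. Transfer the PKCS12 in binary mode, since a text-mode FTP will corrupt the DER and the first check will fail as BADPASSWORD even though the password is right.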

 

 


________________________________

From: MQSeries List [mailto:[EMAIL PROTECTED] On
Behalf Of Cergol, Jerry
Sent: Friday, July 29, 2005 11:38 AM
To: [email protected]
Subject: WMQ Encryption



I run z/OS WMQ 5.3.1 and all of my QMGR's are either on my z/OS systems
or some Sun Unix Solaris platforms.  All of the QMGR's that I deal with
are internal to my organization. 

I have a requirement to message with a QMGR on a remote Unix system in another organization. The difference will be the requirement for encryption, which has not been a previous requirement for any of my internal QMGRs.

And what makes this scenario a problem instead of a normal "research &
implement" sequence is that this all needs to be defined and operational
by August 8th, 2005.  

So is there a cookbook recipe for defining, setting up and establishing WMQ messaging with encryption, or will I have to consider writing my own channel exits? Is there a quick way to do this with existing WMQ parms/settings?


Jerry Cergol 
Cleveland Clinic Foundation 
17325 Euclid Avenue 
Cleveland, Ohio 44112 
I T Division - Parker Building 
IBM Mainframe Technical Support 
Location CL31-52   tel:+1.216.738.4620 
Pager 20492     [EMAIL PROTECTED] 

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com 
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
