[AIX, Linux, Windows]

Changing the certificate presented by the IBM MQ Console to your browser

You can configure the IBM® MQ Console to present a CA-signed certificate for authentication purposes. If you configure the IBM MQ Console to present a CA-signed certificate, the browser no longer presents the self-signed certificate warning when the IBM MQ Console is accessed.

About this task

Security for the IBM MQ Console is provided by the mqweb server that runs the IBM MQ Console. To change the certificate that the mqweb server presents to your browser, first add the new certificate to the mqweb server keystore. Then edit the security configuration in the mqwebuser.xml file to specify the certificate that the server presents.

The procedure makes the following assumptions:
  • You are a privileged user.
  • You are using an AIX®, Linux®, or Windows system.
  • Your mqwebuser.xml file is based on one of the basic_registry.xml, local_os_registry.xml, or ldap_registry.xml sample XML files.

Procedure

  1. Optional: Change the default password of the mqweb server keystore key.jks by using the runmqktool command:
    runmqktool -storepasswd -keystore MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb/resources/security/key.jks -storepass oldPassword
              -new newPassword -all
    oldPassword
    Specifies the existing key.jks password. The default password is password.
    newPassword
    Specifies a new key.jks password.
  2. Create a key pair and certificate request to send to the certificate authority:
    1. Create the key pair by using the runmqktool command:
      runmqktool -genkeypair -keystore MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb/resources/security/key.jks -storepass password -storetype JKS
                 -alias label -dname distinguished_name 
                 -sigalg signature_algorithm
      password
      Specifies the key.jks keystore password.
      label
      Specifies the certificate label. For example, MQWebConsole.
      distinguished_name
      Specifies the X.500 Distinguished Name for the certificate. Enclose the Distinguished Name in double quotation marks.
      For example, "cn=MQWebConsole,o=myOrg,c=UK"
      signature_algorithm
      Specifies the algorithm to use to sign the certificate. For more information, see Signature algorithms.
    2. Create the certificate request by using the runmqktool command:
      runmqktool -certreq -keystore MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb/resources/security/key.jks -storepass password -alias label
                 -file filename
      password
      Specifies the key.jks keystore password.
      label
      Specifies the certificate label from substep 2.a.
      filename
      Specifies the fully qualified file name for the certificate request.
  3. Send the certificate request file to a certificate authority (CA).
  4. When you have the certificate from the CA, import the certificate and any other certificates in the certificate chain, starting with the root CA certificate, into the key.jks keystore by using the runmqktool command:
    runmqktool -importcert -keystore MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb/resources/security/key.jks -storepass password
               -alias label -file filename
    password
    Specifies the key.jks keystore password.
    label
    Specifies the certificate label from substep 2.a.
    filename
    Specifies the fully qualified file name of the certificate to import.
  5. Configure the mqweb server to present the CA-signed certificate:
    1. Open the mqwebuser.xml file.

      The mqwebuser.xml file is in the following directory: MQ_DATA_PATH/web/installations/installationName/servers/mqweb

    2. Turn off the default security configuration by commenting out the following line:
      <sslDefault sslRef="mqDefaultSSLConfig"/>
      If you configured the mqweb server to use client certificate authentication, this line of the XML file is already commented out.
    3. Uncomment the section in the mqwebuser.xml file that enables custom certificate configuration. The section contains the following text:
      <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
      <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
      <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore"
           trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
      <sslDefault sslRef="thisSSLConfig"/>
      If you configured the mqweb server to use client certificate authentication, this section of the XML file is already uncommented.
    4. Optional: If you changed the password for the key.jks keystore in step 1, change the password value in the defaultKeyStore element to an encoded version of the password that you set:
      1. From the MQ_INSTALLATION_PATH/web/bin directory, enter the following command:
        securityUtility encode password
      2. Place the output of this command in the password field for the defaultKeyStore.
    5. If you are not using client certificate authentication, comment out the following line:
      <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
    6. Change the value of serverKeyAlias from default to the certificate label that you specified in substep 2.a and used when you imported the CA-signed certificate in step 4.
  6. Stop the mqweb server by using the endmqweb command.
  7. Start the mqweb server by using the strmqweb command.
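  The following Python script is an added example (not IBM code) that applies the step 5 edits to mqwebuser.xml and checks the result before the server is restarted: it comments out the mqDefaultSSLConfig line, uncomments the custom certificate section, sets serverKeyAlias to the label from substep 2.a, optionally inserts the encoded keystore password, and comments out the trust store when client certificate authentication is not used. The XML fragment and the {xor} value are constructed sample input, not taken from a real installation; run the script against a copy of the file and review the diff before replacing the original.

```python
import re

# Constructed fragment mirroring the security section of a default mqwebuser.xml
# (sample input only, not a file taken from an installation).
SAMPLE_XML = """<server>
    <sslDefault sslRef="mqDefaultSSLConfig"/>

    <!--
    <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
    <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
    <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
    <sslDefault sslRef="thisSSLConfig"/>
    -->
</server>
"""

def _comment_out(text, element_start):
    """Wrap one single-line element in an XML comment unless it already is one."""
    pattern = r'^([ \t]*)(' + re.escape(element_start) + r'[^>]*/>)[ \t]*$'
    return re.sub(pattern, r'\1<!-- \2 -->', text, flags=re.M)

def configure_mqwebuser(text, alias, encoded_password=None, client_auth=False):
    """Apply the step 5 edits and return the new file contents (idempotent)."""
    text = _comment_out(text, '<sslDefault sslRef="mqDefaultSSLConfig"')
    # Uncomment the custom certificate block; no-op if it is already active.
    text = re.sub(r'<!--\s*(<keyStore id="defaultKeyStore".*?sslRef="thisSSLConfig"/>)\s*-->',
                  r'\1', text, flags=re.S)
    text = re.sub(r'serverKeyAlias="[^"]*"', 'serverKeyAlias="%s"' % alias, text)
    if encoded_password is not None:
        # A lambda keeps the '{xor}...' output of securityUtility free of regex escaping.
        text = re.sub(r'(<keyStore id="defaultKeyStore"[^>]*password=")[^"]*(")',
                      lambda m: m.group(1) + encoded_password + m.group(2), text)
    if not client_auth:
        text = _comment_out(text, '<keyStore id="defaultTrustStore"')
    return text

def verify_config(text, alias):
    """List problems in the active (uncommented) TLS config; an empty list means OK."""
    active = re.sub(r'<!--.*?-->', '', text, flags=re.S)
    problems = []
    if 'sslRef="mqDefaultSSLConfig"' in active:
        problems.append('default self-signed SSL config is still active')
    if 'sslRef="thisSSLConfig"' not in active or 'id="defaultKeyStore"' not in active:
        problems.append('custom SSL config or defaultKeyStore is not enabled')
    if 'serverKeyAlias="%s"' % alias not in active:
        problems.append('serverKeyAlias does not match the certificate label')
    return problems
```

  Running verify_config on the edited text before endmqweb/strmqweb catches the two mistakes that leave the self-signed certificate in place: the default sslDefault line still active, or serverKeyAlias still set to default.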

Results

When the web server starts, browse to your IBM MQ Console and refresh. The mqweb server presents the CA-signed certificate and you are taken straight to the login page.