How To
Summary
MQ specifies requirements for the label names of the queue manager's and clients' personal certificates.
See the Knowledge Center at:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014340_.htm
Steps
If you have a certificate with the wrong label name in a keystore, or you just want to change the label name, you can rename the certificate label name in the keystore.
1) Take a copy of the keystore files as a precaution, so that you can switch back if you need to.
2) Rename/relabel the queue manager's certificate.
The runmqckm and runmqakm commands provide a '-cert -rename' option.
Example command:
$ runmqckm -cert -rename -db key.kdb -label ibmwebspheremqqmgr1 -new_label ibmwebspheremqqmgr2
Another option is to export, delete, and import the certificate with a new label name:
- Export a personal certificate from a keystore. This exports the full personal certificate, private + public key:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012840_.htm
$ runmqckm -cert -export -db filename -pw password -label [labelname] -type cms -target filename -target_pw password -target_type pkcs12
(-target here is the file you will save the certificate to. Note that you give it a password; the filename and password are used below on import.)
- Delete the personal certificate from the keystore:
$ runmqckm -cert -delete -db filename -pw password -label [labelname]
- Import the personal certificate into the keystore with a new label name (note the addition of -new_label vs. the infocenter command):
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012850_.htm
$ runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms -label [old-labelname] -new_label [new-labelname]
(-file is the file you saved the certificate to, along with its password)
(-target is the keystore db, and target_pw is the keystore password)
After you've done this, you can list the certificates to ensure the labels are correct. Remember that the default label name MUST be ibmwebspheremq followed by the queue manager name in all LOWERCASE. If this is the personal certificate for the queue manager, make sure your QMGR's CERTLABL matches the actual label name in the keystore.
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014340_.htm
$ runmqakm -cert -list personal -db key.kdb
To list the certificates and verify the label is correct, I like to use runmqakm when listing certificates, as it also adds a prefix to verify which are personal certificates versus signer/public key certificates.
I hope this helps.
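The label check described above can be scripted. The following is an added example, not part of the original document or of IBM's tooling: it builds the default label for a queue manager and classifies what a certificate listing contains. The function names, the sample listing, and the assumed line layout (prefix, whitespace, label, with "-" marking a personal certificate) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that a keystore listing holds the default label
# (ibmwebspheremq + queue manager name, all lowercase) as a personal certificate.
# It checks the default label only; if CERTLABL is set, compare against that.

# Build the default label for queue manager name $1.
mq_default_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Read a listing on stdin; print ok, wrong-case:<label>, not-personal or missing.
# Assumed layout (not taken from the page): "<prefix><whitespace><label>".
check_default_label() {
    want=$(mq_default_label "$1")
    awk -v want="$want" '
        /^[-*!#]+[ \t]+/ {
            marker = $1
            label = $0
            sub(/^[-*!#]+[ \t]+/, "", label)   # drop the prefix column
            gsub(/^"|"$/, "", label)           # drop surrounding quotes
            if (label == want && index(marker, "-")) exact = 1
            else if (label == want) notpersonal = 1
            else if (tolower(label) == want) wrongcase = label
        }
        END {
            if (exact) print "ok"
            else if (wrongcase != "") print "wrong-case:" wrongcase
            else if (notpersonal) print "not-personal"
            else print "missing"
        }'
}

# Constructed sample listing: the label was created with an uppercase name.
sample_listing() {
    printf '%s\n' 'Certificates found'
    printf '%s\n' '* default, - personal, ! trusted, # secret key'
    printf '%s\t%s\n' '!' '"Example Root CA"'
    printf '%s\t%s\n' '-' 'ibmwebspheremqQMGR1'
}

sample_listing | check_default_label QMGR1
```

Against a real keystore, pipe the output of the runmqakm listing command shown above into check_default_label; a wrong-case result is the situation the '-cert -rename' command corrects.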
Document Location
Worldwide
Document Information
Modified date:
04 September 2020
UID
ibm16326879