IBM Support

In MQ, how do you rename the certificate label if the label name is incorrect? (SSL TLS)

How To


Summary

MQ specifies requirements for the personal certificate label names of the queue manager and of clients.

See the Knowledge Center at:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014340_.htm

Steps

If you have a certificate with the wrong label name in a keystore, or you just want to change the label name, you can rename the certificate label name in the keystore.

1) As a precaution, take a backup copy of the current keystore files, in case you need to switch back.

2) Rename/relabel the queue manager's certificate

The runmqckm and runmqakm commands provide a '-cert -rename' option.

Example command:

$ runmqckm -cert -rename -db key.kdb -label ibmwebspheremqqmgr1 -new_label ibmwebspheremqqmgr2

Another option is to export the certificate, delete it, and import it again with the new label name:

  • export a personal certificate from a keystore, this exports the full personal certificate, private + public key:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012840_.htm

$ runmqckm -cert -export -db filename -pw password -label [labelname] -type cms -target filename -target_pw password -target_type pkcs12

(-target here is the file you will save the certificate to. Note that you give it a password; that filename and password are used below on import.)

  • delete the personal certificate from the keystore:

(You can NOT undo once you delete the certificate, thus it is important to have a backup)

$ runmqckm -cert -delete -db filename -pw password -label [labelname]

  • import the personal certificate into the keystore with a new labelname: (note addition of new_label vs. infocenter command)

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012850_.htm

$ runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms -label [old-labelname] -new_label [new-labelname]

(-file is the file you saved the certificate to, along with its password)
(-target is the keystore db, and target_pw is the keystore password)

After you've done this, you can list the certificates to ensure the labels are correct. Remember that the default label name MUST be ibmwebspheremq followed by the queue manager name in all LOWERCASE. If this is the personal certificate for the queue manager, make sure your QMGR's CERTLABL matches the actual label name in the keystore.

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014340_.htm

$ runmqakm -cert -list personal -db key.kdb

To list the certificates and verify the label is correct, I like to use runmqakm, as it also adds a prefix that shows which are personal certificates versus signer/public key certificates.
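The label check described above can be scripted. This is an added example, not part of the original IBM document: the function names and the sample listing are constructed, and the listing layout (a "-" prefix marking personal certificates, an optional "*" for the default, labels optionally quoted) is an assumption about the runmqakm output.

```shell
#!/bin/sh
# Added example: check a certificate listing against MQ's default label rule.
# If the queue manager sets CERTLABL, compare against that value instead.

# Default label: "ibmwebspheremq" followed by the queue manager name in lowercase.
expected_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Print the labels of personal certificates from a listing read on stdin.
# Assumed layout: "-<whitespace>label", optionally preceded by "*" (default).
personal_labels() {
    sed -n 's/^[*]\{0,1\}-[[:space:]]\{1,\}//p' | sed 's/^"\(.*\)"$/\1/'
}

# check_label QMGR < listing
# Returns 0 on exact match, 1 if the label differs only by case, 2 if absent.
check_label() {
    want=$(expected_label "$1")
    labels=$(personal_labels)
    if printf '%s\n' "$labels" | grep -Fxq -- "$want"; then
        echo "OK: $want"
        return 0
    fi
    near=$(printf '%s\n' "$labels" | grep -Fxi -- "$want" || true)
    if [ -n "$near" ]; then
        echo "CASE MISMATCH: found '$near', expected '$want'"
        return 1
    fi
    echo "MISSING: no personal certificate labelled '$want'"
    return 2
}

# Constructed sample listing: one signer entry, one personal entry whose
# label kept the uppercase queue manager name.
sample_listing() {
    printf 'Certificates found\n'
    printf '* default, - personal, ! trusted, # secret key\n'
    printf '%s\t%s\n' '!' '"Example Root CA"' '-' 'ibmwebspheremqQMGR1'
}

# Usage against a real keystore (command taken from this page):
#   runmqakm -cert -list personal -db key.kdb | check_label QMGR1
```

A non-zero return after a rename means the label in the keystore still does not match what the queue manager will look for by default.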

I hope this helps.

Document Location

Worldwide


Document Information

Modified date:
04 September 2020

UID

ibm16326879