IBM Support

How to Import Certificates on IBM MQ Appliance.

How To


Summary

Currently the MQ Appliance does not include a way to import certificates through the command line. You can work around this by using the MQ Appliance keybackup/keyrestore commands:
1) MQ Appliance keybackup
2) Copy the created archive file off the MQ Appliance
3) Unpack the archive and modify the keystore as desired
4) Repack the archive and upload it back to the MQ Appliance
5) MQ Appliance keyrestore

Environment

To implement this guidance you need:
     1. IBM MQ Appliance
     2. Windows/Unix system with IBM Key Management tools
     3. Personal Certificate in a pkcs12 format.

Steps

1. Back up the certificate on the IBM MQ Appliance:
     In the mqcli run: 
keybackup -m <QManagerName>
     Keep a copy of the password; you need it wherever a password is required in the remainder of this document.
2. Move the resulting .tar.gz file off the appliance:

     To copy the file by using the command line interface:

        a. Connect to the command line of the appliance as described in Command line access.
        b. Log in to the appliance as an administrator.
        c. Type config to enter configuration mode.
        d. Copy the file by typing the following command:
copy mqbackup:///backup_filename scp://username@ipaddress/[/]directorypath
     To copy the file by using the IBM MQ Appliance web UI:
        a. Start the IBM MQ Appliance web UI, and click the menu icon in the title bar.
        b. Select Files to open the File Management window.
        c. Open the mqbackup folder.
        d. Click the backup file name link to save the file to your local system (the exact method for saving the file depends on the type of browser that you use).
3. On the Windows or Linux system, navigate to the .tar.gz archive and unpack it by running:
tar -xvf <KeyBackupFile>
     This produces three files:
       key.kdb
       key.rdb
       key.crl
4. Import your personal certificate into the keystore
     Command Line:
runmqakm -cert -import -file <Certificate> -type <CertificateType> -target key.kdb -target_pw <Password>
     IBM IKeyMan GUI:
       a. Open the IKeyMan GUI
       b. Open the extracted key.kdb and enter the password.
       c. Select the import button
       d. Select type "pkcs12"
       e. Select your certificate
       f. Select your personal certificate and any other signers you want to import
       g. If you want to relabel certificates, you can do so on this screen
       h. Select "OK" to verify your certificate has been imported.
5. Verify Your Certificate was Imported:
     Command Line:
runmqakm -cert -list -db key.kdb -pw <Password>
     IBM IKeyMan GUI:
       Select the "Validate" button
6. Package the tar file:
tar -zcvf <backupDirectory>.tar.gz key.kdb key.rdb key.crl 
7. Upload the File to the Appliance. Ensure you upload it to the mqbackup folder:

     To copy the file by using the command line interface:

       a. Connect to the IBM® MQ Appliance as described in Command line access.
       b. Log in as a user in the administrators group.
       c. Type config to enter configuration mode.
       d. Copy your saved backup file to the target appliance:
copy scp://username@ipaddress/[/]directorypath/filename mqbackup:
       e. Type exit to leave config mode.
    

     To copy the file by using the IBM MQ Appliance web UI:

       a. Start the IBM MQ Appliance web UI, and click the menu icon in the title bar.
       b. Select Files to open the File Management window.
       c. Click Actions for the mqbackup folder.
       d. Select Upload files from the Actions menu.
       e. Click Browse, and browse for the location of the backup file on your local system.
       f. Click Upload to upload the file to the mqbackup directory on the appliance.
8. Restore the file:
       In the mqcli run: 
keyrestore -m <QManagerName> -file <KeyFileName> -password <Password>
9. Confirm that the keystore was imported:
       In the mqcli run:
listcert -m <QManagerName>
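
The workstation part of this procedure (steps 3 to 6) handles a keystore that contains private keys. The following is an added example, not IBM's code: it unpacks the backup into an owner-only directory, runs the runmqakm commands from steps 4 and 5, and checks that the repacked archive holds exactly the three keystore files. The function names are hypothetical, and it assumes runmqakm is on the PATH and that the archive uses the flat member names from step 6.

```bash
#!/usr/bin/env bash
# Added example: workstation side of steps 3-6. Function names are hypothetical.
umask 077                              # extracted keystore files stay owner-only
EXPECTED="key.crl key.kdb key.rdb"     # the three members named in step 3, sorted

# True only if the archive holds exactly the three keystore files.
# Assumption: member names are flat (or ./-prefixed), as produced in step 6.
check_members() {
    local members
    members=$(tar -tzf "$1" 2>/dev/null | sed 's|^\./||' | LC_ALL=C sort | tr '\n' ' ')
    [ "${members% }" = "$EXPECTED" ]
}

# Unpack into a new owner-only directory and print its path.
unpack_private() {
    local dir
    check_members "$1" || { echo "unexpected archive contents: $1" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$dir" || { rm -rf "$dir"; return 1; }
    echo "$dir"
}

# Repack with the member list from step 6, then re-check the result.
repack() {   # repack <workdir> <output.tar.gz>
    tar -zcf "$2" -C "$1" key.kdb key.rdb key.crl && check_members "$2"
}

# Steps 3-6 end to end, using the runmqakm options shown in steps 4 and 5.
import_cert() {   # import_cert <backup.tar.gz> <cert.p12> <output.tar.gz>
    local dir pw rc
    dir=$(unpack_private "$1") || return 1
    read -rsp "Keystore password (from keybackup): " pw; echo
    runmqakm -cert -import -file "$2" -type pkcs12 \
             -target "$dir/key.kdb" -target_pw "$pw" &&
        runmqakm -cert -list -db "$dir/key.kdb" -pw "$pw" &&
        repack "$dir" "$3"
    rc=$?
    rm -rf "$dir"     # do not leave private key material in the temp directory
    return $rc
}

if [ "$#" -eq 3 ]; then import_cert "$@"; fi
```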

Document Location

Worldwide

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SS5K6E","label":"IBM MQ Appliance"},"ARM Category":[{"code":"a8m0z00000008JwAAI","label":"Security-\u003ETLS (SSL)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
28 September 2023

UID

ibm16337165