

Change the Password for the Message Queue SSL Keystore

The Message Queue SSL keystore stores the server certificates that the Message Queue uses for SSL communication. When you change the password for the Message Queue SSL keystore, you update the public/private key pair that signs the server certificates.

You may need to regularly change the password for the Message Queue SSL keystore to comply with your organization's security and password policies.

Before you change the password for the Message Queue SSL keystore, note the following:

Important! If you have more than one Distribution Server in your enterprise, first change the password on the Distribution Server installed on the Enterprise Management Server, then change the password on the other Distribution Servers in your enterprise. The Message Queue is part of the Distribution Server.

To change the password for the Message Queue SSL keystore

  1. Stop the CA ControlMinder Message Queue service.
  2. Open a command prompt window and navigate to the following directory, where JDK is the directory in which you installed the Java Development Kit:
    JDK/bin
    
  3. Run the following command:
    keytool -genkey -keyalg RSA -keysize 1024 -keystore "keystore.p12" -storetype PKCS12 -dname "cn=acmq" -alias acmq -storepass "password" -keypass "password"
    
    -genkey

    Specifies that the command creates a key pair (public and private keys).

    -keyalg RSA

    Specifies to use the RSA algorithm to generate the key pair.

    -keysize 1024

    Specifies that the size of the generated key is 1024 bits.

    -storetype PKCS12

    Specifies that the generated key is in the PKCS12 file format.

    -dname "cn=acmq"

    Specifies that the X.500 distinguished name for the generated certificate is acmq. This name is used in the issuer and subject fields of the certificate.

    -alias acmq

    Specifies to update the keystore entry named acmq.

    -storepass "password"

    Specifies the password that protects the Message Queue SSL keystore. The password must be identical to the password that you specify for the -keypass parameter.

    -keypass "password"

    Specifies the password that protects the private key of the new key pair. The password must be identical to the password that you specify for the -storepass parameter.

    The keytool utility changes the password for the Message Queue SSL keystore.

  4. Navigate to the following directory, where DistServer is the directory in which you installed the Distribution Server:
    DistServer/MessageQueue/tibco/bin/ems
    
  5. Run the following command:
    tibemsadmin -mangle password 
    

    The password for the SSL keystore is encrypted.

Change the Message Queue URL

The Message Queue uses localhost as the URL. You can change the URL to use the fully qualified domain name (FQDN) of the host by modifying the tibco-jms-ds.xml file.

The URL information is stored in the Message Queue in the following XML file, where JBoss_home is the directory where you installed JBoss:

JBoss_home/server/default/deploy/jms/tibco-jms-ds.xml

Follow these steps:

  1. Stop the JBoss Application Server, the CA ControlMinder Message Queue service and all the CA ControlMinder services.
  2. Back up the tibco-jms-ds.xml file that is placed at the following location:
    JBoss_home\server\default\deploy\jms
    
  3. Open the tibco-jms-ds.xml file and perform the following steps:
    a. Locate localhost.
    b. Replace localhost with FQDN.
    c. Perform steps a and b for every instance of localhost.
    d. Save and close the file.
  4. Browse to the following location to modify the communication key:
    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\commmunication
    
  5. Locate the key value Distribution_Server.

    The default value is ssl://localhost:7243.

  6. Replace the ssl://localhost:7243 value with ssl://<FQDN>:7243.
  7. Start all CA ControlMinder services, including the CA ControlMinder Message Queue service.
  8. Start the JBoss service.

    The CA ControlMinder Message Queue URL is changed.
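
The following Python check is an added example, not part of the CA documentation: it applies step 3 to the text of tibco-jms-ds.xml, reports any line that still mentions localhost, and validates the Distribution_Server value from steps 5 and 6. The sample XML, its element and attribute names, and the host name ds01.example.com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for tibco-jms-ds.xml; the real file's
# element and attribute names may differ.
SAMPLE_XML = """<connection-factories>
  <!-- constructed sample, not the shipped file -->
  <attribute name="ProviderUrl">ssl://localhost:7243</attribute>
  <attribute name="BackupUrl">ssl://LOCALHOST:7243</attribute>
  <attribute name="Note">localhostile is not a host name</attribute>
</connection-factories>
"""

# Match "localhost" only as a complete host name, in any letter case, so
# longer names such as "localhostile" or "localhost.lab" are left alone.
_LOCALHOST = re.compile(r"(?<![\w.-])localhost(?![\w.-])", re.IGNORECASE)


def replace_localhost(text, fqdn):
    """Step 3: replace every instance of localhost; return (text, count)."""
    return _LOCALHOST.subn(fqdn, text)


def remaining_localhost(text):
    """Return the 1-based numbers of lines that still mention localhost."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if _LOCALHOST.search(line)]


def check_distribution_server(value, fqdn):
    """Steps 5-6: list the problems found in the Distribution_Server value."""
    url = urlsplit(value)
    problems = []
    if url.scheme != "ssl":
        problems.append("scheme is not ssl")
    if (url.hostname or "").lower() != fqdn.lower():
        problems.append("host is not the FQDN")
    if url.port != 7243:
        problems.append("port is not 7243")
    return problems


if __name__ == "__main__":
    fqdn = "ds01.example.com"  # constructed host name
    fixed, count = replace_localhost(SAMPLE_XML, fqdn)
    print(count, remaining_localhost(fixed),
          check_distribution_server("ssl://localhost:7243", fqdn))
```

Run the functions against the contents of the backed-up and edited files before you restart the services, so that a missed localhost entry is caught while the original file is still at hand.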