Digital Certificates › Using MQ WebSphere with CA Top Secret Certificates › Example: MQ WebSphere with CA Top Secret Generated Sign

Example: MQ WebSphere with CA Top Secret Generated Sign

This example sets up MQ WebSphere with CA Top Secret generated signed certificates:

1. Enter the command:

   TSS GENCERT(MQCHIN1) DIGICERT(MCI1CERU)
                        SUBJECTN('O="COMPANYA" CN=" MQCHIN1
   	                           cert" OU="SYSTEMSDEPT" C="US" ')
                        LABLCERT('MCI1CERU')
   

   A certificate is generated where:

   • MQCHIN1 is the MQ Channel Initiator region ACID
   • MCI1CERU is the digital certificate and LABLCERT
2. Enter the commands:

   TSS ADD(dept) IBMFAC(IRR.DIGTCERT) <---(skip if previously done)
   TSS PER(acid) IBMFAC(IRR.DIGTCERT.LISTRING)
                 ACCESS(UPDATE)
   TSS PER(acid) IBMFAC(IRR.DIGTCERT.LIST)
                 ACCESS(UPDATE)
   TSS PER(acid) IBMFAC(IRR.DIGTCERT.GENCERT)
                 ACCESS(UPDATE)
   

   The ACID is authorized to read digital certificates.

3. Enter the command:

   TSS GENREQ(MQCHIN1) DIGICERT(MCI1CERU)
                       DCDSN('MQCHIN1.UNSIGNED.CERT') 
   

   The certificate is copied to a dataset in PKCS#10 format.

4. Send the certificate to the Certificate Authority to be signed.
5. Send the signed certificate to a dataset.
6. Enter the command:

   TSS ADD(MQCHIN1) DIGICERT(MCI1CERS)
                    DCDSN('MQCHIN1.SIGNED.CERT')
                    LABLCERT('ibmWebSphereMQCSQ1')
                    TRUST
   

   The certificate is stored on the CA Top Secret Security File where:

   • 'MQCHIN1.SIGNED.CERT' is the dataset
   • MCI1CERS is the new DIGICERT certificate name

   Note: LABLCERT must be 'ibmWebSphereMQxxxx' where 'xxxx' is the MQ channel initiator.

7. Enter the command:

   TSS ADD(MQCHIN1) KEYRING(MCI1RING)
                    LABLRING(MCI1RING)
   

   The MQ Channel Initiator's KEYRING is created.

8. Enter the command:

   TSS ADD(MQCHIN1) KEYRING(MCI1RING)
                    RINGDATA(MQCHIN1,MCI1CERS)
                    USAGE(PERSONAL)
                    DEFAULT
   

   The certificate is added to the KEYRING.

9. If you are using the Certificate Authorities' public key, skip to step 12.
10. Enter the command:

    TSS EXPORT(MQCHIN1) DIGICERT(MCI1CERS)
                        DCDSN('MQCHIN1.SIGNED.CERT')
                        LABLCERT(MCI1CERS)
    

    The certificate is exported to the 'MQCHIN1.SIGNED.CERT'.dataset.

11. Send the certificate to the client.
12. Enter the MQ WebSphere command:

    ALTER QMGR SLKEYR(MCI1RING)
    

    The queue manager's KEYRING is specified.

13. Send the Certificate Authority to the mainframe.
14. Enter the command:

    TSS ADD(CERTAUTH) DIGICERT(MCI1CA)
                      DCDSN('MQCHIN1.CERT.AUTH')
    

    The Certificate Authority is added to CERTAUTH.

15. Enter the command:

    TSS ADD(MQCHIN1) KEYRING(MCI1RING)
                     RINGDATA(CERTAUTH,MCI1CA)
                     USAGE(CERTAUTH)
    

    The Certificate Authority is added to the MQ Channel Initiator's KEYRING.

16. Recycle the MQ Websphere address space.