
Configuring mutual TLS (mTLS) authentication for MFT

By BHAVYA K R posted 3 days ago

  
In this tutorial, we'll take a look at how TLS authentication can be configured between a queue manager and an MFT agent. We'll do it in two stages: first one-way TLS, where the agent verifies the queue manager's certificate, and then mutual TLS, where the queue manager also requires a certificate from the agent before it will complete the handshake and open the messaging channel.

Throughout, the agent is assumed to connect to its queue manager in client mode over a SVRCONN channel; the agentSsl* properties used below have no effect on an agent that connects in bindings mode.

As a first step we'll set up one-way (anonymous client) authentication: the agent checks the queue manager's identity, but presents no certificate of its own.

First, enable TLS on the queue manager side. Both attributes can be set in a single ALTER. SSLCAUTH(OPTIONAL) means the queue manager does not yet require a certificate from the agent, so at this stage only the agent authenticates the queue manager. ANY_TLS12 (introduced in MQ 9.1.1) accepts any TLS 1.2 CipherSpec; on an older queue manager name a specific CipherSpec instead, and make sure it is the one the agent is configured with later.
runmqsc QM2
ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(OPTIONAL)
EXIT
EXIT leaves the runmqsc interface. Note that an instance of the channel that is already running keeps its old settings until it is restarted.

Now that we’ve prepared the channel for anonymous authentication, move into the ssl directory for your queue manager (ours is QM2).

cd /var/mqm/qmgrs/QM2/ssl

Create a key repository (a .kdb file) using the MQ security tool runmqakm. The -stash option writes the repository password, obfuscated, to key.sth so that the queue manager can open the repository without prompting; that stash file is as sensitive as the private key itself, which is why the permissions are tightened to the mqm group below. Passing -pw on the command line also leaves the password in your shell history; omit it and runmqakm will prompt for it instead.
runmqakm -keydb -create -db key.kdb -pw key123 -stash
sudo chgrp mqm *
sudo chmod 640 *
Next, create a self-signed certificate and private key and put them in the key repository. The label matters: by default a queue manager looks for the certificate labelled ibmwebspheremq<QueueManagerNameInLowercase>. If the queue manager's CERTLABL attribute has been set, use that value instead.

In our example, the correct command for a queue manager QM2 is this command:
runmqakm -cert -create -db key.kdb -stashed -dn "cn=qm,o=ibm,c=in" -label ibmwebspheremqqm2

Now, let's extract the queue manager's certificate (the public part only; the private key never leaves the key repository) into a Base64 file, which we'll then give to the MFT agent. runmqakm names the output file with -target:
runmqakm -cert -extract -label ibmwebspheremqqm2 -db key.kdb -stashed -target QM.cert -format ascii

Now that we've extracted our certificate, we need to save it into the truststore of the MFT agent (the store containing the certificates the agent trusts), which we'll also need to create.

In our example the MFT commands are run as user testuser. In that user's home directory, create a directory, say mftcerts:
mkdir /home/testuser/mftcerts
cd /home/testuser/mftcerts

Create the agent truststore (PKCS#12, which the Java-based agent can read) and add the queue manager certificate. The file was extracted in ASCII (Base64) form above, so tell runmqakm that is the format it is adding:
runmqakm -keydb -create -db clientTruststore.p12 -pw client123 -type pkcs12
runmqakm -cert -add -db clientTruststore.p12 -pw client123 -label ibmwebspheremqqm2 -file /var/mqm/qmgrs/QM2/ssl/QM.cert -format ascii

Now that the certificates are in place, add the following to the agent's agent.properties. For one-way TLS only the truststore properties are strictly required; here the keystore properties point at the same file, which is harmless because it contains no private key. The cipher must be one the channel accepts, and with SSLCIPH(ANY_TLS12) any TLS 1.2 suite will do. Note that TLS_RSA_WITH_AES_128_CBC_SHA256 uses RSA key transport and therefore offers no forward secrecy; where both sides support it, prefer an ECDHE suite with AES-GCM such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (the MQ CipherSpec ECDHE_RSA_AES_128_GCM_SHA256).
vi /var/mqm/mqft/config/QM2/agents/A1/agent.properties

agentSslKeyStore=/home/testuser/mftcerts/clientTruststore.p12
agentSslKeyStoreCredentialsFile=/home/testuser/MQMFTCredentials.xml
agentSslKeyStoreType=pkcs12
agentSslTrustStore=/home/testuser/mftcerts/clientTruststore.p12
agentSslTrustStoreCredentialsFile=/home/testuser/MQMFTCredentials.xml
agentSslTrustStoreType=pkcs12
agentSslCipherSpec=TLS_RSA_WITH_AES_128_CBC_SHA256

Also record the truststore password in the credentials file named above (/home/testuser/MQMFTCredentials.xml). The <tns:file> element goes inside the file's <tns:mqmftCredentials> root element; its path must match agentSslTrustStore exactly, because the agent looks the password up by path. Since this file holds store passwords in clear text, make it readable by the MFT user only (chmod 600), and consider running fteObfuscate on it so the passwords are not stored in plain form.
<tns:file path="/home/testuser/mftcerts/clientTruststore.p12" password="client123" />

After this, start the agent with the fteStartAgent command:
fteStartAgent A1 -p QM2

Check output0.log in the agent's log directory for a successful start, or use the fteListAgents command. If the agent fails to connect, the TLS handshake error is recorded in the queue manager's error log (/var/mqm/qmgrs/QM2/errors/AMQERR01.LOG) as well as in output0.log.

Setting up mutual authentication

Now that the agent verifies the queue manager's certificate, we can also require the agent to present a certificate to the queue manager, giving us mutual authentication: each side proves its identity to the other, and the queue manager can refuse connections on this channel from anything that does not hold a private key whose certificate it trusts.

First, we'll set the channel's SSLCAUTH to REQUIRED, so that both the queue manager and the client (the MFT agent here) must present a trusted certificate. Do this with these commands:
runmqsc QM2
ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)
EXIT
SSLCAUTH(REQUIRED) only checks that the agent's certificate chains to something in the queue manager's key repository; it does not check whose certificate it is. With self-signed certificates that is every certificate you add individually, but once certificates are CA-signed it becomes every certificate that CA issues. To restrict the channel to this agent, also set SSLPEER on the channel to the agent's distinguished name (the one created below, CN=agent,O=ibm,C=in) or define a CHLAUTH rule of type SSLPEERMAP.

Now we're ready to create a public and private key pair for the MFT agent. Enter your MFT user's certificate directory and create a PKCS#12 keystore holding the agent's self-signed certificate. The keystore password must be supplied to every command, either with -pw as here or at the prompt:
cd /home/testuser/mftcerts
runmqakm -keydb -create -db clientKeystore.p12 -pw client123 -type pkcs12
runmqakm -cert -create -db clientKeystore.p12 -pw client123 -dn "cn=agent,o=ibm,c=in" -label ibmwebspheremqagent1
Extract the agent certificate (public part only) to the file clientcertificateone.cert with this command:
runmqakm -cert -extract -label ibmwebspheremqagent1 -db clientKeystore.p12 -pw client123 -target clientcertificateone.cert -format ascii

Now, we'll add that certificate to the queue manager's key repository, so the queue manager knows that it can trust the agent.
Navigate back to your queue manager's ssl directory and add the certificate to the key repository (the key.kdb file):
cd /var/mqm/qmgrs/QM2/ssl
runmqakm -cert -add -db key.kdb -stashed -label ibmwebspheremqagent1 -file /home/testuser/mftcerts/clientcertificateone.cert -format ascii
List the certificates in the key repository to confirm both are present (the queue manager's own entry is marked with an asterisk as the one with a private key):
runmqakm -cert -list -db key.kdb -stashed

Now that we've changed the queue manager's key repository, make the queue manager re-read it by issuing a command directly to it one last time. This also stops and restarts any TLS channels currently running, so do it while the agent is stopped:
runmqsc QM2
REFRESH SECURITY(*) TYPE(SSL)
EXIT
Now update agent.properties and MQMFTCredentials.xml with the appropriate values: the agent's keystore now points at clientKeystore.p12, which holds its private key, while the truststore stays clientTruststore.p12.
vi /var/mqm/mqft/config/QM2/agents/A1/agent.properties

agentSslKeyStore=/home/testuser/mftcerts/clientKeystore.p12
agentSslKeyStoreCredentialsFile=/home/testuser/MQMFTCredentials.xml
agentSslKeyStoreType=pkcs12
agentSslTrustStore=/home/testuser/mftcerts/clientTruststore.p12
agentSslTrustStoreCredentialsFile=/home/testuser/MQMFTCredentials.xml
agentSslTrustStoreType=pkcs12
agentSslCipherSpec=TLS_RSA_WITH_AES_128_CBC_SHA256

The credentials file now needs an entry for each store, since the agent looks each password up by path:
vi /home/testuser/MQMFTCredentials.xml
<tns:file path="/home/testuser/mftcerts/clientTruststore.p12" password="client123" />
<tns:file path="/home/testuser/mftcerts/clientKeystore.p12" password="client123" />

Start the agent again with fteStartAgent; it should start successfully. To confirm that the queue manager really authenticated the agent rather than merely completed a handshake, display the channel status in runmqsc while the agent is connected: the SSLPEER and SSLCERTI attributes of DISPLAY CHSTATUS show the distinguished name of the certificate the agent presented (CN=agent,O=ibm,C=in) and its issuer. If the agent fails to start, the TLS error is in the queue manager's error log (/var/mqm/qmgrs/QM2/errors/AMQERR01.LOG) and in the agent's output0.log.
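Putting the one-way section and the mutual-authentication section together, here is a POSIX shell script that performs the whole procedure above end to end. It is an added example, not code from the original post or from IBM. It assumes runmqakm, runmqsc and the fte* commands are on PATH, that agent A1 already connects in client mode (agentQMgrHost, agentQMgrPort and agentQMgrChannel set in agent.properties), and that it runs as a user able to write both the queue manager's ssl directory and the MFT user's home. The function names (qm_cert_label, render_credentials, render_agent_ssl_props, setup_qm_repo, setup_agent_stores, configure_channel, verify) are ours. It adds two things the tutorial leaves implicit: an SSLPEER filter pinning the channel to the agent's DN, and a credentials file with both store passwords and owner-only permissions. Nothing on the system is changed unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post: end-to-end one-way + mutual TLS setup
# for an MFT agent. Names and passwords are the tutorial's; function names are ours.
# Needs runmqakm, runmqsc and fte* on PATH and an agent already in client mode.
set -eu
QM=QM2
CHANNEL=DEV.APP.SVRCONN
AGENT=A1
MFT_USER=testuser
QM_SSL_DIR="/var/mqm/qmgrs/$QM/ssl"
MFT_DIR="/home/$MFT_USER/mftcerts"
CREDS="/home/$MFT_USER/MQMFTCredentials.xml"
AGENT_PROPS="/var/mqm/mqft/config/$QM/agents/$AGENT/agent.properties"
QM_KDB_PW=key123        # tutorial value; drop -pw below to be prompted instead
AGENT_PW=client123
AGENT_LABEL=ibmwebspheremqagent1
CIPHER=TLS_RSA_WITH_AES_128_CBC_SHA256   # tutorial's suite; must be allowed by SSLCIPH
# Default queue manager certificate label: ibmwebspheremq + name in lowercase
# (applies only when the queue manager's CERTLABL attribute is not set).
qm_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# MQMFTCredentials.xml: one <tns:file> per store. The agent looks the password
# up by the exact path used in agentSslKeyStore / agentSslTrustStore.
render_credentials() {   # truststore path, its password, keystore path, its password
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials">
  <tns:file path="$1" password="$2"/>
  <tns:file path="$3" password="$4"/>
</tns:mqmftCredentials>
EOF
}
# agentSsl* properties for mutual TLS: private key in clientKeystore.p12,
# queue manager certificate in clientTruststore.p12.
render_agent_ssl_props() {
    cat <<EOF
agentSslKeyStore=$MFT_DIR/clientKeystore.p12
agentSslKeyStoreCredentialsFile=$CREDS
agentSslKeyStoreType=pkcs12
agentSslTrustStore=$MFT_DIR/clientTruststore.p12
agentSslTrustStoreCredentialsFile=$CREDS
agentSslTrustStoreType=pkcs12
agentSslCipherSpec=$CIPHER
EOF
}

# Queue manager side: CMS key repository, self-signed cert, exported public cert.
setup_qm_repo() {
    label=$(qm_cert_label "$QM")
    runmqakm -keydb -create -db "$QM_SSL_DIR/key.kdb" -pw "$QM_KDB_PW" -stash
    runmqakm -cert -create -db "$QM_SSL_DIR/key.kdb" -stashed -dn "cn=qm,o=ibm,c=in" -label "$label"
    runmqakm -cert -extract -db "$QM_SSL_DIR/key.kdb" -stashed -label "$label" \
        -target "$QM_SSL_DIR/QM.cert" -format ascii
    chgrp mqm "$QM_SSL_DIR"/key.*   # key.sth holds the obfuscated repository password
    chmod 640 "$QM_SSL_DIR"/key.*
}
# Agent side: truststore with the queue manager cert, keystore with the agent's
# own key pair, exported agent cert, and an owner-only credentials file.
setup_agent_stores() {
    mkdir -p "$MFT_DIR"
    runmqakm -keydb -create -db "$MFT_DIR/clientTruststore.p12" -pw "$AGENT_PW" -type pkcs12
    runmqakm -cert -add -db "$MFT_DIR/clientTruststore.p12" -pw "$AGENT_PW" \
        -label "$(qm_cert_label "$QM")" -file "$QM_SSL_DIR/QM.cert" -format ascii
    runmqakm -keydb -create -db "$MFT_DIR/clientKeystore.p12" -pw "$AGENT_PW" -type pkcs12
    runmqakm -cert -create -db "$MFT_DIR/clientKeystore.p12" -pw "$AGENT_PW" -dn "cn=agent,o=ibm,c=in" -label "$AGENT_LABEL"
    runmqakm -cert -extract -db "$MFT_DIR/clientKeystore.p12" -pw "$AGENT_PW" -label "$AGENT_LABEL" \
        -target "$MFT_DIR/clientcertificateone.cert" -format ascii
    render_credentials "$MFT_DIR/clientTruststore.p12" "$AGENT_PW" "$MFT_DIR/clientKeystore.p12" "$AGENT_PW" > "$CREDS"
    chmod 600 "$CREDS"   # store passwords in clear: readable by the MFT user only
}

# Trust the agent cert on the queue manager, require client certs, and pin the
# channel to the agent's DN so no other trusted certificate can use it.
configure_channel() {
    runmqakm -cert -add -db "$QM_SSL_DIR/key.kdb" -stashed -label "$AGENT_LABEL" \
        -file "$MFT_DIR/clientcertificateone.cert" -format ascii
    runmqsc "$QM" <<EOF
ALTER CHANNEL($CHANNEL) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(REQUIRED) SSLPEER('CN=agent,O=ibm,C=in')
REFRESH SECURITY(*) TYPE(SSL)
EOF
}
# Start the agent and show the DN and issuer the queue manager saw on the channel.
verify() {
    fteStartAgent "$AGENT" -p "$QM"
    fteListAgents -p "$QM"
    echo "DISPLAY CHSTATUS($CHANNEL) SSLPEER SSLCERTI SSLCIPH" | runmqsc "$QM"
}

if [ "${1:-}" = "apply" ]; then   # nothing is changed unless run with "apply"
    setup_qm_repo
    setup_agent_stores
    configure_channel
    render_agent_ssl_props >> "$AGENT_PROPS"   # append once; merge by hand if keys exist
    verify
fi
```

Run it with the argument apply as a user that can write both locations, or split setup_qm_repo and configure_channel (run as mqm) from setup_agent_stores (run as the MFT user). The SSLPEER filter is the important hardening: without it, SSLCAUTH(REQUIRED) accepts any certificate the key repository trusts, which with self-signed certificates is only this agent, but becomes every certificate a CA has issued once you move to CA-signed certificates. The verify step's DISPLAY CHSTATUS output is what proves the queue manager actually saw the agent's DN rather than just completing a handshake.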


Comments

yesterday

Thanks Morag. Will look into your suggestion.

2 days ago

Hi there - it would be great to see an example that didn't use self-signed certificates. Could you update this post to show that too?