Hi MQ folks...
I am testing out MQ containers deployed in OpenShift using the MQ Operator that ships with CP4I. We are currently using 2020.4 rather than 2021.1 because of issues with another product.
This means we are using MQ Operator v1.3 (which may be part of the problem).
Anyway, the target environment we are trying to build uses x.509 certificates for authentication of clients to the queue manager (API channels), and for authentication of queue managers (message channels).
For this to work in a non-containerized MQ environment, I would add the CA certificates to the key.kdb as trusted certs. The key.kdb is referenced in the SSLKEYR attribute of the QMGR. I would then have SSLPEER values to filter incoming requests on channel definitions and on CHLAUTH statements, and map the incoming certificate DNs to MCAUSERs using CHLAUTH. CHLAUTH would also verify certificate issuers using SSLCERTI.
I have not been able to work out how to add CA certificates to the queue manager keystore when creating the queue manager using the MQ Operator.
The manual describes (Example: Configuring TLS) how to complete this task using a self-signed certificate for the queue manager, and without a client certificate - SSLCAUTH(OPTIONAL) on the SVRCONN channel.
The manual also states that self-signed certificates should not be used for production.
However, I cannot find any information about how to include CA certificates in the keystore for the queue manager, which means that message channels using TLS won't work because there is no way to validate the certificate, and I can't use client certificates (for mTLS) either, for the same reason.
I have tried adding my CA certificates to a Kubernetes secret, and then including the secret in my qmgr both in the trust section of pki, and in the keys section.
CA certificates listed in the trust section of pki:
pki:
  trust:
  - name: ssmqrootca
    secret:
      secretName: ss-ca
      items:
      - ss-root-ca
  - name: ssmqintermediateca
    secret:
      secretName: ss-ca
      items:
      - ss-intermediate-ca
  - name: ssissuerca
    secret:
      secretName: ss-ca
      items:
      - ss-issuer-ca
  keys:
  - secret:
      secretName: qm1-ace-svrconn-trust-secret
      items:
      - tls.key
      - tls.crt
    name: qmacesvrconn
I also tried adding the CA certs to the keys property, by adding each CA cert into the keys section:
keys:
- secret:
    secretName: qm1-ace-svrconn-trust-secret
    items:
    - tls.key
    - tls.crt
  name: qmacesvrconn
- secret:
    secretName: qm1-ace-svrconn-trust-secret
    items:
    - ss-root-ca
  name: ssrootca
- secret:
    secretName: qm1-ace-svrconn-trust-secret
    items:
    - ss-intermediate-ca
  name: ssintermediateca
- secret:
    secretName: qm1-ace-svrconn-trust-secret
    items:
    - ss-issuer-ca
  name: ssissuerca
None of my attempts has altered the content of the key.kdb in the resultant queue manager container. In each case, the content is the queue manager certificate (from the tls.key and tls.crt values in the qm1-ace-svrconn-trust-secret secret), plus a CA cert with the label CN=cs-ca-certificate,O=cert-manager which seems to be part of the OpenShift cluster or CP4I infrastructure.
Is there a way to add custom CA certificate chains to a keystore in a container using the MQ Operator under OpenShift?
Regards,
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-21
------------------------------
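Added example (not from the post above, and not IBM MQ code): a small Python model of the CHLAUTH-style mapping the post describes for the non-containerized setup, namely filtering an incoming certificate by subject DN (SSLPEER) and issuer DN (SSLCERTI) and mapping the connection to an MCAUSER. It is a constructed simplification: attribute matching is case-insensitive with a plain '*' glob wildcard and the first matching rule wins, whereas a real queue manager applies its own wildcard and precedence rules. The rule set, channel names and DNs are made up. What it illustrates is why the CA certificates the post is trying to get into key.kdb matter: once the issuer is pinned via SSLCERTI, a certificate that merely copies an authorised subject DN but was signed by an untrusted issuer gets no mapping at all, and an explicit NOACCESS rule can refuse a channel regardless of the DN presented.

```python
"""Constructed example: a simplified model of CHLAUTH SSLPEERMAP evaluation.

This is not IBM MQ code. It mimics the idea of filtering an incoming TLS
certificate by its subject DN (SSLPEER) and issuer DN (SSLCERTI) and mapping
the connection to an MCAUSER. Assumptions: attribute matching is
case-insensitive, '*' is a glob wildcard, and the first matching rule wins.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=app1, OU=apps, O=Example' into {attribute: value}.

    Simplification: escaped commas inside attribute values are not handled.
    """
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def dn_matches(pattern: str, dn: str) -> bool:
    """True if every attribute in the pattern is present in the DN and matches.

    Attributes present in the DN but absent from the pattern are ignored, so
    'CN=ace-*,O=Example' matches 'CN=ace-1,OU=apps,O=Example'.
    """
    wanted = parse_dn(pattern)
    actual = parse_dn(dn)
    for key, value_pattern in wanted.items():
        if key not in actual:
            return False
        if not fnmatchcase(actual[key].lower(), value_pattern.lower()):
            return False
    return True


@dataclass(frozen=True)
class ChlauthRule:
    channel: str    # channel name or glob, e.g. 'APP.SVRCONN' or '*'
    sslpeer: str    # subject DN pattern the presented certificate must match
    sslcerti: str   # issuer DN pattern: pins which CA must have signed it
    usersrc: str    # 'MAP' to assign mcauser, 'NOACCESS' to refuse the connection
    mcauser: str = ""


def resolve(rules: List[ChlauthRule], channel: str, subject_dn: str,
            issuer_dn: str) -> Tuple[str, Optional[str]]:
    """Return ('MAP', mcauser), ('NOACCESS', None) or ('NOMATCH', None).

    NOMATCH means no rule applied; what happens next is the queue manager's
    default behaviour, which this model deliberately does not guess at.
    """
    for rule in rules:
        if not fnmatchcase(channel, rule.channel):
            continue
        if not dn_matches(rule.sslpeer, subject_dn):
            continue
        if not dn_matches(rule.sslcerti, issuer_dn):
            continue  # right subject, wrong issuer: the pinned CA did not sign it
        if rule.usersrc == "NOACCESS":
            return ("NOACCESS", None)
        return ("MAP", rule.mcauser)
    return ("NOMATCH", None)


# Constructed rule set: application clients and a partner queue manager, each
# pinned to an internal issuing CA; anything arriving on the admin channel is refused.
ISSUER = "CN=Example Issuing CA,O=Example Corp"
RULES = [
    ChlauthRule("APP.SVRCONN", "CN=ace-*,O=Example Corp", ISSUER, "MAP", "acesvc"),
    ChlauthRule("QM2.TO.QM1", "CN=QM2,O=Example Corp", ISSUER, "MAP", "mqmchl"),
    ChlauthRule("ADMIN.SVRCONN", "CN=*", "CN=*", "NOACCESS"),
]

if __name__ == "__main__":
    good = resolve(RULES, "APP.SVRCONN",
                   "CN=ace-client1,OU=integration,O=Example Corp", ISSUER)
    # Self-signed certificate that copies an authorised subject DN (constructed).
    forged = resolve(RULES, "APP.SVRCONN", "CN=ace-client1,O=Example Corp",
                     "CN=ace-client1,O=Example Corp")
    print("trusted issuer:", good)
    print("copied subject, untrusted issuer:", forged)
```

Run it directly to see the two outcomes side by side; the second case is the one that an SSLPEER-only rule would have let through, which is exactly what a correctly populated trust store plus SSLCERTI is meant to prevent.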