
Set up keystore for TLS channels using the MQ Operator under OpenShift

  • 1.  Set up keystore for TLS channels using the MQ Operator under OpenShift

    IBM Champion
    Posted Mon May 03, 2021 09:04 PM
    Hi MQ folks...

    I am testing out MQ containers deployed in OpenShift using the MQ Operator that ships with CP4I. We are currently using 2020.4 rather than 2021.1 because of issues with another product.

    This means we are using MQ Operator v1.3 (which may be part of the problem).

    Anyway, the target environment we are trying to build uses x.509 certificates for authentication of clients to the queue manager (API channels), and for authentication of queue managers (message channels).

    For this to work in a non-containerized MQ environment, I would add the CA certificates to the key.kdb as trusted certs. The key.kdb is referenced in the SSLKEYR attribute of the QMGR. I would then have SSLPEER values to filter incoming requests on channel definitions and on CHLAUTH statements, and map the incoming certificate DNs to MCAUSERs using CHLAUTH. CHLAUTH would also verify certificate issuers using SSLCERTI.

    I have not been able to work out how to add CA certificates to the queue manager keystore when creating the queue manager using the MQ Operator.

    The manual describes (Example: Configuring TLS) how to complete this task using a self-signed certificate for the queue manager, and without a client certificate - SSLCAUTH(OPTIONAL) on the SVRCONN channel.

    The manual also states that self-signed certificates should not be used for production.

    However, I cannot find any information about how to include CA certificates in the keystore for the queue manager, which means that message channels using TLS won't work because there is no way to validate the certificate, and I can't use client certificates (for mTLS) either, for the same reason.

    I have tried adding my CA certificates to a Kubernetes secret, and then including the secret in my qmgr both in the trust section of pki and in the keys section.

    CA certificates listed in trust section of pki

    pki:
      trust:
        - name: ssmqrootca
          secret:
            secretName: ss-ca
            items:
              - ss-root-ca
        - name: ssmqintermediateca
          secret:
            secretName: ss-ca
            items:
              - ss-intermediate-ca
        - name: ssissuerca
          secret:
            secretName: ss-ca
            items:
              - ss-issuer-ca
      keys:
        - secret:
            secretName: qm1-ace-svrconn-trust-secret
            items:
              - tls.key
              - tls.crt
          name: qmacesvrconn

    I also tried adding the CA certs to the keys property, by adding each CA cert into the keys section:

    keys:
      - secret:
          secretName: qm1-ace-svrconn-trust-secret
          items:
            - tls.key
            - tls.crt
        name: qmacesvrconn
      - secret:
          secretName: qm1-ace-svrconn-trust-secret
          items:
            - ss-root-ca
        name: ssrootca
      - secret:
          secretName: qm1-ace-svrconn-trust-secret
          items:
            - ss-intermediate-ca
        name: ssintermediateca
      - secret:
          secretName: qm1-ace-svrconn-trust-secret
          items:
            - ss-issuer-ca
        name: ssissuerca

    None of my attempts has altered the content of the key.kdb in the resultant queue manager container. In each case, the content is the queue manager certificate (from the tls.key and tls.crt values in the qm1-ace-svrconn-trust-secret secret), plus a CA cert with the label CN=cs-ca-certificate,O=cert-manager which seems to be part of the OpenShift cluster or CP4I infrastructure.

    Is there a way to add custom CA certificate chains to a keystore in a container using the MQ Operator under OpenShift?

    Regards,

    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------


  • 2.  RE: Set up keystore for TLS channels using the MQ Operator under OpenShift

    IBM Champion
    Posted Mon May 10, 2021 11:59 PM
    Hi all,

    After waiting a couple of days I raised a case with IBM to ask this question. Following a couple of questions back and forth, we have worked out why my original YAML didn't correctly populate the CA certificates into the MQ keystore.

    When I created the secrets containing the certificates, I named the items things like ss-root-ca and ss-intermediate-ca. I then referenced these names in the queue manager yaml pki.trust section. The queue manager would start, because the tie-up of the references worked, but the certificates were not included in the generated queue manager keystore.

    In order for the CA certificates to be correctly added to the keystore, the items in the secrets have to have names suffixed with .crt.

    I resolved the issue by deleting the secret, and recreating it with content named ss-root-ca.crt, ss-intermediate-ca.crt and ss-issuer-ca.crt. The qmgr YAML was then updated so that the pki.trust section items reference the new names with the .crt suffixes.

    The queue manager now starts and has the correct CA certificates in the keystore.

    Regards,

    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    IBM Champion (Cloud) 2019-21
    ------------------------------
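A pre-flight check for the naming rule worked out in this thread, added here as an example (it is not from the original posts or from IBM's operator). It walks the QueueManager spec.pki.trust references against the referenced Secret data and flags items that are missing, lack the .crt suffix (accepted by the operator but silently left out of key.kdb), or do not hold a PEM certificate. The CR, secret and placeholder PEM are constructed dicts standing in for parsed YAML.

```python
import base64

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def check_trust_items(qmgr_cr, secrets):
    """Return problems found in the CR's spec.pki.trust references.

    secrets maps secret name -> data dict of base64 values (Secret manifest shape).
    A trust item that exists but lacks the .crt suffix is reported, because the
    operator accepts the reference yet leaves the certificate out of key.kdb.
    """
    problems = []
    for entry in qmgr_cr.get("spec", {}).get("pki", {}).get("trust", []):
        label, ref = entry.get("name"), entry.get("secret", {})
        data = secrets.get(ref.get("secretName"))
        if data is None:
            problems.append(f"{label}: secret {ref.get('secretName')!r} not found")
            continue
        for item in ref.get("items", []):
            if item not in data:
                problems.append(f"{label}: item {item!r} missing from secret")
            elif not item.endswith(".crt"):
                problems.append(f"{label}: item {item!r} lacks .crt suffix, will be skipped")
            elif PEM_BEGIN not in base64.b64decode(data[item]).decode("ascii", "replace"):
                problems.append(f"{label}: item {item!r} is not a PEM certificate")
    return problems


def rename_plan(secret_data):
    """Map each key lacking the .crt suffix to the name it should be recreated under."""
    return {k: f"{k}.crt" for k in secret_data if not k.endswith(".crt")}


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample data: placeholder PEM body, not a real certificate.
FAKE_PEM = f"{PEM_BEGIN}\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SECRETS = {"ss-ca": {
    "ss-root-ca": b64(FAKE_PEM),              # the naming mistake from the thread
    "ss-intermediate-ca.crt": b64(FAKE_PEM),  # correctly suffixed
    "ss-issuer-ca.crt": b64("not a certificate"),
}}
QMGR_CR = {"spec": {"pki": {"trust": [
    {"name": "ssmqrootca", "secret": {"secretName": "ss-ca", "items": ["ss-root-ca"]}},
    {"name": "ssmqintermediateca", "secret": {"secretName": "ss-ca", "items": ["ss-intermediate-ca.crt"]}},
    {"name": "ssissuerca", "secret": {"secretName": "ss-ca", "items": ["ss-issuer-ca.crt"]}},
]}}}

if __name__ == "__main__":
    for p in check_trust_items(QMGR_CR, SECRETS):
        print("PROBLEM:", p)
    print("recreate secret with:", rename_plan(SECRETS["ss-ca"]))
```

Run it against `oc get queuemanager -o json` and `oc get secret -o json` output before applying the CR; an empty problem list means every trust item will actually land in the keystore.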