  • 1.  Creating CSR for MQ using IKeyman utility

    IBM Champion
    Posted Tue May 04, 2021 10:59 AM
    I need to create a CSR to secure the connection between two of our MQ servers -- one in cloud and one on z/OS. I've read through the documentation and it seems the IKeyman utility is the recommended tool to use for this. My main question is: what is the easiest way to get IKeyman installed? Does this come with the IBM MQ installation? Our cloud deployment (Ubuntu Linux) does not install every package included in the MQ tar file, which may explain why I don't see it.

    Ideally, I would like to install IKeyman locally on my Mac, generate the CSR and then send it to our security team to be signed.  However, I'm open to other tools for doing this if there is an easier route.

    Thanks,
    Jim

    ------------------------------
    Jim Creasman
    ------------------------------


  • 2.  RE: Creating CSR for MQ using IKeyman utility

    Posted Tue May 04, 2021 11:02 AM

    Use runmqckm from MQ.

    https://www.ibm.com/docs/en/ibm-mq/9.2?topic=securing-managing-keys-certificates-aix-linux-windows

    Regards,

    Rab.

    Rab McGill | Senior Technician
    office: +441312453287 | email: rab_mcgill@standardlife.com


  • 3.  RE: Creating CSR for MQ using IKeyman utility

    IBM Champion
    Posted Tue May 04, 2021 10:59 PM
    Hi Jim,

    there are a couple of things to consider when creating a CSR. The first is that the CSR is only half of what gets created. The other half is a private key, which needs to be kept secure. Ideally, I normally recommend that a private key should be generated (together with the CSR) on the machine where it will be used. This is because copying and moving a private key increases the risk that it could be exposed. The CSR can be safely sent to the CA to be signed, as it contains only the public key.

    The second thing is specific to distributed MQ. MQ ships with IBM GSKit and relies on it to implement TLS security in the queue manager. The various applications available to manage MQ CMS keystores (runmqakm, runmqckm and strmqikm) are MQ-specific aliases of the underlying GSKit utilities. If these utilities are not available on your MQ system, it means that the GSKit component hasn't been installed. You need to install it before TLS will work, even if you are generating the keys and CSRs elsewhere. You MUST have GSKit installed in your container image of MQ if TLS is going to work.

    For MQ outside containers, I recommend using runmqakm to create your keystore on the machine, and in the directory, where the MQ queue manager will access it. That way the private key doesn't need to be copied around. You can use runmqakm to generate a strong random passphrase, or you can generate the passphrase using another tool. I don't recommend using human usable passphrases. If you are using the command line utilities you will never need to enter the passphrase again, as the stash file can be used in all cases to access the keystore. If you wish to use the GUI key tool, you do need to enter the passphrase in order to open the keystore.

    runmqckm can also be used as a command line tool to manage CMS keystores, but runmqakm is much faster and can provide more secure encryption algorithms.

    The Secure Messaging Scenarios with WebSphere MQ Redbook has a section (section 8.11) which provides examples of using runmqakm to manage CMS keystores. See https://www.redbooks.ibm.com/abstracts/sg248069.html?Open

    If you do want access to the GSKit tools, they are included in the redistributable MQ client installation. That's the easiest way to install them if you want them somewhere other than where your queue manager will run. Unfortunately, that is only available for Linux and Windows. You can get a macOS version by downloading the MQ MacOS Toolkit - https://developer.ibm.com/components/ibm-mq/tutorials/mq-macos-dev/

    For MQ in containers, you are likely to have to generate the key and CSR before container creation, and inject the files into the running container, perhaps as Kubernetes secrets, or through other technologies. The mechanisms for doing this have changed over the last few years (several times), and the latest CP4I-managed MQ Operator has a different way to manage it compared to earlier versions or compared to running the container image outside of CP4I or OpenShift. Depending on the exact mechanism for injecting the key and certificate into the container, you may not be able to use GSKit to generate the key, or you may need both GSKit and openssl. For example, the MQ Operator wants the key and certificate in a Kubernetes secret. That requires the key in PEM format, which is not supported by GSKit. If you used GSKit to create the key, you would need to place it in a PKCS#12 file using GSKit, and then export it to a PEM file using openssl. In that case, it would probably be easier to just use openssl to generate the key and CSR.

    I notice that you will also need certificates on z/OS. Certificates on z/OS need to be managed under the SAF (RACF, CA ACF2, CA Top Secret, etc.). The product tools should be used rather than GSKit, which is only used for distributed MQ.

    Regards,


    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------
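The two paths Neil describes (and the runmqckm/runmqakm route Rab points to) as one added shell script. This is an example written for this page, not code from either poster or from IBM. It assumes a queue manager named QM1, a placeholder DN, the default MQ label convention ibmwebspheremq<queue manager name in lower case>, a Secret named qm1-tls, and that the Secret item names tls.key/tls.crt and the way a QueueManager resource references them are to be checked against the MQ Operator documentation for the version in use. The runmqakm functions only run where GSKit is installed; the openssl functions run anywhere openssl is present.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a queue manager's private key and CSR
# two ways: with runmqakm into a CMS keystore on the MQ host (the key never moves), or
# with openssl into PEM files for MQ in containers (key injected as a Kubernetes Secret).
# Assumed placeholders: queue manager QM1, the DN fields, and the Secret name qm1-tls.
set -eu

QM=${QM:-QM1}
# Default MQ certificate label convention: ibmwebspheremq + queue manager name, lower case
LABEL="ibmwebspheremq$(printf '%s' "$QM" | tr 'A-Z' 'a-z')"
DN="CN=${QM},OU=MQ,O=Example Corp,C=US"

# Path 1: CMS keystore with runmqakm, run on the host and in the directory the queue
# manager will use. The stash file (.sth) lets MQ open the keystore without the passphrase,
# so the passphrase can be long and random; umask 077 keeps .kdb/.sth/.rdb private.
make_keystore_runmqakm() {
    dir=$1
    umask 077
    pw=$(runmqakm -random -create -length 20 -strong)
    runmqakm -keydb -create -db "$dir/key.kdb" -pw "$pw" -type cms -stash
    runmqakm -certreq -create -db "$dir/key.kdb" -stashed -label "$LABEL" \
        -dn "$DN" -size 2048 -sig_alg SHA256WithRSA -file "$dir/$QM.csr"
    # Once the CA returns the signed certificate (and its chain has been added with
    # "runmqakm -cert -add"), receive it into the same keystore with:
    #   runmqakm -cert -receive -db "$dir/key.kdb" -stashed -file "$dir/$QM.crt"
    echo "$dir/$QM.csr"
}

# Path 2: PEM key + CSR with openssl, for containers where the private key must be PEM.
make_csr_openssl() {
    dir=$1
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/tls.key" 2>/dev/null
    openssl req -new -key "$dir/tls.key" -subj "/CN=$QM/OU=MQ/O=Example Corp/C=US" \
        -out "$dir/$QM.csr" 2>/dev/null
    echo "$dir/$QM.csr"
}

# Only needed if the key was created with runmqakm but a PEM key is required: export
# key+certificate to PKCS#12 with runmqakm, then let openssl unwrap the private key.
cms_key_to_pem() {
    dir=$1
    p12pw=$(runmqakm -random -create -length 20 -strong)
    runmqakm -cert -export -db "$dir/key.kdb" -stashed -label "$LABEL" \
        -target "$dir/key.p12" -target_type pkcs12 -target_pw "$p12pw"
    openssl pkcs12 -in "$dir/key.p12" -passin "pass:$p12pw" -nocerts -nodes -out "$dir/tls.key"
}

# Checks worth running before sending the CSR to the CA.
csr_verify()  { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }   # self-signature OK?
csr_subject() { openssl req -in "$1" -noout -subject; }                  # DN the CA will see

# Wrap the PEM key and the signed certificate as an Opaque Secret manifest. Item names
# and how the QueueManager resource references them are assumptions to be checked
# against the MQ Operator documentation for the version in use.
k8s_secret_manifest() {
    key=$1; crt=$2; name=$3
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    printf '  tls.key: %s\n' "$(base64 < "$key" | tr -d '\n')"
    printf '  tls.crt: %s\n' "$(base64 < "$crt" | tr -d '\n')"
}

# Usage: sh mkcsr.sh openssl /some/dir   |   sh mkcsr.sh runmqakm /var/mqm/qmgrs/QM1/ssl
case "${1:-}" in
    openssl)  make_csr_openssl "$2" ;;
    runmqakm) make_keystore_runmqakm "$2" ;;
esac
```

Whichever path is used, only the .csr file leaves the machine; the .kdb/.sth pair (or tls.key) stays where it was generated with mode 600, and the Secret manifest is produced only once the CA has returned the certificate.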



  • 4.  RE: Creating CSR for MQ using IKeyman utility

    IBM Champion
    Posted Wed May 05, 2021 07:36 AM
    Thanks, Neil and Rab, for the info. @Neil Casey, I especially appreciate the thorough explanation and things to consider. Very helpful. Our MQ server is a cloud deployment, so I'll need to store the secret somewhere and inject it at deployment. We do this with other secrets, so this can hopefully be handled in the same manner.

    I'll post any additional comments or questions I have in this thread as I work through the steps.

    Regards,
    Jim

    ------------------------------
    Jim Creasman
    ------------------------------