This, for sure, is a hack :)
As far as I know there is no way to change the password of the internal keystore, which is why you have to do the export, replace, import. We have done this a few times and I don't remember the password changing each time I did a backup, it was just unique for each QMGR.
If that `runmqakm` command will change the password & stash, then yeah, I think it would be a replacement for the gsk8capicmd command.
------------------------------
Devin
IBM Champion - Cloud 2019
------------------------------
Original Message:
Sent: Tue November 01, 2022 05:58 PM
From: Rob Simons
Subject: Can you import an existing MQ Keyring into the MQ Appliance?
This is more of a "hack" way to do it. From my experience/testing you cannot just take a foreign keystore and use it as a keystore for an Appliance QM. How IBM stores the keystore password prohibits any form of centralized keystore management.
But why are you doing a convert of the keystore when all you are doing is just changing the password?
This command should suffice: runmqakm -keydb -changepw -db key.kdb -stashed -new_pw <new password>
The real question is how can I set the stashed password stored on the appliance. It would be nice if there was a command to set the stashed password and not have IBM change it each time I do a backup.
------------------------------
Rob Simons
Original Message:
Sent: Sun November 10, 2019 09:27 AM
From: Devin Richards
Subject: Can you import an existing MQ Keyring into the MQ Appliance?
Yes, you can! Here are the steps that I followed to import an existing Keyring when we could not wait the 2+ weeks to get the third party to sign, import and trust (for mTLS) as part of our migration to the appliance.
- The first step is to create the QMGR on the appliance as you normally would, taking into consideration the file size, and all the other attributes of the crtmqm command.
crtmqm MY_QMGR
- The next step is to have the appliance create a self-signed certificate; I am not sure it matters but I used the same distinguished name that was in the existing keyring. Always remember the label has to match the QMGR name.
createcert -m MY_QMGR -dn "CN=MY_QMGR,O=myco,C=US" -label ibmwebspheremqmy_qmgr
- Now we back up this keyring. The contents of this file are not all that important, however the password that is shown on the screen is. Make sure to note it for use later.
keybackup -m MY_QMGR
- On a server where you have the existing keyring and the gskit commands you run the following command to "convert" the keyring from the old stashed password to the new password that was generated by the keybackup command. The output files are named new_key.* so that they can be renamed in the next step.
gsk8capicmd -keydb -convert -db key.kdb -stashed -type cms -new_db new_key.kdb -new_format cms -new_pw "password"
- make sure you use the password from the keybackup command
- rename all of the new_key.* files to key.*
mv new_key.kdb key.kdb
mv new_key.rdb key.rdb
mv new_key.crl key.crl
- Package up these three new files into a TAR file and GZip it
tar -zcvf my_qmgr_key.tar.gz key.*
- Upload this new TAR file to the MQ appliance into the mqbackup:/// folder
- Then to import the keyring into your QMGR run this restore command
keyrestore -m MY_QMGR -file my_qmgr_key.tar.gz -password password
- make sure to use the password from the keybackup command
- restart the QMGR
- Profit!
------------------------------
Devin
IBM Champion - Cloud 2019
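The off-appliance half of the steps above (convert, check the label, rename, package), written up as an added example and not a script from the thread or from IBM. It assumes gsk8capicmd is on PATH and that key.kdb, key.rdb, key.crl and the stash file sit in the working directory; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: wraps the steps run on the server that holds the existing keyring.
# Assumes gsk8capicmd on PATH and key.kdb/.rdb/.crl plus key.sth in the current directory.
set -eu

# The appliance expects the label ibmwebspheremq<qmgr name in lowercase>.
expected_label() {   # expected_label <qmgr>
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Re-key the stashed keystore to the password printed by 'keybackup' on the appliance.
convert_keystore() { # convert_keystore <keybackup password>
    gsk8capicmd -keydb -convert -db key.kdb -stashed -type cms \
        -new_db new_key.kdb -new_format cms -new_pw "$1"
}

# Verify the converted keystore opens with the new password and carries the expected label
# before anything is uploaded; a wrong label is the most common reason keyrestore "works"
# but the channel still fails to start.
check_label() {      # check_label <qmgr> <keybackup password>
    gsk8capicmd -cert -list -db new_key.kdb -pw "$2" | grep -Fq -- "$(expected_label "$1")"
}

# Rename new_key.* to key.* and bundle exactly the three files the appliance needs.
# Prints the archive path; fails if any of the three converted files is missing.
package_keystore() { # package_keystore <qmgr> <dir>
    dir=$2
    for ext in kdb rdb crl; do
        [ -f "$dir/new_key.$ext" ] || { echo "missing $dir/new_key.$ext" >&2; return 1; }
        mv "$dir/new_key.$ext" "$dir/key.$ext"
    done
    archive="$dir/$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')_key.tar.gz"
    (cd "$dir" && tar -zcf "$(basename "$archive")" key.kdb key.rdb key.crl)
    echo "$archive"
}

# Full run, only when gskit tooling is present:
#   MIGRATE=1 sh migrate_keyring.sh MY_QMGR '<password printed by keybackup>'
if [ "${MIGRATE:-0}" = 1 ]; then
    convert_keystore "$2"
    check_label "$1" "$2"
    package_keystore "$1" "$PWD"
fi
```

The resulting archive is what gets uploaded to mqbackup:/// and passed to keyrestore together with the same keybackup password.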
Original Message:
Sent: Sun November 10, 2019 09:24 AM
From: Devin Richards
Subject: Can you import an existing MQ Keyring into the MQ Appliance?
When looking at the InfoCenter article Moving queue managers secured by using TLS it has steps to create a self-signed certificate and just states that if you are using a certificate signed by a CA you require extra steps.
I found the createcertrequest and receivecert commands to create the CSR and import the certificate, but nothing about migrating or importing an existing keyring.
The only reference to SSLKEYR I found was in the Handling incompatible features in the queue manager section where it tells you not to overwrite the attribute.
------------------------------
Devin
IBM Champion - Cloud 2019
------------------------------