  • 1.  Can you import an existing MQ Keyring into the MQ Appliance?

    Posted Sun November 10, 2019 09:25 AM

    When looking at the InfoCenter article Moving queue managers secured by using TLS, it has steps to create a self-signed certificate and just states that if you are using a certificate signed by a CA you require extra steps.

     

    I found the createcertrequest and receivecert commands to create the CSR and import the certificate, but nothing about migrating or importing an existing keyring.

     

    The only reference to SSLKEYR I found was in the Handling incompatible features in the queue manager section, where it tells you not to overwrite the attribute.



    ------------------------------
    Devin
    IBM Champion - Cloud 2019
    ------------------------------


  • 2.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    Posted Sun November 10, 2019 09:27 AM

     Yes, you can! Here are the steps that I followed to import an existing Keyring when we could not wait the 2+ weeks to get the third party to sign, import and trust (for mTLS) as part of our migration to the appliance.

     

    1. The first step is to create the QMGR on the appliance as you normally would, taking into consideration the file size and all the other attributes of the crtmqm command.
      1. crtmqm MY_QMGR
    2. The next step is to have the appliance create a self-signed certificate; I am not sure it matters, but I used the same distinguished name that was in the existing keyring. Always remember the label has to match the QMGR name.
      1. createcert -m MY_QMGR -dn "CN=MY_QMGR,O=myco,C=US" -label ibmwebspheremqmy_qmgr
    3. Now we back up this keyring. The contents of this file are not all that important; however, the password that is shown on the screen is. Make sure to note it for use later.
      1. keybackup -m MY_QMGR
    4. On a server where you have the existing keyring and the gskit commands, run the following command to "convert" the keyring from the old stashed password to the new password that was generated by the keybackup command.
      1. gsk8capicmd -keydb -convert -db key.kdb -stashed -type cms -new_db new_key.kdb -new_format cms -new_pw "password"
      2. Make sure you use the password from the keybackup command.
    5. Rename all of the new_key.* files to key.*
      1. mv new_key.kdb key.kdb
      2. mv new_key.rdb key.rdb
      3. mv new_key.crl key.crl
    6. Package up these three new files into a TAR file and GZip it.
      1. tar -zcvf my_qmgr_key.tar.gz key.*
    7. Upload this new TAR file to the MQ appliance into the mqbackup:/// folder.
    8. Then, to import the keyring into your QMGR, run this restore command.
      1. keyrestore -m MY_QMGR -file my_qmgr_key.tar.gz -password password
      2. Make sure to use the password from the keybackup command.
    9. Restart the QMGR.
    10. Profit!


    ------------------------------
    Devin
    IBM Champion - Cloud 2019
    ------------------------------
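The server-side part of the procedure above (steps 4 to 6) as a single shell function. This is an added example, not the poster's script; it assumes GSKit's gsk8capicmd is on PATH (GSKCMD overrides it, for instance with a stub when testing), that the keyring is key.kdb with its stash file beside it, and that the password printed by the appliance's keybackup is passed as the first argument. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): automates steps 4 to 6 on the
# server that holds the existing keyring. GSKCMD, prepare_keyring and the
# positional arguments are this example's own conventions.
set -eu

GSKCMD="${GSKCMD:-gsk8capicmd}"

# Usage: prepare_keyring <keybackup-password> <qmgr-name> [dir]
# Re-keys the CMS keyring to the keybackup password, renames the converted
# files as in step 5, packages only key.kdb/key.rdb/key.crl (not the old
# key.sth, whose stash still holds the previous password) and prints the
# archive path to upload to mqbackup:///.
prepare_keyring() {
    pw="$1"; qmgr="$2"; dir="${3:-.}"
    [ -n "$pw" ] || { echo "keybackup password is required" >&2; return 1; }
    [ -f "$dir/key.kdb" ] || { echo "$dir/key.kdb not found" >&2; return 1; }
    # The post names the archive after the lower-cased queue manager name.
    out="$(printf '%s' "$qmgr" | tr 'A-Z' 'a-z')_key.tar.gz"
    (
        cd "$dir"
        mkdir -p orig && cp -p key.* orig/        # keep originals for a retry
        # Step 4: convert from the stashed password to the keybackup password.
        "$GSKCMD" -keydb -convert -db key.kdb -stashed -type cms \
            -new_db new_key.kdb -new_format cms -new_pw "$pw"
        files=""
        for ext in kdb rdb crl; do                # step 5: new_key.* -> key.*
            if [ -f "new_key.$ext" ]; then mv -f "new_key.$ext" "key.$ext"; fi
            if [ -f "key.$ext" ]; then files="$files key.$ext"; fi
        done
        # Step 6: archive for upload ($files is word-split on purpose).
        tar -czf "$out" $files
        printf '%s\n' "$dir/$out"
    )
}
```

The password is never echoed; the keyrestore step on the appliance still needs it typed in by hand or by your automation.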



  • 3.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    Posted Wed November 02, 2022 09:05 AM
    Edited by Stephanie Wilkerson Thu November 03, 2022 03:54 PM

    This is more of a "hack" way to do it. From my experience/testing you cannot just take a foreign keystore and use it as a keystore for an Appliance QM. How IBM stores the keystore password prohibits any form of centralized keystore management.

    But why are you doing a convert of the keystore when all you are doing is just changing the password?

    This command should suffice:  runmqakm -keydb -changepw -db key.kdb -stashed -new_pw <new password>

    The real question is how can I set the stashed password stored on the appliance. It would be nice if there was a command to set the stashed password and not have IBM change it each time I do a backup.



    ------------------------------
    Rob Simons
    ------------------------------



  • 4.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    Posted Wed November 02, 2022 03:51 PM
    This, for sure, is a hack :)

    As far as I know there is no way to change the password of the internal keystore, which is why you have to do the export, replace, import. We have done this a few times and I don't remember the password changing each time I did a backup, it was just unique for each QMGR.

    If that `runmqakm` command will change the password & stash, then yeah, I think it would be a replacement for the gsk8capicmd command.



    ------------------------------
    Devin
    IBM Champion - Cloud 2019
    ------------------------------



  • 5.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    IBM Champion
    Posted Thu November 03, 2022 08:16 AM
    If memory serves me well, the system will also ask you for a password when you do the import. So if you export, unzip and change the password to what you like, you can then generate a password before the import, change it again, zip and import... This means you can manipulate the keystore outside of the appliance...

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 6.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    Posted Mon November 14, 2022 11:56 AM

    The keybackup generates a new password each time it's run, and the keyrestore command only works with the password generated by the keybackup command.

     

    I've got my remote management process working using ansible.

     

    Here are the basic steps:

    1. Retrieve keystore from my keystore repo
    2. Using rest(filestore), delete the current keybackup file
    3. Using expect, logon to the appliance, issue: 'keybackup -m {{ qmgr }} -force'. This step is done as many times as necessary to generate a password that can be used by the expect script for the keyrestore. You have to exclude any characters that the expect script will interpret as command characters, like all types of quotes, less than and greater than signs, etc. This is my regex of allowed characters: regex("^[\-\.&%=,?@{}()^a-zA-Z0-9]+$"). There are probably more that could be added, but I stopped at this list.
    4. Get the generated password
    5. Change password on my repo keystore to the pw from step 3: 'runmqakm -keydb -changepw -db key.kdb -stashed -new_pw "{{ from step #3 }}" -stash'
    6. Compress the keystore
    7. Convert compressed keystore file to base 64
    8. Using rest(filestore), Upload compressed keystore file to the  mqbackup folder
    9. Using expect, logon to the appliance, issue 'keyrestore -m {{ qmgr }} -f {{ qmgr }}_keyrepos.tar.gz -password \"{{ from step #3 }}\" '
    10. Using rest(admin/mqsc), refresh ssl for the QM

     

    That's it.

     

    I wish IBM created the keybackup command to allow the user to enter the password.
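The retry loop from step 3 above, as an added example written in plain shell rather than the poster's Ansible/expect code. It re-runs keybackup until the appliance prints a password that only contains the poster's allowed characters, so the password can later be interpolated into the expect script for keyrestore without being mangled. It assumes KEYBACKUP_CMD names a wrapper (for instance an expect script) that runs 'keybackup -m <qmgr> -force' on the appliance and prints the generated password on its last line; that wrapper, its output format and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the poster's Ansible code): the step-3 loop as a shell
# function that can be tested off-appliance with a stub KEYBACKUP_CMD.
set -eu

# Same character class as the regex in step 3, written for grep -E: inside a
# POSIX bracket expression a leading '-' and the '.' and '^' are literal, so
# the backslash escapes from the Ansible version are not needed.
SAFE_PW_RE='^[-.&%=,?@{}()^a-zA-Z0-9]+$'

# Returns 0 when the password can be passed through the expect script safely
# (no quotes, angle brackets, $, [, ], backslash, spaces, and so on).
expect_safe_password() {
    printf '%s\n' "$1" | grep -Eq "$SAFE_PW_RE"
}

# Usage: fresh_safe_password <qmgr> [max_attempts]
# Each run of the wrapper replaces the previous backup and its password (that
# is what -force does), so only the last password printed is valid. Gives up
# after max_attempts so an unattended job never loops forever.
fresh_safe_password() {
    qmgr="$1"; max="${2:-20}"; n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        pw=$($KEYBACKUP_CMD "$qmgr" | tail -n 1)
        if expect_safe_password "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
        echo "attempt $n: password has expect-unsafe characters, retrying" >&2
    done
    echo "no expect-safe password after $max keybackup runs" >&2
    return 1
}
```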


  • 7.  RE: Can you import an existing MQ Keyring into the MQ Appliance?

    IBM Champion
    Posted Thu December 01, 2022 11:18 AM
    Rob, how did you get expect and ansible to go through? Code snippet you can share?

    ------------------------------
    om prakash
    ------------------------------