Prerequisites for adding IBM MQ monitor via SSL

To add the IBM MQ monitor via SSL, follow the steps below for the authentication type in use:

SSL Authentication is optional (One-way SSL)

If SSL Authentication is optional (One-way SSL), you need to load the MQ server's CA certificate to Applications Manager. Below are the steps to do so:
  1. Using IBM Key Manager Tool or runmqckm commands, load the MQ Server CA certificate to Applications Manager Truststore.
  2. Under IBM Key Manager Tool, open the IBM MQ Keystore.
  3. Under Personal certificates, select the certificate and click on Extract Certificate.
  4. Select Binary DER format and click on OK.
  5. If using commands, execute the following command:
runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii

The certificate will now be created at the location specified.
  6. Now add the certificate to Applications Manager by navigating to Admin -> Manage Certificates -> Trust Certificates in the Applications Manager console.
  7. Select the Certificate option and choose apm.keystore as the truststore. Then select the certificate by clicking on the Choose files button and click Import.

SSL Authentication is required (Two-way SSL)

If SSL Authentication is required (Two-way SSL), you need to load the MQ server's Certificate Keystore to Applications Manager. Below are the steps to do so:
  • Using IBM Key Manager Tool or runmqckm commands, load the MQ Server certificate keystore to Applications Manager Truststore.
  • Under IBM Key Manager Tool, open the IBM MQ Keystore.
  • Under Personal certificates, select the certificate and click on Export/Import.
  • Select Export key and select Key file type as JKS. Click OK.
  • If using commands, execute the following command:
runmqckm -cert -export -db dbname -pw password -label label -type cms -target filename -target_pw password -target_type jks

The certificate keystore will now be created at the location specified.
  • Now add the keystore to Applications Manager by navigating to Admin -> Manage Certificates -> Trust Certificates in the Applications Manager console.
  • Select the Keystore/Truststore option and choose apm.keystore as the truststore. Then select the JKS keystore by clicking on the Choose file button, provide the password and click on Fetch certificate.
  • The certificates will be listed. Select the certificate and click on Import Certificate.
Finally, specify the CipherSpec used by the channel in the SSL Cipher Spec field on the Add Monitor page of the IBM WebSphere MQ monitor.
Note: An elliptic curve certificate cannot be used with RSA ciphers, and vice versa.
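
An added pre-import check, not part of the original article or of Applications Manager: it classifies the file produced by the key tool so that a one-way setup imports only a public certificate and a two-way setup imports a JKS keystore, and it flags an RSA/EC mismatch with the channel CipherSpec. The function names, the OID byte search and the sample bytes are assumptions made for this example.

```python
import base64
import re
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # DER OID rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")       # DER OID id-ecPublicKey
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def classify(data):
    """Say what kind of file the key tool produced, judging by its content."""
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "jks-keystore"            # JKS magic number
    if b"PRIVATE KEY-----" in data:
        return "pem-private-key"
    if PEM_CERT.search(data):
        return "pem-certificate"
    if len(data) < 6 or data[0] != 0x30:
        return "unknown"                 # not a DER SEQUENCE
    body = data[2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0):]
    if body[:3] == b"\x02\x01\x03":
        return "pkcs12-keystore"         # PFX begins with INTEGER version 3
    return "der-certificate" if body[:1] == b"\x30" else "unknown"

def key_algorithm(data):
    """Heuristic: find the public-key OID instead of fully parsing X.509."""
    m = PEM_CERT.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    return "EC" if OID_EC in der else "RSA" if OID_RSA in der else None

def required_key(cipherspec):
    """Key type implied by the CipherSpec name; None when the name does not say."""
    return "EC" if "ECDSA" in cipherspec else "RSA" if "RSA" in cipherspec else None

def preflight(data, mode, cipherspec):
    """Return a list of problems; an empty list means the file suits the mode."""
    problems, kind = [], classify(data)
    if mode == "one-way" and kind not in ("pem-certificate", "der-certificate"):
        problems.append(f"one-way needs a public certificate only, got {kind}")
    if mode == "two-way" and kind != "jks-keystore":
        problems.append(f"two-way import expects a JKS keystore, got {kind}")
    need, have = required_key(cipherspec), key_algorithm(data)
    if need and have and need != have:
        problems.append(f"{cipherspec} needs an {need} certificate, file holds {have}")
    return problems

# Constructed sample bytes (not real certificates), just enough to classify.
FAKE_RSA_DER = b"\x30\x82\x00\x14\x30\x0f\x30\x0d" + OID_RSA + b"\x05\x00"
FAKE_JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + FAKE_RSA_DER
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_RSA_DER) + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(preflight(FAKE_JKS, "one-way", "ECDHE_RSA_AES_128_GCM_SHA256"))
```

Pass it the bytes of the file written by the key tool before uploading that file under Manage Certificates.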

