Securing Queue Manager for Client Connection: Part 1 – Using SSL

Queue Manager provides various security mechanisms – Authorization using the OAM (Object Authority Manager), Connection Authentication (CONNAUTH, introduced in MQ v8), Channel Authentication Records (CHLAUTH, introduced in MQ v7.1) and SSL/TLS.

I am writing a series of blog posts on securing a queue manager for client connections by combining all these security mechanisms – SSL, CHLAUTH, CONNAUTH and OAM.

In this first part of the series, we will focus on securing QM client connections using SSL. Instead of using self-signed certificates for the demonstration, we will use OpenSSL to set up an internal Root CA and Intermediate CA and use them to sign the certificates for the QM and the clients. This demonstrates working with CA-signed certificates, as in real-world environments.

To recreate these steps, the prerequisite software is

  • OpenSSL, to set up the internal Root CA and Intermediate CA and to sign the certificate requests
  • MQ v8 or later installed on the server (Linux machine)
  • MQ Explorer installed on the client machine (to install only MQ Explorer, use SupportPac MS0T)

1. Setting up Internal Root and Intermediate CA’s using OpenSSL

Reference: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

To install OpenSSL on RHEL / CentOS:

yum install openssl
Note: This is typically installed on CentOS by default.

Creating Internal Root CA

  • Create the required directories for storing all keys and certificates. Note: The index.txt and serial files act as a flat file database to keep track of signed certificates.
# mkdir /ssl
# mkdir /ssl/ca
# cd /ssl/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
  • Download the configuration file for the Root CA (RootCAConfig.odt) referenced in the appendix and copy it to /ssl/ca/openssl.cnf
  • Create the private key for the Root CA using the command provided below. When prompted, provide a pass phrase to protect the private key; it is required whenever this key is used to sign certificates.
# cd /ssl/ca
# openssl genrsa -aes256 -out private/ca.key.pem 4096
# chmod 400 private/ca.key.pem
  • Create the Root CA certificate using the private key we have just created. Enter the pass phrase for the Root CA's private key when prompted, and then provide the requested information for the certificate at the prompts.
# cd /ssl/ca
# openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 \
    -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

  • Verify the Root CA certificate that we had just created
    # openssl x509 -noout -text -in certs/ca.cert.pem

Creating Internal Intermediate CA

  • Create the required directories for storing all keys and certificates, plus the index, serial and crlnumber files that form the Intermediate CA's database.
# cd /ssl/ca
# mkdir intermediate
# cd intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
# echo 1000 > /ssl/ca/intermediate/crlnumber
  • Download the configuration file for the Intermediate CA (IntermediateCAConfig.odt) referenced in the appendix and copy it to /ssl/ca/intermediate/openssl.cnf
  • Create the private key for the Intermediate CA using the command provided below. When prompted, provide a pass phrase to protect the private key; it is required whenever this key is used to sign certificates.
# cd /ssl/ca
# openssl genrsa -aes256 \
  -out intermediate/private/intermediate.key.pem 4096
# chmod 400 intermediate/private/intermediate.key.pem
  • Create the Intermediate CA’s certificate signing request (CSR). And then provide the requested information for the certificates at the prompts appropriately.
# cd /ssl/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

  • Sign the Intermediate CA's CSR with the Root CA's private key to create the Intermediate CA certificate. Enter the Root CA's pass phrase when prompted and confirm the signing when asked.
# cd /ssl/ca
# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem

  • Verify the Intermediate CA certificate and check that it chains to the Root CA.
# cd /ssl/ca
# openssl x509 -noout -text \
    -in intermediate/certs/intermediate.cert.pem
# openssl verify -CAfile certs/ca.cert.pem \
    intermediate/certs/intermediate.cert.pem
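As an added example (it is not part of the original post and not the author's appendix files), here is the whole of section 1 as one POSIX shell script. The openssl.cnf it writes is a minimal stand-in for RootCAConfig / IntermediateCAConfig, carrying only the [ca] database settings and the v3_ca and v3_intermediate_ca extension sections the commands above rely on. The CA names, the demo pass phrases taken from ROOT_PASS / INT_PASS, the KEY_BITS variable and the MQCA_DIR entry point are assumptions of the example.

```shell
#!/bin/sh
# Added example: section 1 (internal Root CA + Intermediate CA) as one script.
# The openssl.cnf written below is a minimal stand-in for the appendix files
# RootCAConfig / IntermediateCAConfig, not the author's own configuration.
# Demo-only assumptions: pass phrases from ROOT_PASS / INT_PASS, key size KEY_BITS.
set -eu

ROOT_PASS="${ROOT_PASS:-root-demo-passphrase}"
INT_PASS="${INT_PASS:-intermediate-demo-passphrase}"

# init_ca_dir DIR: directory layout, flat-file database (index.txt), serial and crlnumber
init_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/csr" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
}

# write_ca_config DIR KEYFILE CERTFILE: DIR/openssl.cnf for `openssl req` and `openssl ca`.
# Note that `openssl ca` rebuilds the subject from the policy section, in the policy's order.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $1
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
private_key    = \$dir/private/$2
certificate    = \$dir/certs/$3
default_md     = sha256
policy         = policy_loose
unique_subject = no
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# make_ca_hierarchy BASEDIR: Root CA in BASEDIR, Intermediate CA in BASEDIR/intermediate
make_ca_hierarchy() {
    base=$1
    int=$1/intermediate
    bits=${KEY_BITS:-4096}
    init_ca_dir "$base"
    init_ca_dir "$int"
    write_ca_config "$base" ca.key.pem ca.cert.pem
    write_ca_config "$int" intermediate.key.pem intermediate.cert.pem

    # Root CA: AES-256 encrypted key, self-signed certificate with v3_ca extensions
    openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out "$base/private/ca.key.pem" "$bits"
    chmod 400 "$base/private/ca.key.pem"
    openssl req -config "$base/openssl.cnf" -key "$base/private/ca.key.pem" \
        -passin "pass:$ROOT_PASS" -new -x509 -days 7300 -sha256 -extensions v3_ca \
        -subj "/C=IN/O=NA/OU=Training/CN=Nebula Root CA" -out "$base/certs/ca.cert.pem"

    # Intermediate CA: CSR signed by the root; pathlen:0 stops it from issuing sub-CAs
    openssl genrsa -aes256 -passout "pass:$INT_PASS" \
        -out "$int/private/intermediate.key.pem" "$bits"
    chmod 400 "$int/private/intermediate.key.pem"
    openssl req -config "$int/openssl.cnf" -new -sha256 \
        -key "$int/private/intermediate.key.pem" -passin "pass:$INT_PASS" \
        -subj "/C=IN/O=NA/OU=Training/CN=Nebula Intermediate CA" \
        -out "$int/csr/intermediate.csr.pem"
    openssl ca -batch -config "$base/openssl.cnf" -passin "pass:$ROOT_PASS" \
        -extensions v3_intermediate_ca -days 3650 -notext -md sha256 \
        -in "$int/csr/intermediate.csr.pem" -out "$int/certs/intermediate.cert.pem"

    # Chain file, leaf side first: what a peer that only trusts the root needs in
    # order to validate certificates issued by the intermediate
    cat "$int/certs/intermediate.cert.pem" "$base/certs/ca.cert.pem" \
        > "$int/certs/ca-chain.cert.pem"
}

# verify_chain BASEDIR: exit 0 only if the intermediate certificate chains to the root
verify_chain() {
    openssl verify -CAfile "$1/certs/ca.cert.pem" \
        "$1/intermediate/certs/intermediate.cert.pem" >/dev/null
}

# Usage:  MQCA_DIR=/ssl/ca sh make_ca.sh   (builds the hierarchy, then verifies it)
if [ -n "${MQCA_DIR:-}" ]; then
    make_ca_hierarchy "$MQCA_DIR"
    verify_chain "$MQCA_DIR" && echo "intermediate chains to root: OK"
fi
```

Two things worth knowing before the CSRs from runmqckm are signed with this config: `openssl ca` emits the subject in the order of the policy section (C, O, OU, CN here), not the order in the CSR, unless you pass -preserveDN, and that order is what shows up in DISPLAY CHS and in any SSLPEER or CHLAUTH filter written against the DN; and the intermediate is deliberately given pathlen:0, so a compromised or mis-issued certificate below it can never act as a further CA.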

Now that we have set up the internal Root and Intermediate CAs, we can start working with the queue manager.

2. Generating SSL Certificate for QM – SECUREQM

Pre-requisites: MQ v8 server or later is installed on the Linux machine, and the user account mqadmin (a member of the mqm group) is set up with home directory /home/mqadmin.

  • Setting up the directory for storing the keys
# cd /home/mqadmin
# mkdir ssl
# mkdir ssl/secureqm
  • Create a CMS key database for the Queue Manager SECUREQM using the following command. The -stash option stores the password in key.sth so that the queue manager can open the key database without prompting; protect that file like the private key.
# runmqckm -keydb -create -db /home/mqadmin/ssl/secureqm/key.kdb \
   -pw admin -type cms -stash
  • The queue manager and the channel processes require read access to the key database and its related files. Hence, set the permissions on the files *.kdb, *.sth, *.crl and *.rdb to read and write for the file owner and to read for the mqm (or client user) group (-rw-r-----)
# cd /home/mqadmin/ssl/secureqm
# chmod 640 key.kdb key.rdb key.crl key.sth
  • Create Certificate Signing Request (CSR) for the SECUREQM using the following command
# runmqckm -certreq -create -db /home/mqadmin/ssl/secureqm/key.kdb \
  -pw admin -label secureqm -dn "CN=secureqm,O=NA,OU=Training,C=IN" \
  -size 2048 -sig_alg SHA256_WITH_RSA \
  -file /home/mqadmin/ssl/secureqm/secureqm.arm
  • Sign the queue manager's CSR with the Intermediate CA's private key to create the SECUREQM certificate, as shown below. Run this from /ssl/ca so that the relative config path resolves, and enter the Intermediate CA's pass phrase when prompted.
# cd /ssl/ca
# openssl ca -config intermediate/openssl.cnf \
    -extensions server_cert -days 375 -notext -md sha256 \
    -in /home/mqadmin/ssl/secureqm/secureqm.arm \
    -out intermediate/certs/secureqm.arm
We need to add the Root CA and Intermediate CA certificates to the queue manager's key database before receiving the signed certificate, so that the chain of trust from the queue manager's certificate up to the root can be validated at receive time.

  • Convert the Intermediate CA's certificate from PEM to DER format using the following command
# openssl x509 -outform der -in /ssl/ca/intermediate/certs/intermediate.cert.pem \
    -out /ssl/ca/intermediate/certs/intermediate.cert.der
  • Convert the Root CA's certificate from PEM to DER format using the following command
# openssl x509 -outform der -in /ssl/ca/certs/ca.cert.pem \
    -out /ssl/ca/certs/ca.cert.der
  • Add the Intermediate and Root CA certificates to the queue manager's key database using the following commands. The files are DER-encoded, so they are added with -format binary (-format ascii is for PEM files, such as the .arm certificate received below)
# runmqckm -cert -add -db /home/mqadmin/ssl/secureqm/key.kdb \
   -pw admin -label nebula-intermediate \
   -file /ssl/ca/intermediate/certs/intermediate.cert.der \
   -format binary
# runmqckm -cert -add -db /home/mqadmin/ssl/secureqm/key.kdb \
   -pw admin -label nebula-root -file /ssl/ca/certs/ca.cert.der \
   -format binary
  • Receive the CA-signed certificate into the queue manager's key database using the following command; it is matched to the pending request by its public key and stored under the label secureqm used when the CSR was created
# runmqckm -cert -receive \
   -file /ssl/ca/intermediate/certs/secureqm.arm \
   -db /home/mqadmin/ssl/secureqm/key.kdb -pw admin -format ascii

3. Generating SSL Certificate for the client (MQ Explorer)

  • Setting up the directory for storing the keys (the ssl directory already exists from section 2)
# cd /home/mqadmin
# mkdir ssl/mqexplorer
  • Create a key store for the MQ Explorer client using the following command. MQ Explorer is a Java client, so its key and trust stores are JKS files rather than CMS key databases, and the -stash option (CMS only) does not apply
# runmqckm -keydb -create \
   -db /home/mqadmin/ssl/mqexplorer/mqex_key.jks \
   -pw admin -type jks
  • Create Certificate Signing Request (CSR) for the mq explorer client using the following command
# runmqckm -certreq -create \
    -db /home/mqadmin/ssl/mqexplorer/mqex_key.jks \
    -pw admin -type jks -label mqexClient \
    -dn "CN=nebula-mqexplorer,O=NA,OU=Training,C=IN" -size 2048 \
    -sig_alg SHA256_WITH_RSA \
    -file /home/mqadmin/ssl/mqexplorer/mqexClient_csr.arm
  • Sign the MQ Explorer's CSR with the Intermediate CA's private key to generate the client certificate
# cd /ssl/ca
# openssl ca -config intermediate/openssl.cnf \
   -extensions usr_cert -days 375 -notext -md sha256 \
   -in /home/mqadmin/ssl/mqexplorer/mqexClient_csr.arm \
   -out intermediate/certs/mqexClient_cert.arm
  • Add the Intermediate and Root CA certificates (the DER files created in section 2) to the MQ Explorer's key store, so that both the received client certificate and the queue manager's certificate presented during the handshake can be validated against the chain
# runmqckm -cert -add -db /home/mqadmin/ssl/mqexplorer/mqex_key.jks \
   -pw admin -type jks -label nebula-intermediate \
   -file /ssl/ca/intermediate/certs/intermediate.cert.der -format binary
# runmqckm -cert -add -db /home/mqadmin/ssl/mqexplorer/mqex_key.jks \
   -pw admin -type jks -label nebula-root -file /ssl/ca/certs/ca.cert.der \
   -format binary
  • Receive the Intermediate CA signed certificate into the MQ Explorer's key store using the following command
# runmqckm -cert -receive \
   -file /ssl/ca/intermediate/certs/mqexClient_cert.arm \
   -db /home/mqadmin/ssl/mqexplorer/mqex_key.jks -pw admin \
   -type jks -format ascii
  • Copy the mqexplorer directory under /home/mqadmin/ssl/ to the client machine with scp or sftp. The key store holds the client's private key, so use an encrypted transfer rather than plain FTP.
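As an added example covering sections 2 and 3 together (it is not code from the original post), this script issues a queue manager certificate and an MQ Explorer client certificate from CSRs and then runs the checks a practitioner wants before the certificates go into the key databases: the chain verifies, the leaf is not a CA, the key usage allows the RSA key transport that the TLS_RSA_* CipherSpecs need, and the subject DN is in the form the queue manager will later show. A throwaway self-signed CA created with one `openssl req` call and `openssl x509 -req` stand in for the section 1 intermediate CA and `openssl ca`, so the script runs on its own; the profile names, file names, unencrypted demo keys and the MQCERT_DIR entry point are assumptions of the example.

```shell
#!/bin/sh
# Added example: issue and check the queue manager / MQ Explorer certificates.
# A self-signed demo CA and `openssl x509 -req` stand in for the intermediate CA
# and `openssl ca` of the post; keys are left unencrypted for the demo only.
set -eu

# write_req_config FILE: minimal config so `openssl req` works without /etc/ssl/openssl.cnf
write_req_config() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' > "$1"
}

# make_demo_ca DIR: stand-in for the Intermediate CA (pathlen:0, may only issue leaves)
make_demo_ca() {
    write_req_config "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=IN/O=NA/OU=Training/CN=Nebula Intermediate CA" \
        -addext "basicConstraints=critical,CA:true,pathlen:0" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem"
}

# make_csr DIR NAME SUBJ: key + CSR, the equivalent of `runmqckm -certreq -create`.
# SUBJ is in openssl's /C=.../CN=... form; `x509 -req` keeps this order in the cert.
make_csr() {
    write_req_config "$1/req.cnf"
    openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem"
}

# sign_csr CADIR CSR OUT PROFILE: PROFILE is server (queue manager) or client (MQ Explorer).
# These are the extensions the post's server_cert / usr_cert sections need to carry:
# keyEncipherment is required by the TLS_RSA_* CipherSpecs (RSA key transport), such
# as the TLS_RSA_WITH_AES_256_CBC_SHA256 set on the channel in section 4.
sign_csr() {
    case $4 in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "sign_csr: profile must be server or client" >&2; return 1 ;;
    esac
    ext=$(mktemp)
    cat > "$ext" <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$eku
EOF
    openssl x509 -req -sha256 -days 375 -in "$2" \
        -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" -CAcreateserial \
        -extfile "$ext" -out "$3"
    rm -f "$ext"
}

# check_leaf CAFILE CERT: 0 if CERT chains to CAFILE, is not itself a CA and can do
# RSA key transport; returns 1, 2 or 3 to say which of the three checks failed
check_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    txt=$(openssl x509 -noout -text -in "$2")
    echo "$txt" | grep -q 'CA:FALSE' || return 2
    echo "$txt" | grep -q 'Key Encipherment' || return 3
}

# leaf_eku CERT: the extended key usage as text, e.g. "TLS Web Server Authentication"
leaf_eku() {
    openssl x509 -noout -ext extendedKeyUsage -in "$1" | sed -n '2s/^ *//p'
}

# peer_dn CERT: subject with the most specific RDN first (CN=...,O=...,OU=...,C=...),
# the order MQ uses when it displays a DN; SSLPEER in DISPLAY CHS output carries
# the same DN with the certificate serial number prefixed
peer_dn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# to_der PEM DER: the encoding `runmqckm -cert -add ... -format binary` expects
to_der() {
    openssl x509 -outform der -in "$1" -out "$2"
}

# Usage:  MQCERT_DIR=/tmp/mqcerts sh issue_certs.sh
if [ -n "${MQCERT_DIR:-}" ]; then
    mkdir -p "$MQCERT_DIR"
    make_demo_ca "$MQCERT_DIR"
    make_csr "$MQCERT_DIR" secureqm "/C=IN/OU=Training/O=NA/CN=secureqm"
    sign_csr "$MQCERT_DIR" "$MQCERT_DIR/secureqm.csr.pem" "$MQCERT_DIR/secureqm.cert.pem" server
    check_leaf "$MQCERT_DIR/ca.cert.pem" "$MQCERT_DIR/secureqm.cert.pem"
    echo "subject DN: $(peer_dn "$MQCERT_DIR/secureqm.cert.pem")"
fi
```

The client profile differs from the server profile only in the extendedKeyUsage (clientAuth instead of serverAuth); if the same queue manager certificate is ever reused for queue-manager-to-queue-manager channels, it needs both. check_leaf deliberately rejects the CA certificate itself, which is the mistake of loading a CA certificate under the CERTLABL label instead of a personal certificate.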

Now that all the certificates for both the queue manager and the client have been generated, let us use them for communication between the QM and MQ Explorer.

For this, we need to enable our QM for remote connection and to use the SSL key database we have created in the earlier steps.

4. Enabling Remote Connectivity for QM and to use SSL

In this part we disable the other security features of the QM, CHLAUTH and CONNAUTH (MQ 8), so that only SSL is in play. We will extend the setup to use CHLAUTH and CONNAUTH in the subsequent parts of this series.

  • Create the queue manager SECUREQM, as the mqadmin user (a member of the mqm group), using the command shown below
# crtmqm -u SYSTEM.DEAD.LETTER.QUEUE SECUREQM
  • Start the queue manager using the command shown below
# strmqm SECUREQM
  • Get into the scripting mode of the queue manager using the runmqsc command as shown below
# runmqsc SECUREQM

All the below steps are to be executed in the scripting window of the queue manager

  • Create and start the listener object to specify the port on which the queue manager is to listen for client connections.
DEFINE LISTENER(TCP.LISTENER) TRPTYPE(TCP) +
   CONTROL(QMGR) PORT(1909)
START LISTENER(TCP.LISTENER)
  • Modify the queue manager properties to point at the SSL key database created earlier (SSLKEYR is the path without the .kdb extension, and CERTLABL selects the queue manager's personal certificate by its label) and to disable CHLAUTH and CONNAUTH, as shown below. On a running queue manager the SSLKEYR/CERTLABL and CONNAUTH changes only take effect after the corresponding REFRESH SECURITY
ALTER QMGR CERTLABL('secureqm') +
    SSLKEYR('/home/mqadmin/ssl/secureqm/key') +
    CHLAUTH(DISABLED) CONNAUTH(' ')
REFRESH SECURITY TYPE(SSL)
REFRESH SECURITY TYPE(CONNAUTH)
  • Create a new Server Connection channel to be used by the clients for secure connectivity to the queue manager, as shown below. SSLCAUTH defaults to REQUIRED, so the client must present its own certificate (mutual authentication); that is why a personal certificate was generated for MQ Explorer in section 3.

Note: we have set the MCAUSER property of the channel to mqadmin, which is a privileged user account because it belongs to the mqm group. The queue manager will therefore not check access rights for any connection arriving on this channel. This is for demonstration purposes only and must not be done in a real or production environment: a privileged user account should never be set as the MCAUSER of a channel.

DEFINE CHANNEL(MQEXP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqadmin') +
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)

5. Connecting to SECUREQM from MQ Explorer

Pre-requisite: The mqexplorer directory under /home/mqadmin/ssl/ on the MQ server has been copied (scp/sftp) to the client machine where MQ Explorer is installed.

  • Launch the MQ Explorer on the client machine
  • Right click on the Queue Manager folder in MQ Explorer and select the option “Add Remote Queue Manager”

  • In the Add Queue Manager wizard, specify the QM name as SECUREQM and with the option Connect directly selected, click Next

  • Specify the connection details of the queue manager – Host Name / IP Address of MQ Server, Port Number as 1909 (port at which QM listener is created & listening) and Server-Connection channel as MQEXP.SVRCONN, and click Next

  • In the Specify security exit details wizard, without selecting the option Enable security exit, click Next
  • In the Specify user identification details wizard, without selecting the option Enable user identification, click Next
  • In the Specify SSL certificate key repository details wizard, check the option Enable SSL Key repositories. Browse and select the mqex_key.jks file for the Store name property under Trusted Certificate Store as well as Personal Certificate Store categories. Click Next

  • In the Specify SSL options wizard, check Enable SSL options, select TLS_RSA_WITH_AES_256_CBC_SHA256 as the SSL CipherSpec from the list (it must match the SSLCIPH of the channel) and click Finish

  • When prompted for the password of the key store, enter "admin" (or whatever was used when the key store was created) and click OK. The queue manager SECUREQM should be listed in MQ Explorer on successful connection

  • On the MQ server, check the status of the channel MQEXP.SVRCONN from the script window of SECUREQM using the following command, and look at the attributes SSLPEER (the DN of the client's certificate) and SSLCERTI (the DN of the certificate issuer, i.e. the Intermediate CA) in the output. This confirms which certificate the client actually authenticated with.
# runmqsc SECUREQM
    DISPLAY CHS(MQEXP.SVRCONN) ALL

6. Appendix

Hope this helps.

I will follow up this post by extending the client connectivity using SSL with CHLAUTH, and later with CONNAUTH.

For any corrections / suggestions / query please do drop a note to reachnebula@learnibmesb.com (or) reachnebula@gmail.com