docker volume create qmdata
docker pull ibmcom/mq:latest
docker run -ti --entrypoint=/bin/bash --volume qmdata:/mnt/mqm ibmcom/mq:latest
cd /mnt/mqm
mkdir -p MQServer/certs
cd MQServer/certs
Create a key database (also called the keyStore or certificate store), and add and stash the password for it.
runmqakm -keydb -create -db key.p12 -pw k3ypassw0rd -type pkcs12 -expire 1000 -stash
ls
> key.p12 key.sth
runmqakm -cert -list all -db key.p12 -stashed
> No certificates were found.
runmqakm -cert -create -db key.p12 -label ibmwebspheremqqm1 -dn "cn=qm,o=ibm,c=uk" -size 2048 -default_cert yes -stashed
runmqakm -cert -list all -db key.p12 -stashed
> Certificates found
* default, - personal, ! trusted, # secret key
- ibmwebspheremqqm1
runmqakm -cert -extract -db key.p12 -stashed -label ibmwebspheremqqm1 -target QM1.cert
ls
> QM1.cert key.p12 key.sth
exit
docker rm <container-ID>
Create a docker network that can be shared between client and server containers (if your client is also containerized)
docker network create mq-demo-network
Start up a new container, start the queue manager and let it pick up the certificate from the Docker volume. The command includes options to attach the volume, specify the network, and give the location of the keyStore together with its password.
docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --volume qmdata:/mnt/mqm --publish 1414:1414 --publish 9443:9443 \
--network mq-demo-network --network-alias qmgr --detach --env MQ_APP_PASSWORD=passw0rd --env \
MQ_TLS_KEYSTORE=/mnt/mqm/MQServer/certs/key.p12 --env MQ_TLS_PASSPHRASE=k3ypassw0rd ibmcom/mq:latest
docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --volume qmdata:/mnt/mqm --publish 1414:1414 \
--publish 9443:9443 --network mq-demo-network --network-alias qmgr --detach \
--env MQ_TLS_KEYSTORE=/mnt/mqm/MQServer/certs/key.p12 --env MQ_TLS_PASSPHRASE=k3ypassw0rd \
--name mqdemo ibmcom/mq:latest
docker exec -ti <your-container-id> /bin/bash
runmqsc QM1
> Starting MQSC for queue manager QM1
DISPLAY CHANNEL(DEV.APP.SVRCONN)
> AMQ8414I: Display Channel details.
CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2018-04-20) ALTTIME(17.01.22)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER(app) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(OPTIONAL)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER( ) TRPTYPE(TCP)
The DEV.APP.SVRCONN channel has been configured to use the TLS_RSA_WITH_AES_128_CBC_SHA256 CipherSpec. When SSLCIPH is set, TLS encryption is turned on for every connection made to the queue manager over this channel. The client must specify the same CipherSpec so that client and server can connect and complete the TLS handshake.
The other property to note is SSLCAUTH, which is set to OPTIONAL here. This setting permits both 1-way and 2-way TLS authentication. The client always authenticates the server, so the server must always have a certificate; that is 1-way authentication. If the client also presents a certificate, the queue manager authenticates the client as well, giving 2-way authentication. With OPTIONAL, a certificate presented by the client is used for authentication, but a client that presents none is still allowed to connect. This tutorial uses 1-way authentication, since only the server has a certificate, so the TLS configuration provides encryption and server authentication only; the client is authenticated separately by application user name and password.
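To make the SSLCIPH and SSLCAUTH discussion concrete, here is an added example (not part of the original tutorial) that parses the NAME(VALUE) pairs from a DISPLAY CHANNEL output like the one above and reports what the channel's settings mean for the connection: whether TLS is on, whether client certificates are demanded, and which identity the channel will run under. The sample output is constructed from the values shown on this page; the finding texts are my own.

```python
import re

# Constructed sample: the DISPLAY CHANNEL(DEV.APP.SVRCONN) output shown above.
SAMPLE_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(DEV.APP.SVRCONN)                CHLTYPE(SVRCONN)
   CERTLABL( )                             MCAUSER(app)
   SSLCAUTH(OPTIONAL)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
   SSLPEER( )                              TRPTYPE(TCP)
"""

# runmqsc prints attributes as NAME(VALUE); blank values appear as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channel(text):
    """Return the channel attributes as a dict, with blank values as ''."""
    return {name: value.strip() for name, value in ATTR_RE.findall(text)}


def assess_tls(attrs):
    """Return human-readable findings about the channel's TLS posture."""
    findings = []
    ciph = attrs.get("SSLCIPH", "")
    if not ciph:
        # No CipherSpec means no TLS: the app password crosses the wire in clear.
        findings.append("SSLCIPH blank: TLS is off for this channel")
        return findings
    if ciph.startswith("TLS_RSA_WITH_"):
        # RSA key transport has no forward secrecy; ECDHE CipherSpecs do.
        findings.append(f"{ciph}: RSA key transport, no forward secrecy")
    auth = attrs.get("SSLCAUTH", "")
    if auth == "OPTIONAL":
        findings.append("SSLCAUTH(OPTIONAL): one-way TLS, client cert not demanded; "
                        "client identity rests on the application password")
    elif auth == "REQUIRED" and not attrs.get("SSLPEER"):
        findings.append("SSLCAUTH(REQUIRED) with blank SSLPEER: any client cert the "
                        "queue manager trusts is accepted; restrict with SSLPEER")
    if not attrs.get("MCAUSER"):
        findings.append("MCAUSER blank: the user id asserted by the client is used")
    return findings


if __name__ == "__main__":
    for line in assess_tls(parse_channel(SAMPLE_OUTPUT)):
        print(line)
```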
END
exit
docker run -ti --entrypoint=/bin/bash --volume qmdata:/mnt/mqm --network mq-demo-network ibmcom/mq:latest
cd /mnt/mqm
mkdir -p MQClient/certs
cd MQClient/certs
runmqakm -keydb -create -db client_key.p12 -pw tru5tpassw0rd -type pkcs12 -expire 1000
ls
> client_key.p12
runmqakm -cert -list all -db client_key.p12 -pw tru5tpassw0rd
From the /mnt/mqm/MQClient/certs folder, run the command to add the public key certificate to the client’s trustStore.
runmqakm -cert -add -label QM1.cert -db client_key.p12 -type pkcs12 -pw tru5tpassw0rd -trust enable -file ../../MQServer/certs/QM1.cert
runmqakm -cert -list all -db client_key.p12 -pw tru5tpassw0rd
> Certificates found
* default, - personal, ! trusted, # secret key
! QM1.cert
sudo keytool -importcert -file QM1.cert -keystore keystore.jks -alias "Alias"
The instructions here don't match your instructions. https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md Have things changed since you made this document?