How to build an SSL connection between MQ C client and MQ server using self-signed certificates

You see the following error:
AMQ9637: Channel is lacking a certificate.
EXPLANATION: The channel is lacking a certificate to use for the SSL handshake. The channel name is 'SSLTEST.SVRCONN' (if '????' it is unknown at this stage in the processing). The channel did not start. ACTION: Make sure the appropriate certificates are correctly configured in the repositories for both ends of the channel.

When the attribute SSLCAUTH server connection channel is set to REQUIRED, the server channel needs to receive and authenticate an SSL certificate from the client. To create a certificate for the client and connect to the MQ server, please refer to the instructions below.

1. Create a key store and a self-signed certificate at MQ client with the name:
ibmwebspheremq + username (such as: ibmwebspheremqsmith).
If there are no tools (such as: gsk7capicmd, gsk7cmd) to create the key store and the certificate, you can do this on another machine and copy the generated files (such as: client.crl, client.kdb, client.rdb, client.sth) to the client machine.

gsk7capicmd -keydb -create -db /var/test/ssl/client.kdb -pw Password -type cms -expire 1825 -stash

gsk7capicmd -cert -create -db /var/test/ssl/client.kdb -pw Password -label ibmwebspheremqsmith -dn "CN=SMITH " -size 2048 -expire 1825

2. Extract the signer certificate client.arm for later use.

gsk7capicmd -cert -extract -db /var/test/ssl/client.kdb –pw Password -label ibmwebspheremqsmith -target /var/test/ssl/client.arm -format ascii

3. For the MQ queue manager, you also need to

1. create the key store
2. create a self-signed certificate (label is “ibmwebspheremq + QMName”)
3. extract the signer certificate.

The label for the following example is: ibmwebspheremqqmtest (the queue manager is QMTEST).
1. gsk7capicmd -keydb -create -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password -type cms -expire 1825 -stash
2. gsk7capicmd -cert -create -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb –pw Password -label ibmwebspheremqqmtest -dn "CN=QMTEST" -size 2048 –expire 1825
3. gsk7capicmd -cert -extract -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb –pw Password -label ibmwebspheremqqmtest –target /var/mqm/qmgrs/QMTEST/ssl/key.arm -format ascii

4. Exchange the signer certificate between the client and the server.

For the client:

gsk7capicmd -cert -add -db /var/test/ssl/client.kdb –pw Password -label ibmwebspheremqqmtest –file /var/mqm/qmgrs/QMTEST/ssl/key.arm -format ascii

For the server:

gsk7capicmd -cert -add -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password-label ibmwebspheremqsmith -file /var/test/ssl/client/client.arm -format ascii

Once the client certificate is added to the queue manager's keystore, use the "runmqsc" command (or other available queue manager command interface) to issue the command:
REFRESH SECURITY SSL

5. Set the proper environment variables on the client side. For the use of a client channel definition table (CCDT), you have to set MQCHLTAB and MQCHLLIB besides MQSSLKEYR.

export MQSSLKEYR = /var/test/ssl/client/client

Now, the certificates for the client and the server are ready. You can test the connection using the sample application amqssslc. For this application, please consult the following document.

WebSphere MQ > Application Programming Guide > Sample WebSphere MQ programs > Sample programs (platforms except z/OS) > The SSL/TLS sample program > Running the SSL/TLS sample program