How to build an SSL connection between MQ C client and MQ server using self-signed certificates

Technote (FAQ)


Question

You want to set up a secure connection using self-signed certificates between a WebSphere MQ C/C++ client and an MQ server. However, there is no MQ queue manager in the client environment, so you cannot use the naming rule for the self-signed certificate, which is "ibmwebspheremq + QMName".
How can you create a certificate for the MQ client?
What if there are no tools available to create the certificate? Why can you not connect to an MQ queue manager when the attribute SSLCAUTH of the server connection channel is set to REQUIRED?

Cause

You see the following error:
AMQ9637: Channel is lacking a certificate.
EXPLANATION: The channel is lacking a certificate to use for the SSL handshake. The channel name is 'SSLTEST.SVRCONN' (if '????' it is unknown at this stage in the processing). The channel did not start. ACTION: Make sure the appropriate certificates are correctly configured in the repositories for both ends of the channel.

Answer

When the attribute SSLCAUTH of the server connection channel is set to REQUIRED, the server channel needs to receive and authenticate an SSL certificate from the client. To create a certificate for the client and connect to the MQ server, follow the instructions below.

1. Create a key store and a self-signed certificate on the MQ client with the label:
ibmwebspheremq + username (for example: ibmwebspheremqsmith).
If there are no tools (such as gsk7capicmd or gsk7cmd) to create the key store and the certificate, you can do this on another machine and copy the generated files (client.crl, client.kdb, client.rdb, client.sth) to the client machine.

gsk7capicmd -keydb -create -db /var/test/ssl/client.kdb -pw Password -type cms -expire 1825 -stash

gsk7capicmd -cert -create -db /var/test/ssl/client.kdb -pw Password -label ibmwebspheremqsmith -dn "CN=SMITH" -size 2048 -expire 1825

2. Extract the signer certificate client.arm for later use.

gsk7capicmd -cert -extract -db /var/test/ssl/client.kdb -pw Password -label ibmwebspheremqsmith -target /var/test/ssl/client.arm -format ascii

3. For the MQ queue manager, you also need to:

    1. create the key store
    2. create a self-signed certificate (the label is "ibmwebspheremq + QMName", in lowercase)
    3. extract the signer certificate.

    The label for the following example is ibmwebspheremqqmtest (the queue manager is QMTEST).
    1. gsk7capicmd -keydb -create -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password -type cms -expire 1825 -stash
    2. gsk7capicmd -cert -create -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password -label ibmwebspheremqqmtest -dn "CN=QMTEST" -size 2048 -expire 1825
    3. gsk7capicmd -cert -extract -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password -label ibmwebspheremqqmtest -target /var/mqm/qmgrs/QMTEST/ssl/key.arm -format ascii

4. Exchange the signer certificate between the client and the server.

For the client:

gsk7capicmd -cert -add -db /var/test/ssl/client.kdb -pw Password -label ibmwebspheremqqmtest -file /var/mqm/qmgrs/QMTEST/ssl/key.arm -format ascii

For the server:

gsk7capicmd -cert -add -db /var/mqm/qmgrs/QMTEST/ssl/key.kdb -pw Password -label ibmwebspheremqsmith -file /var/test/ssl/client.arm -format ascii

Once the client certificate is added to the queue manager's keystore, use the "runmqsc" command (or other available queue manager command interface) to issue the command:
REFRESH SECURITY SSL

5. Set the proper environment variables on the client side. MQSSLKEYR points to the client key repository without the .kdb suffix. If you use a client channel definition table (CCDT), you also have to set MQCHLTAB and MQCHLLIB in addition to MQSSLKEYR.

export MQSSLKEYR=/var/test/ssl/client
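Before starting the client, it is worth checking offline that the pieces assembled in steps 1 to 5 are consistent. The following check is an added example and is not part of the technote or of MQ itself: it encodes the label rule ("ibmwebspheremq" plus the lowercased user ID or queue manager name), the requirement that MQSSLKEYR name the repository stem and that the .kdb and .sth files exist, and the need for both a personal certificate and a signer certificate in the client store on an SSLCAUTH(REQUIRED) channel. The file names and certificate labels are passed in by the caller (for example copied from a directory listing and from the key store tool), so the check runs without MQ or GSKit installed.

```python
import re

LABEL_PREFIX = "ibmwebspheremq"


def expected_label(name):
    """Label MQ looks up for the personal certificate: the fixed prefix plus
    the user ID (client side) or queue manager name (server side), lowercased."""
    return LABEL_PREFIX + name.lower()


def repository_stem(mqsslkeyr):
    """MQSSLKEYR must name the key repository without its .kdb suffix."""
    return mqsslkeyr[:-4] if mqsslkeyr.endswith(".kdb") else mqsslkeyr


def check_client_side(mqsslkeyr, user, files, personal, trusted):
    """Return a list of problems that would stop the SSL handshake.

    files    - set of file paths present on the client machine
    personal - labels of personal certificates in the client key store
    trusted  - labels of signer certificates in the client key store
    """
    problems = []
    if mqsslkeyr.endswith(".kdb"):
        problems.append("MQSSLKEYR must not include the .kdb suffix")
    stem = repository_stem(mqsslkeyr)
    for suffix in (".kdb", ".sth"):          # .sth comes from -stash in step 1
        if stem + suffix not in files:
            problems.append("missing " + stem + suffix)
    if expected_label(user) not in personal:  # SSLCAUTH(REQUIRED) needs this
        problems.append("no personal certificate labelled " + expected_label(user))
    if not trusted:                           # needed to accept the queue manager
        problems.append("no signer certificate for the queue manager in the store")
    return problems


def channel_from_amq9637(log_text):
    """Extract the channel name from an AMQ9637 message, or None if absent."""
    m = re.search(r"AMQ9637.*?channel name is '([^']+)'", log_text, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample input using the values from the technote.
    present = {"/var/test/ssl/client.kdb", "/var/test/ssl/client.sth"}
    for p in check_client_side("/var/test/ssl/client", "SMITH", present,
                               {"ibmwebspheremqsmith"}, {"ibmwebspheremqqmtest"}):
        print("problem:", p)
```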

Now the certificates for the client and the server are ready. You can test the connection using the sample application amqssslc. For this application, consult the following document.

WebSphere MQ > Application Programming Guide > Sample WebSphere MQ programs > Sample programs (platforms except z/OS) > The SSL/TLS sample program > Running the SSL/TLS sample program

Related information

Using self-signed certificates for mutual authenticatio
Using CA-signed certificates for mutual authentication
Questions regarding WMQ Java JMS clients and the SSL
Set up SSL 2-way authentication between a Java client a

Cross reference information
Segment: Business Integration
Product: WebSphere MQ
Component: SSL

Product Alias/Synonym

WebSphere MQ WMQ


Document information

More support for:

WebSphere MQ
Security

Software version:

7.0, 7.0.1, 7.1, 7.5

Operating system(s):

AIX, HP Itanium, Linux, Solaris, UNIX, Windows

Software edition:

All Editions

Reference #:

1622280

Modified date:

2013-01-28
