This tutorial covers the steps that you will need to take in order to secure the use of MQ Light using SSL/TLS protocols.


Before you begin

You will need to decide whether to use self-signed certificates or certificates signed by a certificate authority. Self-signed certificates provide a quick way to get up and running with SSL, but can be impractical if you need to manage more than two or three MQ Light servers.


Note: If you choose to use self-signed certificates then your web browser can display a warning when you use the MQ Light User Interface. To prevent this from happening, you can instruct your browser to trust the certificate provided by MQ Light, or switch to using certificates signed by a certificate authority that your browser trusts.


For more information about MQ Light security, see Product Overview: Security


After you follow this tutorial you will have configured MQ Light so that it is secured against the risk of data theft, or the risk of disruption to the proper functioning of MQ Light.



Steps

  1. Create, or obtain, the certificates that will be used to protect network traffic and validate the identity of the MQ Light server. Follow either "Using SSL with self-signed certificates" or "Using SSL with certificate authority signed certificates" below, then return here for Step 2.
  2. Enable security for the MQ Light server.
    • You will be prompted to make a number of security choices when you start MQ Light for the first time. If you have already started MQ Light, you can change the security settings that MQ Light will use by ensuring that MQ Light is stopped, then running the mqlight-config command. This can be done by issuing the following commands from the directory that MQ Light was installed into:


              mqlight-stop
              mqlight-config --security

      You will be prompted as to whether you wish to enable Username/Password security:


              Enable user name/password security?  
              (You can change this later)  (Y/N):

    • Enter Y.
    • Supply a username and password. These will later need to be supplied to instances of the MQ Light client, and also when using the MQ Light User Interface. You will then be prompted as to whether you want to enable SSL security:


              Enable SSL security?  
              (You can change this later)  (Y/N):
    • Enter Y. You will be prompted to enter a location for a PKCS#12 file:


              Enter PKCS#12 key store file path:
    • Enter the location for the PKCS#12 file that you created or obtained as part of Step 1. You will be prompted for the pass phrase for this PKCS#12 file:


              Enter key store passphrase:
    • Enter the pass phrase for the PKCS#12 file as determined in Step 1.

    Note: If you stopped the MQ Light server to make these configuration changes, you can start it again by issuing the mqlight-start command. You will need to use the username and password values that you have entered the next time you wish to use the MQ Light User Interface.

  3. Use the sample applications to test your configuration.
    • The sample applications that are provided with the MQ Light client can be used to verify that you have correctly secured your MQ Light configuration. For example, the send.js Node.js application can be used to validate that the MQ Light client can connect to an MQ Light server, and send a message.
    • The sample applications accept a range of command line options for controlling how they connect to the MQ Light server, which enables you to experiment with different settings.

    Issue the following command to use the send.js sample to connect to a secure server, substituting your own values: user and password are the values you entered in Step 2, host is the host name of the MQ Light server (which must match the Common Name in its certificate), and certificate.pem is the PEM certificate created or obtained in Step 1:

    node send.js -s amqps://user:password@host -c certificate.pem

Using SSL with self-signed certificates

MQ Light can be configured to use SSL with self-signed certificates to protect communication between the MQ Light client and the server, and to validate the identity of the MQ Light server. Self-signed certificates can be created without the requirement of a third party certificate authority. The use of self-signed certificates is best suited to small deployments, or for use in a development environment.


Using OpenSSL

To configure MQ Light with a self-signed certificate you will need software that enables you to create a certificate in PEM file format, and create a PKCS#12 format file that contains the certificate and associated private key. In this tutorial we describe how to use OpenSSL to create both the PKCS#12 format file and the PEM format file.



For more information about OpenSSL, see https://www.openssl.org



Steps

  1. Create a new self-signed private key and certificate.
    • You can use the openssl req command to create these files. For example, to generate a self-signed certificate based on a 2048-bit RSA private key, enter the following command:
      openssl req -newkey rsa:2048 -x509 -days 365 -keyout selfsigned.key -out selfsigned.pem -outform PEM

      The certificate will be valid for 365 days from the point the command is issued. The selfsigned.key file will contain the private key, and the selfsigned.pem file will contain the certificate.

    • You will be prompted to create a pass phrase, which you will need again in the following steps, as well as various values to incorporate into your self-signed certificate. The Common Name (CN) value of the certificate should match the host name of the system where you plan on running the MQ Light server. By default, the MQ Light client will check that the common name value matches the name of the host it has been instructed to connect to, and fail the connection request if it does not.
  2. Create a PKCS#12 file that contains the private key and certificate.
    • You can use the openssl pkcs12 utility to package the private key and certificate into a PKCS#12 format file. For example, to generate a PKCS#12 file from the files created in Step 1, enter the following command:
      openssl pkcs12 -export -out selfsigned.p12 -inkey selfsigned.key -in selfsigned.pem

      The output can be found in a file called selfsigned.p12.

    • You will be prompted to supply the pass phrase associated with the private key, which was created in Step 1. You will also be prompted to enter a pass phrase to protect the PKCS#12 file. The pass phrase protecting the PKCS#12 file will be required when you configure the MQ Light server to use this file.
  3. Distribute and assign filesystem permissions to the PKCS#12 file and PEM file.
    • The PKCS#12 file (in this example, selfsigned.p12) will be required on the system where you plan on running the MQ Light server. By generating the PKCS#12 file on the system where the MQ Light server will be run, you can avoid having to transport the file.
    • When the file is present on a filesystem accessible by the MQ Light server, you can restrict access to the file so that it is only accessible to the operating system user that will be used to run the MQ Light server.
      For example, on Linux and Mac OS, when the PKCS#12 file is owned by the same operating system user as will be used to run the MQ Light server, use the following command:

      chmod go-rwx selfsigned.p12

      On Windows, modify the permissions of selfsigned.p12 to enable only the MQ Light user to read the file by using the file properties Security tab to restrict access. Alternatively, you can make the change from a command prompt. For example, if the user running MQ Light belongs to a domain, use the following command:

      icacls selfsigned.p12 /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /T

      If the user does not belong to a domain, use the following command:

      icacls selfsigned.p12 /inheritance:r /grant:r <USER>:(OI)(CI)F /T

    • The PEM file (in this example, selfsigned.pem) will be required on any system where you wish to run an MQ Light client that connects to the server that you have secured with the corresponding PKCS#12 file. You can secure this file with filesystem permissions so that no user other than the one that will run the MQ Light client can access it.
  4. Return to Step 2 to complete the security tutorial.
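The following script is an added example and is not part of the MQ Light documentation or product: it runs Steps 1 to 3 above end to end without interactive prompts and then performs the checks a practitioner would want before handing the files over (the certificate name matches the server host, the PKCS#12 file opens with the pass phrase that will be given to mqlight-config, and the file is readable by its owner only). It assumes OpenSSL 1.0.2 or later on PATH (for `x509 -checkhost`); the function names, the default pass phrases and the host name are constructed for this script.

```shell
#!/bin/sh
# Added example, not part of the MQ Light documentation: the self-signed
# procedure (Steps 1 to 3) run end to end without prompts, followed by checks.
# Assumptions: OpenSSL 1.0.2 or later on PATH (x509 -checkhost); the pass
# phrases and host name used below are constructed sample values.
set -eu

# Step 1: self-signed RSA-2048 key and certificate, valid 365 days, CN set to
# the host name the MQ Light server will run on (the client compares it).
make_selfsigned_cert() {
    host=$1; key_pass=$2
    openssl req -newkey rsa:2048 -x509 -days 365 \
        -keyout selfsigned.key -out selfsigned.pem -outform PEM \
        -subj "/CN=$host" -passout "pass:$key_pass"
}

# Step 2: package key and certificate as PKCS#12; the export pass phrase is
# the one mqlight-config later asks for as the key store passphrase.
make_pkcs12() {
    key_pass=$1; p12_pass=$2
    openssl pkcs12 -export -out selfsigned.p12 \
        -inkey selfsigned.key -in selfsigned.pem \
        -passin "pass:$key_pass" -passout "pass:$p12_pass"
}

# Step 3: only the owner (the OS user that runs the MQ Light server) keeps access.
restrict_permissions() {
    chmod go-rwx "$1"
}

# Check: the certificate's name matches the host a client will be told to connect to.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Check: the PKCS#12 file opens (its MAC verifies) with the given pass phrase.
pkcs12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout </dev/null 2>/dev/null
}

# Check: the mode bits as ls shows them are exactly owner read/write.
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

main() {
    host=${1:-$(hostname)}
    key_pass=${KEY_PASS:-sample-key-pass}      # constructed defaults
    p12_pass=${P12_PASS:-sample-p12-pass}
    workdir=$(mktemp -d); cd "$workdir"
    make_selfsigned_cert "$host" "$key_pass"
    make_pkcs12 "$key_pass" "$p12_pass"
    restrict_permissions selfsigned.key
    restrict_permissions selfsigned.p12
    cert_matches_host selfsigned.pem "$host"
    pkcs12_opens_with selfsigned.p12 "$p12_pass"
    owner_only selfsigned.p12
    echo "OK: $workdir/selfsigned.p12 (server key store), selfsigned.pem (client trust file)"
}

# Run the procedure only when executed as a script, so the functions can also
# be sourced from other scripts or a test harness.
case "${0##*/}" in make_selfsigned_p12.sh) main "$@" ;; esac
```

Save it as make_selfsigned_p12.sh and run `sh make_selfsigned_p12.sh mqlight.example.com`; KEY_PASS and P12_PASS override the sample pass phrases. Note that `-passout pass:...` puts the pass phrase on the command line, where other users of the machine can see it in the process list, so outside a test machine prefer the interactive prompts used in the steps above.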


Using SSL with certificate authority signed certificates

MQ Light can be configured to use SSL certificates, signed by a certificate authority, to protect communication between the MQ Light client and the server, and to validate the identity of the MQ Light server. Certificates that have been signed by a certificate authority typically require more effort to create than self-signed certificates, but are more convenient to administer when used with a larger deployment of MQ Light.


Using OpenSSL

To configure MQ Light with a certificate authority signed certificate, you will need to select a certificate authority to use, and follow their processes for making a certificate signing request. In this tutorial we describe how to use OpenSSL to generate a certificate signing request.



For more information about OpenSSL, see https://www.openssl.org



Your certificate authority may provide its own instructions for generating a certificate signing request, in which case you should follow the certificate authority's instructions in place of the information in this tutorial.



Steps

  1. Generate a private key.
    • You can use the openssl genrsa command to create a private key. For example, use the following command to generate a 2048-bit RSA private key:
      openssl genrsa -des3 -out privatekey.pem 2048
    • You will be prompted to create a pass phrase to protect the private key, which you will need again in the following steps.
  2. Create a certificate signing request, using the private key.
    • The OpenSSL certificate request utility can be used to create a certificate signing request. Use the following command to create a request (request.csr) based on the private key generated in Step 1 (privatekey.pem):
      openssl req -new -key privatekey.pem -out request.csr
    • You will be prompted to supply the following:
      • The pass phrase used to protect the private key.
      • A set of values to put into the certificate request. The Common Name (CN) value that you specify must exactly match the host name, or the domain name that will be used to host your MQ Light server or servers.
      • Any extra attributes, which can include an optional challenge password and optional company name. Consult the documentation provided by the certificate authority that you are using to determine what, if anything, to enter in these fields.
  3. Make a signing request to the certificate authority.
    • The information supplied in the signing request will depend on how your chosen certificate authority operates, and what information is required to sign a certificate.
    • You will need to supply the certificate authority with a copy of the certificate signing request (request.csr).
    • The certificate authority can return files in a number of different formats. In this example, a signed certificate named signedcert.pem and the certificate authority's root certificate named caroot.pem are returned in PEM format. If this is not the case, you can convert the files, or modify the following steps of this tutorial to account for the differences.
  4. Create a PKCS#12 format file.
    • Use the openssl pkcs12 utility to package the private key (privatekey.pem, from Step 1), the signed certificate (signedcert.pem), and the certificate authority root certificate (caroot.pem) into a PKCS#12 file. For example, to generate a PKCS#12 file enter the following command:
      openssl pkcs12 -export -out casigned.p12 -inkey privatekey.pem -in signedcert.pem -certfile caroot.pem
    • The output is written to a file called casigned.p12.
  5. Distribute and assign filesystem permissions to the PKCS#12 file.
    • The PKCS#12 file (casigned.p12) will be required on the system where you plan on running the MQ Light server.
    • When the file is present on a filesystem accessible by the MQ Light server, you can restrict access to the file so that it is only accessible to the operating system user that will be used to run the MQ Light server.
      For example, on Linux and Mac OS, when the PKCS#12 file is owned by the same operating system user as will be used to run the MQ Light server, use the following command:

      chmod go-rwx casigned.p12

      On Windows, modify the permissions of casigned.p12 to enable only the MQ Light user to read the file by using the file properties Security tab to restrict access. Alternatively, you can make the change from a command prompt. For example, if the user running MQ Light belongs to a domain, use the following command:

      icacls casigned.p12 /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /T

      If the user does not belong to a domain, use the following command:

      icacls casigned.p12 /inheritance:r /grant:r <USER>:(OI)(CI)F /T

  6. Return to Step 2 to complete the security tutorial.
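The following script is an added example and is not part of the MQ Light documentation or product: it runs Steps 1 to 5 above end to end without prompts. Because a real certificate authority cannot be called offline, a throw-away local CA ("Example Test CA", constructed here) stands in for it in Step 3; with a real CA only request.csr leaves your system and signedcert.pem and caroot.pem come back from the CA. It also adds the checks worth doing along the way: that the CSR carries the intended Common Name before it is sent, that the returned certificate chains to caroot.pem (the trust decision a client makes when handed that root), and that the key store contains both certificates. It assumes OpenSSL 1.1.1 or later on PATH; the function names, default pass phrases and host name are constructed for this script.

```shell
#!/bin/sh
# Added example, not part of the MQ Light documentation: the CA-signed
# procedure (Steps 1 to 5) run end to end without prompts. A throw-away local
# CA ("Example Test CA", constructed) stands in for the real certificate
# authority so the signing step can be exercised offline.
# Assumptions: OpenSSL 1.1.1 or later on PATH; pass phrases and host name
# below are constructed sample values.
set -eu

# Step 1: pass-phrase-protected 2048-bit RSA key. It never goes to the CA.
generate_private_key() {
    openssl genrsa -des3 -passout "pass:$1" -out privatekey.pem 2048
}

# Step 2: certificate signing request with CN equal to the server's host name.
create_csr() {
    key_pass=$1; host=$2
    openssl req -new -key privatekey.pem -passin "pass:$key_pass" \
        -subj "/CN=$host" -out request.csr
}

# Check before sending: the CSR's self-signature verifies and the CN is the
# host name we meant (a wrong CN only shows up later as a client failure).
csr_is_valid_for() {
    openssl req -in request.csr -noout -verify 2>/dev/null &&
        openssl req -in request.csr -noout -subject | grep -q "CN *= *$1"
}

# Step 3 stand-in: a local test CA signs the request and publishes its root.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" -keyout caroot.key -out caroot.pem
    openssl x509 -req -in request.csr -CA caroot.pem -CAkey caroot.key \
        -CAcreateserial -days 365 -out signedcert.pem
}

# Check: the trust decision a client makes when handed caroot.pem as its
# trusted certificate, namely that the server certificate chains to that root.
cert_chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4: key, signed certificate and CA root packaged into the server key store.
make_pkcs12_with_chain() {
    key_pass=$1; p12_pass=$2
    openssl pkcs12 -export -out casigned.p12 -inkey privatekey.pem \
        -in signedcert.pem -certfile caroot.pem \
        -passin "pass:$key_pass" -passout "pass:$p12_pass"
}

# Check: how many certificates the key store holds (server cert + root = 2).
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

main() {
    host=${1:-$(hostname)}
    key_pass=${KEY_PASS:-sample-key-pass}      # constructed defaults
    p12_pass=${P12_PASS:-sample-p12-pass}
    workdir=$(mktemp -d); cd "$workdir"
    generate_private_key "$key_pass"
    create_csr "$key_pass" "$host"
    csr_is_valid_for "$host"
    sign_with_test_ca
    cert_chains_to_root signedcert.pem caroot.pem
    make_pkcs12_with_chain "$key_pass" "$p12_pass"
    chmod go-rwx privatekey.pem casigned.p12           # Step 5
    echo "OK: $workdir/casigned.p12 holds $(pkcs12_cert_count casigned.p12 "$p12_pass") certificates; caroot.pem is the file clients trust"
}

# Run the procedure only when executed as a script, so the functions can also
# be sourced from other scripts or a test harness.
case "${0##*/}" in make_casigned_p12.sh) main "$@" ;; esac
```

Save it as make_casigned_p12.sh and run `sh make_casigned_p12.sh mqlight.example.com`. To use a real certificate authority, keep generate_private_key and create_csr, replace sign_with_test_ca with the CA's own process, and run the remaining functions on the signedcert.pem and caroot.pem it returns.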

3 comments on "Securing MQ Light"

  1. When I enable SSL, my web browser just times out trying to connect to the MQ light server and connections via the Java libraries fail because of a “EOFException: SSL peer shut down incorrectly”. Any idea why?

  2. I am new to SSL. I am trying to install SSL using the GSKit ver8 utility on the Linux platform; kindly help me out with this.
