MQ Everyplace Password Store Installation and Setup


Contents

Installing MQ Everyplace(R) Password Store

  • Overview
  • Installation and setup
  • Storage Component installation and setup
  • MQe Password Store Connector installation and setup
  • Verifying installation of the MQe QueueManagers
  • Installation and Configuration of MQe Mini-Certificate Server
  • Issuing Certificates for Multiple Client side Instances - TDI MQe Password Store
  • High Availability Considerations - Multiple TDI MQe Password Connectors
  • Certificate Renewal



    Overview

    MQ Everyplace Password Store (MQe Password Store) provides the function necessary to store user passwords into IBM(R) WebSphere(R) MQ Everyplace and transfer user passwords from MQ Everyplace to IBM Directory Integrator. The MQe Password Store package was created to support a growing number of IBM Directory Integrator plug-ins which intercept password changes on various products and platforms.

    The following password synchronization plug-ins are available to intercept a user's password change request:

    IBM Directory Integrator Password Synchronizer for Windows(R)
    Intercepts the Windows login password change.

    IBM Directory Integrator Password Synchronizer for IBM Directory Server
    Intercepts IBM Directory Server password changes.

    IBM Directory Integrator Password Synchronizer for Sun ONE Directory Server
    Intercepts Sun ONE Directory Server password changes.

    These plug-ins can utilize the MQe Password Store function which facilitates the secure propagation of the change to the IBM Directory Integrator where it can be manipulated by an IBM Directory Integrator AssemblyLine.

    The MQe Password Store package consists of two components:

    Storage Component
    Installed on the machine where the password synchronizer is installed and the password synchronizer is configured to use the Storage Component. For each intercepted password update, the Storage Component constructs a message containing the password data and sends it to MQe.

    MQe Password Store Connector
    Installed into the IBM Directory Integrator as a standard Connector. The MQe Password Store Connector is used to connect to MQe, retrieve and parse password update messages and feed an IBM Directory Integrator AssemblyLine.

    MQe is actually embedded into the MQe Password Store components. The Storage Component contains an MQe QueueManager and the MQe Password Store Connector contains an MQe QueueManager. A remote connection between the two MQe QueueManagers transfers messages from the machine where the password synchronizer operates to the machine where the IBM Directory Integrator and the MQe Password Store Connector are run.

    Authenticated MQe Access
    TDI MQe components can be deployed to take advantage of MQe Mini-Certificate authenticated access. To use these MQe features, it is necessary to download and install WebSphere MQ Everyplace version 2.0.1.7 and WebSphere MQ Everyplace Server Support ES06. Use of certificate authenticated access prevents an anonymous MQe client Queue Manager or application from submitting a change password request to the MQe Password Store Connector.


    Download WebSphere MQ Everyplace Version 2.0.
    Download WebSphere MQ Everyplace Server Support ES06.


    Installation and setup

    Storage Component installation and setup

    The Storage Component of the MQe Password Store is installed when you choose WebSphere MQ Everyplace as a store method from the Password Synchronizers installer.

    Included files

    mqepwstore.jar
    Contains the Storage Component of the MQe Password Store.

    mqeconfig.jar
    Component for automatic creation and configuration of the MQe QueueManagers.

    mqeconfig.props
    Properties file for the Configuration Component.

    ibmjms.jar
    Version 1.1 of IBM's interface definition for the JMS classes.

    MQeBase.jar
    Contains MQ Everyplace base classes, version MQe 2.0.1.7

    MQeJMS.jar
    Contains MQ Everyplace JMS support classes, version MQe 2.0.1.7

    MQeSecurity.jar
    Contains MQ Everyplace secure queue access classes, version MQe 2.0.1.7

    idipwcrypto.jar
    Contains the asymmetric encryption support for the MQe Password Store.

    ibmjcefw.jar
    Used by the asymmetric encryption support.

    ibmjceprovider.jar
    Used by the asymmetric encryption support.

    ibmpkcs.jar
    Used by the asymmetric encryption support.

    ibmpkcs11.jar
    Used by the asymmetric encryption support.

    local_policy.jar
    Used by the asymmetric encryption support.

    US_export_policy.jar
    Used by the asymmetric encryption support.

    idicryptokeys.bat
    Utility bat file that creates a test/demo keystore file.

    idicryptokeys.sh
    Utility shell script file that creates a test/demo keystore file.

    Installation of MQ Everyplace is not necessary. The two MQe components (MQeBase.jar and MQeJMS.jar) deployed by the installer are all that is needed to instantiate and use MQ Everyplace. However, if authenticated Queue Manager and queue deployments are required, separate installation of MQe version 2.0.1.7 and MQe Server Support ES06 is required.

    Setup instructions

    Assume that the MQe Password Store is integrated with the IBM Directory Server Password Synchronizer (the process for integration with the other password synchronizers is analogous).
    The install folder of the IBM Directory Server Password Synchronizer is referred to as <install_directory>.

    If authenticated access is required for the MQe runtime and TDI components, complete the configuration and startup of the MQe Mini-Certificate server before continuing with the steps described in this section. Ensure that certificates associated with "PWStoreClient" and "PWStoreServer+passwords" are available for issue.

    1. Create and configure the MQe QueueManager.

      The file mqeconfig.jar placed in <install_directory> contains a utility program (MQe Configuration Component) that automatically creates and configures the MQe QueueManager that is used by the Storage Component.

      1. Before running the MQe Configuration Component, open its properties file mqeconfig.props and set values for the following properties:

        clientRootFolder
        The folder where you want to place the MQe QueueManager (for example, C:\\Program Files\\IBM\\DiPlugins\\IDS\\MQePWStore).
        Note:
        When specifying Windows(R) filepaths in the property files, the backslash file separator ( \ ) must be escaped with a second backslash ( \\ ).

        serverIP
        This is the machine name or IP address of the machine where the IBM Directory Integrator and the MQe Password Store Connector are deployed.

        communicationPort
        The TCP/IP port that is used for communication between the two MQe QueueManagers.

        clientRegistryType
        Optional. Required for authenticated MQe access deployments only. If used, value must be set to "PrivateRegistry". The Private Registry stores the certificates issued by the MQe Mini-Certificate server.

        clientRegistryPin
        Optional. Required for authenticated MQe access deployments only. If used, this value represents the "PIN" access code used by the TDI MQe Password Store to access the PrivateRegistry. This value will be stored as plain text in the MQe ".ini" file produced by step 2 below.

        clientKeyRingPassword
        Optional. Required for authenticated MQe access deployments only. This value is used when requesting a certificate from the MQe Mini-Certificate server. It is the seed value for certificate generation. This value will be stored as plain text in the MQe ".ini" file produced by step 2 below.

        certServerReqPin
        Optional. Required for authenticated MQe access deployments only. This value is used as a one time authentication PIN by this Queue Manager when requesting certificates from the MQe Mini-Certificate server. This value must match the "Request PIN" value from Mini-Certificate server setup steps 4 and 6.

        certServerIPAndPort
        Optional. Required for authenticated MQe access deployments only. This value is used as the destination address for MQe Mini-Certificate server requests. The format of the value is "FastNetwork:<host>:<port>", where host must be the machine name or TCP/IP address of the machine where the MQe Mini-Certificate server is running, and port must match the "Port" value from Mini-Certificate server setup step 3.

        debug
        Specify true or false to correspondingly turn debug information on or off.

        The following is a sample mqeconfig.props configuration file:

        clientRootFolder=C:\\Program Files\\IBM\\DiPlugins\\IDS\\MQePWStore
        serverIP=127.0.0.1
        communicationPort=41001
        
        ##
        ## Uncomment the following lines if authenticated MQe access is required
        ##
        #clientRegistryType=PrivateRegistry
        #clientRegistryPin=<Private client registry access PIN>
        #clientKeyRingPassword=<Seed value for certificate generation>
        #certServerReqPin=<One time certificate request PIN>
        #certServerIPAndPort=FastNetwork:<Mini-Certificate server hostname or IP>:<port>
        
        debug=true
        
        Note:
        When specifying Windows filepaths in the property files, the backslash file separator ( \ ) must be escaped with a second backslash ( \\ ).

      2. To create and automatically configure MQe QueueManager for the Storage Component, open a command prompt in the <install_directory> and enter the following command:
        _jvm\jre\bin\java -cp "./mqeconfig.jar" com.ibm.di.plugin.mqe.config.MQeConfig mqeconfig.props create client
        

        The log of this command is displayed on the console. After successful completion, the message Client MQe configuration successfully completed displays. If the mqeconfig.props file contains the optional parameters for MQe authenticated access, this step will automatically request the necessary certificates from the MQe Mini-Certificate server.

        Tip: If attempting to perform an MQe certificate authenticated access deployment, it is important to remember that certificates may be requested once only per authenticatable entity. If an exception message similar to the one below is reported during configuration, it may be necessary to re-enable certificate issue for that entity using the Mini-Certificate server GUI.

        [MQeConfig] [28/07/05 10:10:01]: Action failed: Code=351;com.ibm.mqe.MQeException: Registration exception = com.ibm.mqe.MQeException: certificate request failed[PWStoreClient 4] (code=8)[PWStoreClient 8] (code=351)
        [MQeConfig] [28/07/05 10:10:01]: Error: Server MQe configiration failed; exception: java.lang.Exception: Code=351;com.ibm.mqe.MQeException: Registration exception = com.ibm.mqe.MQeException: certificate request failed[PWStoreClient 4] (code=8)[PWStoreClient 8] (code=351)

        Note:
        If you need to change the configuration of the QueueManager, you have two options:
        1. Delete the QueueManager from the disk and create it again following the previous procedure.
        2. Install an MQ Everyplace admin tool compatible with MQ Everyplace 2.0.0.4 QueueManagers (for example, MQe Explorer) and use it to change the QueueManager settings.

    2. Configure the Storage Component.

      The configuration file of the Storage Component is called mqepwstore.props and must be placed in a folder that is on the CLASSPATH of the Password Synchronizer (the classpath of the IBM Directory Server Password Synchronizer is specified through the jvmClassPath property in the IBM Directory Server Password Synchronizer configuration file). Store the mqepwstore.props file in the <install_directory>.

      1. Use the following command from the <install_directory> to generate a partial properties file with some basic settings:
        _jvm\jre\bin\java com.ibm.di.plugin.mqe.store.MQeGenConfigFile <encryptKeyStoreFilePassword>
        

        where <encryptKeyStoreFilePassword> is the unencoded password of the client keystore used for encrypting passwords (for example, secret).
        The file mqepwstore.props is generated with the following content:

        #MQe Password Store Properties (with encoded passwords)
        #Thu Apr 03 14:32:02 EEST 2003
        debug=false
        logFile=
        encryptKeyStoreFilePassword=0c0bf0e3146b
        encryptKeyStoreCertificate=
        encryptKeyStoreFilePath=
        notificationPort=41002
        qmIniFileName=
        encrypt=true
        
      2. This utility does not set all the required properties. It sets the encoded password and some default property values; you must set the remaining properties yourself:

        qmIniFileName
        The path to the .ini file of the generated MQe QueueManager (usually C:\\Program Files\\IBM\\DiPlugins\\IDS\\MQePWStore\\pwstore_client.ini).

        notificationPort
        The TCP/IP port that is used when the MQe Password Store Connector sends notifications to the Storage Component. Default value is 41002.

        logFile
        The file path of the Storage Component log file. For example, C:\\Program Files\\IBM\\DiPlugins\\IDS\\mqestore.log.

        encrypt
        Specify true or false to correspondingly turn the encryption of passwords on or off.

        encryptKeyStoreFilePath
        The path of the JKS file that is used to encrypt passwords (only taken into account when encrypt is set to true).

        encryptKeyStoreFilePassword
        The encrypted password of the JKS file (only taken into account when encrypt is set to true). This maps to the -storepass parameter for keytool -genkey option (see idicryptokeys.bat or idicryptokeys.sh).

        encryptKeyStoreCertificate
        The alias of the key from JKS file.

        debug
        Specify true or false to correspondingly turn debug information on or off.

      3. When you choose to store the passwords in encrypted format (encrypt set to true), password data is encrypted and decrypted using the RSA key algorithm. You can use the provided idicryptokeys.bat (or idicryptokeys.sh) to build a test/demo keystore. If you use idicryptokeys.bat to create a test keystore, the values in the properties file are as follows:
        • encryptKeyStoreFilePath=<anypath>/idicryptotest.jks
          where <anypath> is the location where you keep the jks file created by idicryptokeys.bat (see the -keystore parameter setting in idicryptokeys.bat)
        • encryptKeyStoreFilePassword=<encrypted value of secret> (see the -storepass parameter setting in idicryptokeys.bat)
        • encryptKeyStoreCertificate=idicryptotest (see the -alias parameter setting in idicryptokeys.bat)

        To learn more about keystores and keytools, information is available from the following sites:
        • http://www-3.ibm.com/software/webservers/appserv/doc/v40/aes/infocenter/was/05050603.html
        • http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

      4. If you choose to write the mqepwstore.props properties file by hand, or wish to change the encryptKeyStoreFilePassword property later, you can use a second utility that encodes your new password so you can copy it into the properties file. To obtain an encoded version of your password, issue the following command from the <install_directory>:
        _jvm\jre\bin\java com.ibm.di.plugin.idipwsync.EncodePW <password>
        

        where <password> is your ASCII password. For example:

        _jvm\jre\bin\java com.ibm.di.plugin.idipwsync.EncodePW secret
        

        returns

        0c0bf0e3146b
        

        The following is an example of a completed mqepwstore.props file:

        #MQe Password Store Properties (with encoded passwords)
        #Thu Apr 03 14:32:02 EEST 2003
        qmIniFileName=C:\\Program Files\\IBM\\DiPlugins\\IDS\\MQePWStore\\pwstore_client.ini
        notificationPort=41002
        logFile=C:\\Program Files\\IBM\\DiPlugins\\IDS\\mqestore.log
        encrypt=true
        encryptKeyStoreFilePassword=0c0bf0e3146b
        encryptKeyStoreFilePath=C:\\Program Files\\IBM\\DiPlugins\\IDS\\idicryptotest.jks
        encryptKeyStoreCertificate=idicryptotest
        debug=true
        

    MQe Password Store Connector installation and setup

    The MQe Password Store Connector is automatically installed with the installation of the IBM Directory Integrator.

    The install folder of the IBM Directory Integrator is referred to as <IBM_Directory_Integrator_root>.

    Included files

    <IBM_Directory_Integrator_root>\jars\connectors\MQePasswordStoreConnector.jar
    The MQe Password Store Connector package.

    <IBM_Directory_Integrator_root>\jars\plugins\mqeconfig.jar
    Component for automatic creation and configuration of the MQe QueueManagers.

    <IBM_Directory_Integrator_root>\jars\plugins\mqeconfig.props
    Properties file for the configuration component.

    <IBM_Directory_Integrator_root>\jars\plugins\mqeconfig.bat
    Utility bat file for the configuration component that sets the classpath to the IBM Directory Integrator directory structure.

    <IBM_Directory_Integrator_root>/jars/plugins/mqeconfig.sh
    Utility shell script file for the configuration component that sets the classpath to the IBM Directory Integrator directory structure.

    <IBM_Directory_Integrator_root>\jars\ibmjms.jar
    Version 1.1 of IBM's interface definition for the JMS classes.

    <IBM_Directory_Integrator_root>\jars\MQeBase.jar
    Contains MQ Everyplace base classes, version MQe 2.0.1.7

    <IBM_Directory_Integrator_root>\jars\MQeJMS.jar
    Contains MQ Everyplace JMS support classes, version MQe 2.0.1.7

    <IBM_Directory_Integrator_root>\jars\MQeSecurity.jar
    Contains MQ Everyplace security classes, version MQe 2.0.1.7

    Setup instructions

    1. Create and configure the MQe QueueManager.

      The file mqeconfig.jar placed in <IBM_Directory_Integrator_root>\jars\plugins contains a utility program (MQe Configuration Component) that automatically creates and configures the MQe QueueManager that is used by the MQe Password Store Connector.

      If authenticated access is required for the MQe runtime and TDI components, complete the configuration and startup of the MQe Mini-Certificate server before continuing with the steps described in this section. Ensure that certificates associated with "PWStoreServer" and "PWStoreServer+passwords" are available for issue.

      Before running the MQe Configuration Component, open the properties file <IBM_Directory_Integrator_root>\jars\plugins\mqeconfig.props and set values for the following properties:

      serverRootFolder
      The folder where you want to place the MQe QueueManager (for example, C:\\Program Files\\IBM\\IBMDirectoryIntegrator\\MQePWStore).

      communicationPort
      The TCP/IP port that is used for communication between the two MQe QueueManagers (make sure to specify the same port that was used to configure the Storage Component MQe QueueManager).

      serverRegistryType
      Optional. Required for authenticated MQe access deployments only. If used, value must be set to "PrivateRegistry". The Private Registry stores the certificates issued by the MQe Mini-Certificate server.

      serverRegistryPin
      Optional. Required for authenticated MQe access deployments only. If used, this value represents the "PIN" access code used by the TDI MQe Password Connector to access the PrivateRegistry. This value will be stored as plain text in the MQe ".ini" file produced by the create server step below.

      serverKeyRingPassword
      Optional. Required for authenticated MQe access deployments only. This value is used when requesting a certificate from the MQe Mini-Certificate server. It is the seed value for certificate generation. This value will be stored as plain text in the MQe ".ini" file produced by the create server step below.

      certServerReqPin
      Optional. Required for authenticated MQe access deployments only. This value is used as a one time authentication PIN by this Queue Manager when requesting certificates from the MQe Mini-Certificate server. This value must match the "Request PIN" value from Mini-Certificate server setup steps 4 and 6.

      certServerIPAndPort
      Optional. Required for authenticated MQe access deployments only. This value is used as the destination address for MQe Mini-Certificate server requests. The format of the value is "FastNetwork:<host>:<port>", where host must be the machine name or TCP/IP address of the machine where the MQe Mini-Certificate server is running, and port must match the "Port" value from Mini-Certificate server setup step 3.

      debug
      Specify true or false to correspondingly turn debug information on or off.

      The following is a sample mqeconfig.props configuration file:

      serverRootFolder=C:\\Program Files\\IBM\\IBMDirectoryIntegrator\\MQePWStore
      communicationPort=41001
      ##
      ## Uncomment the following lines if authenticated MQe access is required
      ##
      #serverRegistryType=PrivateRegistry
      #serverRegistryPin=<Private Registry access PIN>
      #serverKeyRingPassword=<Private Registry key>
      #certServerReqPin=<certificate request PIN>
      #certServerIPAndPort=FastNetwork:<host>:<port>
      debug=true
      

      To create and automatically configure MQe QueueManager for the MQe Password Store Connector, open a command prompt in the <IBM_Directory_Integrator_root>\jars\plugins folder and execute the following command:

      mqeconfig.bat mqeconfig.props create server
      

      The log of this command is displayed on the console. After successful completion, the message Server MQe configuration successfully completed is displayed. If the mqeconfig.props file contains the optional parameters for MQe authenticated access, this step will automatically request the necessary certificates from the MQe Mini-Certificate server.

      Tip: If attempting to perform an MQe certificate authenticated access deployment, it is important to remember that certificates may be requested once only per authenticatable entity. If an exception message similar to the one below is reported during configuration, it may be necessary to re-enable certificate issue for that entity using the Mini-Certificate server GUI.

      [MQeConfig] [28/07/05 10:10:01]: Action failed: Code=351;com.ibm.mqe.MQeException: Registration exception = com.ibm.mqe.MQeException: certificate request failed[PWStoreServer 4] (code=8)[PWStoreServer 8] (code=351)
      [MQeConfig] [28/07/05 10:10:01]: Error: Server MQe configiration failed; exception: java.lang.Exception: Code=351;com.ibm.mqe.MQeException: Registration exception = com.ibm.mqe.MQeException: certificate request failed[PWStoreserver 4] (code=8)[PWStoreServer 8] (code=351)

      Note:
      If for some reason you need to change the configuration of the QueueManager, you have two options:
      • Delete the QueueManager from the disk and create it again following the previous procedure.
      • Install an MQ Everyplace admin tool (for example, MQe Explorer) compatible with MQ Everyplace 2.0.0.4 QueueManagers and use it to change the QueueManager settings.
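    The following is an added example, not part of the IBM documentation or of the mqeconfig utility. It reads the Storage Component mqeconfig.props described under Storage Component installation and setup and the Connector mqeconfig.props described above, applying the Java Properties backslash escaping the notes call out, and checks both files against the documented constraints (required keys, port values, the complete set of authenticated-access keys, the FastNetwork:<host>:<port> form, and the same communicationPort on both sides) before either create command is run. The sample files are constructed from the page's samples; the check rules are this example's own, and it also lists which values will land in plain text in the generated .ini file.

```javascript
// Added example (not part of the IBM documentation or the mqeconfig utility):
// read the Storage Component ("client") and Connector ("server") mqeconfig.props
// files with Java Properties escaping rules and sanity-check them before running
// "mqeconfig ... create client" and "mqeconfig ... create server".

// Minimal Java .properties reader: '#' and '!' comment lines, key=value or
// key:value, and backslash escapes, so C:\\Program Files decodes to C:\Program Files.
// (Other Java Properties syntax, such as \uXXXX or line continuations, is not handled.)
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith("!")) continue;
    const sep = line.search(/[=:]/);
    if (sep < 0) continue;
    props[line.slice(0, sep).trim()] = line.slice(sep + 1).trim().replace(/\\(.)/g, "$1");
  }
  return props;
}

// Keys the documentation marks "optional, required for authenticated access only".
const AUTH_KEYS = {
  client: ["clientRegistryType", "clientRegistryPin", "clientKeyRingPassword",
           "certServerReqPin", "certServerIPAndPort"],
  server: ["serverRegistryType", "serverRegistryPin", "serverKeyRingPassword",
           "certServerReqPin", "certServerIPAndPort"],
};

function isPort(s) {
  return /^\d{1,5}$/.test(s) && Number(s) >= 1 && Number(s) <= 65535;
}

// Returns the problems found in one file (empty array when it is acceptable).
function validate(role, props) {
  const problems = [];
  if (!props[role + "RootFolder"]) problems.push(role + "RootFolder is required");
  if (role === "client" && !props.serverIP) problems.push("serverIP is required");
  if (!isPort(props.communicationPort || "")) problems.push("communicationPort must be a TCP port (1-65535)");
  if (props.debug !== undefined && !["true", "false"].includes(props.debug))
    problems.push("debug must be true or false");

  // Authenticated access: the keys must be given as a complete set, or not at all.
  const keys = AUTH_KEYS[role];
  const missing = keys.filter((k) => !props[k]);
  if (missing.length > 0 && missing.length < keys.length)
    problems.push("authenticated access needs all of: " + missing.join(", "));
  if (missing.length === 0) {
    if (props[role + "RegistryType"] !== "PrivateRegistry")
      problems.push(role + "RegistryType must be PrivateRegistry");
    // Documented form: FastNetwork:<host>:<port>
    const m = /^FastNetwork:([^:\s]+):(\d{1,5})$/.exec(props.certServerIPAndPort);
    if (!m || !isPort(m[2])) problems.push("certServerIPAndPort must be FastNetwork:<host>:<port>");
  }
  return problems;
}

// The two Queue Managers must agree on the channel port and, when authenticated,
// must request their certificates from the same Mini-Certificate server.
function crossCheck(client, server) {
  const problems = [];
  if (client.communicationPort !== server.communicationPort)
    problems.push("communicationPort differs between client and server");
  if (client.certServerIPAndPort && server.certServerIPAndPort &&
      client.certServerIPAndPort !== server.certServerIPAndPort)
    problems.push("certServerIPAndPort differs between client and server");
  return problems;
}

// The registry PIN and key ring password end up in plain text in the generated
// .ini file; list them so the operator knows that file needs restricted access.
function plaintextSecrets(role, props) {
  return [role + "RegistryPin", role + "KeyRingPassword"].filter((k) => props[k]);
}

// Constructed sample files, based on the samples in the documentation.
const CLIENT_PROPS = [
  "clientRootFolder=C:\\\\Program Files\\\\IBM\\\\DiPlugins\\\\IDS\\\\MQePWStore",
  "serverIP=127.0.0.1",
  "communicationPort=41001",
  "#clientRegistryType=PrivateRegistry",
  "debug=true",
].join("\n");

const SERVER_PROPS = [
  "serverRootFolder=C:\\\\Program Files\\\\IBM\\\\IBMDirectoryIntegrator\\\\MQePWStore",
  "communicationPort=41001",
  "debug=true",
].join("\n");

// A misconfigured server file: wrong port and an incomplete authenticated-access set.
const BAD_SERVER_PROPS = [
  "serverRootFolder=C:\\\\MQePWStore",
  "communicationPort=41002",
  "serverRegistryType=PrivateRegistry",
  "serverRegistryPin=1234",
  "certServerIPAndPort=FastNetwork:certhost:8082",
  "debug=true",
].join("\n");

console.log("bad server:", validate("server", parseProperties(BAD_SERVER_PROPS)),
            crossCheck(parseProperties(CLIENT_PROPS), parseProperties(BAD_SERVER_PROPS)));
```

Running the script reports the incomplete authenticated-access key set and the port mismatch for the bad server file; the two good files pass validate and crossCheck with no problems.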

    2. Configure the MQe Password Store Connector.

      The MQe Password Store Connector is configured through the IBM Directory Integrator as a standard IBM Directory Integrator Connector.
      The following parameters are available:

      QueueManager ini file
      The path to the ini file of the generated MQe QueueManager. Usually C:\Program Files\IBM\IBMDirectoryIntegrator\MQePWStore\pwstore_server.ini.

      GetNext Timeout
      Specify the number of milliseconds the Connector waits for a new password update message to appear in the QueueManager queue. Specify -1 to wait forever, and 0 to return immediately if no message is available.

      Storage notification server
      Specify in a <host>:<port> format the Storage Component server that listens for notifications from the MQe Password Store Connector. The default value for the port is 41002 and the host must be the IP address of the machine where the Password Synchronizer and the Storage Component are deployed.

      Decrypt messages
      Check this field if the Storage Component encrypts the password update messages and they need to be decrypted by the MQe Password Store Connector.

      Key Store File
      The path of the JKS file used to decrypt password data (only taken into account when the Decrypt messages field is selected).

      Key Store File Password
      The password of the JKS file (only taken into account when the Decrypt messages field is selected).

      Key Store Certificate Alias
      The alias of the key from JKS file (only taken into account when the Decrypt messages field is selected).

      Key Store Certificate Password
      The password used to retrieve the private key. If not specified the value of the Key Store File Password parameter is used to retrieve the private key (only taken into account when the Decrypt messages field is selected).

      Detailed Log
      Check this field for more detailed log messages.

      When the MQe Password Store Connector is configured to decrypt password data (the Decrypt messages field is selected), use the JKS file generated for the Storage Component and specify the corresponding values for the Key Store File Password, Key Store Certificate Alias and Key Store Certificate Password parameters.

    3. MQe Password Store Connector schema.

      The MQe Password Store Connector supports the Iterator mode only. It retrieves password update messages from MQe, parses them and constructs Entry objects using a fixed schema of Attributes and Properties.

      Each Entry delivered by the MQe Password Store Connector is populated with the following Attributes and Properties:

      UserId (attribute)
      Contains the ID of the user (entry) for which the password has been updated. In the case of LDAP Password Synchronizers (IBM Directory Server and Sun ONE Directory Server), this attribute specifies the distinguished name of the LDAP user entry.

      UpdateType (attribute)
      Contains one of the following values:

      replace
      Specifies that the entry's list of passwords has been replaced with the values specified by the Passwords attribute.

      add
      Specifies that the values of the Passwords attribute have been added to the entry's list of passwords.

      delete
      Specifies that the values of the Passwords attribute have been removed from the entry's list of passwords.

      Passwords (attribute)
      A multivalued attribute containing the changed password values. This attribute is always present in the Entry object, even when the number of password values is zero.

      PasswordCount (property)
      Specifies the number of password values contained in the Passwords attribute. The same meta-information can be retrieved through the Passwords attribute object.
      Note:
      This is a Property object which is not mapped in the AssemblyLine Attribute Mapping process. You can access this Property through the conn Connector object only.
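    The following is an added example, not part of the IBM documentation or of the Connector itself. It applies the replace, add and delete semantics of the schema above to an in-memory password list per user, as an Iterator-mode AssemblyLine script would do entry by entry, and rejects entries that do not match the fixed schema (unknown UpdateType, missing Passwords attribute, or a PasswordCount that disagrees with the number of values). The Entry objects are constructed plain-object stand-ins for the TDI Entry, Attribute and Property objects, and the password values are placeholders.

```javascript
// Added example (not part of the IBM documentation or the Connector): apply the
// Entries delivered by the MQe Password Store Connector (UserId, UpdateType,
// Passwords, PasswordCount) to an in-memory password list per user, rejecting
// entries that do not fit the fixed schema. Entries are plain-object stand-ins.

const UPDATE_TYPES = new Set(["replace", "add", "delete"]);

// Check one entry against the fixed schema. Returns null when valid, else a reason.
function validateEntry(entry) {
  if (typeof entry.UserId !== "string" || entry.UserId === "") return "missing UserId";
  if (!UPDATE_TYPES.has(entry.UpdateType)) return "unknown UpdateType: " + entry.UpdateType;
  // Passwords is always present, even when it carries zero values.
  if (!Array.isArray(entry.Passwords)) return "Passwords attribute missing";
  // PasswordCount is a Property on the conn object, not a mapped Attribute; it
  // must agree with the number of values in the Passwords attribute.
  if (entry.PasswordCount !== entry.Passwords.length)
    return "PasswordCount " + entry.PasswordCount + " does not match " + entry.Passwords.length + " values";
  return null;
}

// Apply one update to the user's current list of passwords.
function applyUpdate(current, entry) {
  switch (entry.UpdateType) {
    case "replace": return [...entry.Passwords];
    case "add":     return [...current, ...entry.Passwords];
    case "delete":  return current.filter((p) => !entry.Passwords.includes(p));
  }
}

// Process a batch of entries in order, one per iteration, as an Iterator-mode
// AssemblyLine would. Returns the resulting lists and the rejected entries; only
// the UserId and the reason are recorded for rejects, never the password values.
function processEntries(entries) {
  const store = new Map();
  const rejected = [];
  for (const entry of entries) {
    const reason = validateEntry(entry);
    if (reason) { rejected.push({ UserId: entry.UserId, reason }); continue; }
    store.set(entry.UserId, applyUpdate(store.get(entry.UserId) || [], entry));
  }
  return { store, rejected };
}

// Constructed sample entries (UserId values are LDAP distinguished names, as the
// LDAP password synchronizers deliver them; password values are placeholders).
const SAMPLE_ENTRIES = [
  { UserId: "cn=alice,ou=people,o=example", UpdateType: "replace", Passwords: ["pw-1"], PasswordCount: 1 },
  { UserId: "cn=alice,ou=people,o=example", UpdateType: "add", Passwords: ["pw-2"], PasswordCount: 1 },
  { UserId: "cn=alice,ou=people,o=example", UpdateType: "delete", Passwords: ["pw-1"], PasswordCount: 1 },
  // Zero password values: the Passwords attribute is still present.
  { UserId: "cn=bob,ou=people,o=example", UpdateType: "replace", Passwords: [], PasswordCount: 0 },
  // Malformed: the count disagrees with the values.
  { UserId: "cn=eve,ou=people,o=example", UpdateType: "add", Passwords: ["pw-3"], PasswordCount: 2 },
  // Malformed: unknown update type.
  { UserId: "cn=eve,ou=people,o=example", UpdateType: "modify", Passwords: ["pw-4"], PasswordCount: 1 },
];

const result = processEntries(SAMPLE_ENTRIES);
console.log("users:", [...result.store.keys()], "rejected:", result.rejected);
```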

    Verifying installation of the MQe QueueManagers

    The MQe Configuration Component delivered in mqeconfig.jar can be run in test mode to verify the installation of the two MQe QueueManagers and test the communication channel between them.

    To run the test, do the following:

    1. Open a command prompt on the IBM Directory Integrator machine, in the <IBM_Directory_Integrator_root>\jars\plugins folder. Enter the following command:
      mqeconfig.{bat|sh} mqeconfig.props test server
      

      The message Press Enter to receive test message ... is displayed on the console. Do not press anything.

    2. Open a command prompt on the Storage Component machine, in the <install_directory>. Enter the following command:
      _jvm\jre\bin\java -cp "./mqeconfig.jar" com.ibm.di.plugin.mqe.config.MQeConfig mqeconfig.props test client
      
    3. The message Press Enter to send test message ... is displayed on the console. Press Enter.
    4. The message Test message sent. is displayed, followed by a message Press Enter to close .... Press Enter again.
      The message QueueManager terminated. indicates clean termination of the QueueManager and the application exits.

    5. Go back to the first console, on the IBM Directory Integrator machine.
    6. Press Enter. A message Success: test MQe message successfully received. indicates that the two QueueManagers are properly installed and configured to communicate with each other. A message starting with Test failed: indicates that the QueueManagers are not properly installed or configured.
    7. When the message Press Enter to close ... displays, press Enter. A message QueueManager terminated. indicates clean termination of the QueueManager and the application exits.

    Installation and Configuration of MQe Mini-Certificate Server

    If secure authenticated access is required for the MQe runtime and TDI MQe components, then it will be necessary to install and configure the MQe Mini-Certificate Server. This MQe component is available in MQe Server Support ES06, and must be downloaded separately. The Mini-Certificate server must be running on a machine within the target network, and be accessible by both the TDI MQe Storage Component and TDI MQe Password Connector machines. Accessibility is required during setup of the MQe Queue Manager for each of these TDI components, and is not necessary at runtime. Use of MQe Mini-Certificates prevents anonymous MQe applications from submitting or processing change password MQe messages.

    The role of the Mini-Certificate server is to issue certificates to each of the MQe Queue Managers associated with the TDI Storage Component and TDI MQe Password Connector. During configuration, each Queue Manager requests certificates from the MQe Mini-Certificate server. The Mini-Certificate server issues certificates to a Queue Manager only when the Queue Manager sends the correct request "PIN" value. The Queue Managers securely store the certificates in their local Private Registries. At runtime, the certificates are presented and verified before change password requests are submitted and received by the TDI MQe components.

    Setup
    MQe Server Support ES06 provides a detailed overview and instructions related to the Mini-Certificate server in the file named MQe_MiniCertServer.pdf, which ships and installs with ES06. Please refer to this manual for specific detailed instructions.

    The goal of configuring the Mini-Certificate server is to create the "authenticatable entities" permitted to use the MQe runtime and their associated certificates. Authenticatable entities will be created for the TDI MQe client Queue Manager, the TDI server Queue Manager, and the primary queue which transfers the password change notification messages.

    A summary specific to TDI is supplied below:

    1. Install the MQe Server Support ES06 kit on a machine in the target network. The machine must be accessible from the machines running the TDI MQe components. It is possible to install ES06 on one of the TDI component host machines if desired.
    2. Open the MQe Mini-Certificate GUI.
    3. Create a new profile. On the note pane window that results, configure the following:
    4. Create the TDI MQe Client Queue Manager entity. With the new profile created, it is now possible to create the required authenticatable entities. Right click on the "MQe root" node and select "New Entity". On the note pane window that results, configure the following:
    5. Create the TDI MQe Server Queue Manager entity. Right click on the "MQe root" node and select "New Entity". On the note pane window that results, configure the following:
    6. Create the password queue entity. Right click on the "PWStoreServer" node and select "New Entity". On the note pane window that results, configure the following:
    7. Start the server.

    Issuing Certificates for Multiple Client side Instances - TDI MQe Password Store

    In some deployments, it may be necessary to configure multiple TDI MQe Password Store components, for example if password change plugins have been configured for multiple Windows Domain Controllers. In this case, it is likely that there will be separate instances of MQe client side Queue Managers with the name "PWStoreClient". Additionally, for each of the client Queue Managers, there will be a remote queue proxy connection to the MQe server side Queue Manager queue used by the TDI MQe Password Connector. The remote queue proxy name is "PWStoreServer+passwords". When this type of deployment scenario is used, the authentication certificates associated with these two MQe entities (i.e. "PWStoreClient", "PWStoreServer+passwords") will be requested and issued multiple times. This happens each time the mqeconfig utility is executed as described in Storage Component Installation and Setup. Before executing the second and each subsequent instance of the mqeconfig utility, it will be necessary to re-enable certificate issue for each of the MQe entities mentioned above. The steps for this are described below:

    1. Open the MQe Mini-Certificate GUI
    2. Select the TDI MQe Client Queue Manager entity. Right click on the "PWStoreClient" node and select "Properties". On the note pane window that results, configure the following:
    3. Select the "passwords" queue entity. If the steps above have been followed, the "passwords" entity should appear as a child of the "PWStoreServer" entity. Right click on the "passwords" node and select "Properties". On the note pane window that results, configure the following:

    High Availability Considerations - Multiple TDI MQe Password Connectors

    For some deployments, it may be preferable to configure the TDI MQe Password Connector such that it supports a particular high availability requirement. It is expected that an implementation supporting this type of requirement would employ multiple instances of the TDI MQe Password Connector, each with its own associated MQe Queue Manager configuration. In this case, multiple identical MQe server side configurations would be deployed, allowing a network load balancer to route requests from the TDI MQe Password Store client to an available server instance. Each MQe Queue Manager on the server side will be configured using the mqeconfig utility. When this utility executes, it will automatically request authentication certificates from the MQe Mini-Certificate server for the entities named "PWStoreServer" and "PWStoreServer+passwords". These represent the Queue Manager and Queue names respectively. Before executing the second and each subsequent instance of the mqeconfig utility, it will be necessary to re-enable certificate issue for the two MQe entities mentioned above. The steps for this are described below:

    1. Open the MQe Mini-Certificate GUI
    2. Select the TDI MQe Client Queue Manager entity. Right click on the "PWStoreServer" node and select "Properties". On the note pane window that results, configure the following:
    3. Select the "passwords" queue entity. If the steps above have been followed, the "passwords" entity should appear as a child of the "PWStoreServer" entity. Right click on the "passwords" node and select "Properties". On the note pane window that results, configure the following:

    Certificate Renewal using the MQe Mini-Certificate Server

    The certificates issued by the MQe Mini-Certificate server have a configurable validity period. The default validity period is 12 months. The MQe documentation states that issued certificates should be renewed before the period expires. To enable this, the mqeconfig utility includes an option to renew certificates for each authenticatable entity. The authenticatable entity names requiring certificate renewal are as follows:

    For each TDI MQe configuration instance, the following steps may be performed and repeated as required in order to renew previously issued authentication certificates. The MQe Mini-Certificate server that issued the original certificates must be running.

    TDI Password Store Client Side

    1. Open the MQe Mini-Certificate GUI
    2. Right click on the MQe authenticatable entity for which certificate renewal is required, e.g. "PWStoreServer+passwords". On the note pane window that results, configure the following:
    3. Use a text editor to set the following properties of the <tdi_install_directory>/mqeconfig.props file:
    4. Open a command prompt in the <tdi_install_directory> of the Password Synchronizer, and enter the following command:
      _jvm\jre\bin\java -cp "./mqeconfig.jar" com.ibm.di.plugin.mqe.config.MQeConfig mqeconfig.props renewcert client

    TDI Password Connector Server Side

    1. Open the MQe Mini-Certificate GUI
    2. Right click on the MQe authenticatable entity for which certificate renewal is required, e.g. "PWStoreServer+passwords". On the note pane window that results, configure the following:
    3. Use a text editor to set the following properties of the <tdi_install_directory>/mqeconfig.props file:
    4. Open a command prompt in the <tdi_install_directory>/plugins/jars of the MQe Password Connector, and enter the following command:
      mqeconfig.{bat|sh} mqeconfig.props renewcert server