Installation Guide. PathWAI Secure for WebSphere MQ. Version 300 GC January 2003


Installation Guide
PathWAI Secure for WebSphere MQ
Version 300 GC January 2003

Candle Corporation
100 North Sepulveda Blvd.
El Segundo, California 90245

Copyright January 2003, Candle Corporation, a California corporation. All rights reserved. International rights secured.

Threaded Environment for AS/400, Patent No. 5,504,898; Data Server with Data Probes Employing Predicate Tests in Rule Statements (Event Driven Sampling), Patent No. 5,615,359; MVS/ESA Message Transport System Using the XCF Coupling Facility, Patent No. 5,754,856; Intelligent Remote Agent for Computer Performance Monitoring, Patent No. 5,781,703; Data Server with Event Driven Sampling, Patent No. 5,809,238; Threaded Environment for Computer Systems Without Native Threading Support, Patent No. 5,835,763; Object Procedure Messaging Facility, Patent No. 5,848,234; End-to-End Response Time Measurement for Computer Programs, Patent No. 5,991,705; Communications on a Network, Patent Pending; Improved Message Queuing Based Network Computing Architecture, Patent Pending; User Interface for System Management Applications, Patent Pending.

NOTICE: This documentation is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions set forth in the applicable license agreement and/or the applicable government rights clause. This documentation contains confidential, proprietary information of Candle Corporation that is licensed for your internal use only. Any unauthorized use, duplication, or disclosure is unlawful.

Contents

Preface
Restrictions
What's New in this Release
  Introduction
  New Product Name
  Third-Party Certificate Support
  Global Administrator CDROM
  Certificate Revocation Lists
  Online Certificate Revocation Checking
  Certificates Embedded in PathWAI Secure Messages
Chapter 1. Installation Overview
  What is PathWAI Secure?
  How Do You Invoke PathWAI Secure?
  What Type of Encryption Does PathWAI Secure Use?
  PathWAI Secure Key Pairs
  The Registration Process
  Registering Administrators
Chapter 2. Prerequisites
  Introduction
  Chapter Contents
  OS/390 and z/OS Prerequisites
  UNIX Prerequisites
  Windows Prerequisites
  CASP Secure Connector Prerequisites
Chapter 3. Installation Preparation
  Introduction
  Key Database (LDAP)
  PKCS#7 and PKCS#12 Files
  Site-Specific Information
  Mainframe Defaults
  Prepare for Upgrade, If Necessary
  Enable 4758 Processing, If Necessary
Chapter 4. Installation Steps on OS/390 and z/OS
  Before You Begin
  Summary of Steps
  Step 1. Migrate Version 200 Databases, if Necessary
  Step 2. Transfer the PathWAI Secure Software - Windows Procedure
  Step 3. Transfer the PathWAI Secure Software - UNIX Procedure
  Step 4. APF-Authorize PathWAI Secure Datasets
  Step 5. Customize the PathWAI Secure Server PROC
  Step 6. Customize the Configuration File
  Step 7. Update Channel Initiator JCL
  Step 8. Update SYS1.PARMLIB to Start MFSSRVR
  Step 9. Enable S/390 Crypto Facility Processing
  Step 10. Create PathWAI Secure Queues
  Step 11. Start the KMFADM Utility
  Step 12. Create a New User Key Database
  Step 13. Register the Global Administrator
  Step 14. Register a Local Administrator
  Step 15. Export Local Administrator's Public Key
  Step 16. Import Remote Administrators' Public Keys
  Step 17. Re-Encrypt User Key Database(s), if Necessary
  Step 18. Export Administrators' Public Keys to LDAP, if Necessary
  Step 19. Modify the MQSeries Channels
  Step 20. Verify MQSecure Installation
Chapter 5. Installation Steps on UNIX (GUI)
  Introduction
  Before You Begin
  Summary of Steps
  Step 1. Install PathWAI Secure Software
  Step 2. Configure the Local PathWAI Secure Node
  Step 3. Configure OCSP Revocation Checking
  Step 4. Identify the User Key Repository
  Step 5. Configure a Local LDAP Directory
  Step 6. Create PathWAI Secure Queues
  Step 7. Set Environment Variables
  Step 8. Add LDAP Tools to Path (LDAP Users Only)
  Step 9. Register the Global Administrator
  Step 10. Register the Local Administrator
  Step 11. Re-Encrypt User Key Database(s), if Necessary
  Step 12. Export Administrators' Public Keys to File
  Step 13. Import the Keys File to User Key Databases
  Step 14. Export the Keys File to LDAP (LDAP Sites Only)
  Step 15. Modify the WebSphere MQ Channels
  Step 16. Verify MQSecure Installation
Chapter 6. Installation Steps on Windows
  Introduction
  Before You Begin
  Summary of Steps
  Step 1. Migrate Version 200 Databases, if Necessary
  Step 2. Verify User ID Authority
  Step 3. Download the Software
  Step 4. Configure the Local PathWAI Secure Node
  Step 5. Identify the User Key Repository
  Step 6. Configure a Local User Key Repository
  Step 7. Reboot
  Step 8. Migrate Version 210 Databases, if Necessary
  Step 9. Re-Encrypt Version 210 Databases, if Necessary
  Step 10. Register the Global Administrator
  Step 11. Register the Local Administrator
  Step 12. Export Public Keys to File
  Step 13. Import Public Keys to User Key Databases
  Step 14. Export Keys to LDAP (LDAP Sites Only)
  Step 15. Create PathWAI Secure Queues
  Step 16. Enable Channel Exit Security
  Step 17. Verify PathWAI Secure Installation
Appendix A. Guide to Candle Customer Support

Preface

Purpose of this Guide

This guide explains how to install and configure the PathWAI Secure for WebSphere MQ product (PathWAI Secure) on OS/390 and z/OS, Windows, and UNIX operating systems.

The term installation in this guide refers to the following tasks:
- Copying the PathWAI Secure software from CDROM to disk.
- Installing the PathWAI Secure software into the correct datasets or directories.

The term configuration in this guide refers to the following tasks:
- Editing various files to replace default or symbolic values with your site-specific values.
- Registering PathWAI Secure administrators and distributing administrators' public keys.

Who Should Use this Guide

This guide was written for systems, maintenance, or installation programmers and for PathWAI Secure administrators. Although most operating system commands necessary to complete the tasks in this guide are provided, it is assumed that users of this guide are familiar with the operating systems that they will install on and have access to system manuals. They should also have a working knowledge of IBM's WebSphere MQ product.

How to Use this Guide

If you are a new user of PathWAI Secure, before beginning the installation you should familiarize yourself with the following chapters in the PathWAI Secure for WebSphere MQ Administrator's Guide:
- Chapter 1. Introducing PathWAI Secure for WebSphere MQ
- Chapter 2. Configuring Key and Encryption Options
- Chapter 3. Managing Users and User Keys

New users of PathWAI Secure should also read Installation Overview for a brief overview of the installation. You should then proceed to Installation Preparation and then to the appropriate installation chapter.

Existing customers should begin with What's New in this Release and then proceed to Installation Preparation and then to the appropriate installation chapter.

Related Documentation

For information on administering PathWAI Secure, consult the PathWAI Secure for WebSphere MQ Administrator's Guide. For information on programming with the PathWAI Secure APIs, consult the PathWAI Secure for WebSphere MQ Programmer's Guide.


Restrictions

This product is subject to export and re-export restrictions and regulations imposed by the government of the United States and, if applicable, the country to which the product is shipped, and any related federal, state, or local laws. As of October 19, 2000, the new export rules for PathWAI Secure for WebSphere MQ are as follows:

1. No shipments to or use by non-United States Government End Users outside the United States are allowed without a special license for the government end user, except for Members of the European Union (EU), Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland;
2. No shipments may be made to and the product may not be used or licensed for use by any person or entity that is a member of, or located in, any terrorist-supporting nations (currently, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria); and
3. The product may not otherwise be used in violation of any applicable license agreement.

Some countries' import regulations prohibit importation or use of encryption software products, and it is the user's responsibility to comply with those regulations.

Note: A Government End User is any foreign central, regional, or local government department, agency, or other entity performing governmental functions, including governmental research institutions, governmental corporations or their separate business units (as defined in part 772 of the EAR) which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List, and international governmental organizations. The term does not include utilities (including telecommunications companies and Internet service providers), banks and financial institutions, transportation, broadcast or entertainment, educational organizations, civil health and medical organizations, retail or wholesale firms, and manufacturing or industrial entities not engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.

PathWAI Secure for WebSphere MQ Version 300. Copyright , Candle Corporation, a California corporation. All rights reserved. International copyright secured. This material is proprietary to Candle Corporation and is not to be reproduced, used, or disclosed except in accordance with program licenses or upon written authorization of Candle Corporation. This product contains BSAFE software, owned exclusively by RSA Data Security, Inc., and sublicensed by Candle Corporation.

What's New in this Release

Introduction

This release of the PathWAI Secure for WebSphere MQ product (formerly called MQSecure) includes the following enhancements that affect its installation. For additional information about enhancements in the current release, consult the PathWAI Secure for WebSphere MQ Administrator's Guide and the PathWAI Secure for WebSphere MQ Programmer's Guide.

New Product Name

This product, formerly called MQSecure, has been renamed PathWAI Secure for WebSphere MQ. In most places, this guide abbreviates the product name to PathWAI Secure. Be aware that you may still see the term MQSecure in some places within installation/user interfaces, file names, and sample data.

Third-Party Certificate Support

This release of PathWAI Secure includes support for third-party generated public/private key pairs and supporting certificates. PathWAI Secure supports any 3rd-party certificate that conforms to the x509 Version 3 industry standard used by Verisign, Entrust, and most Certification Authorities in commercial use today. Your site may use certificates and key pairs created by any third-party Certification Authority that conforms to this standard.

Your site may import keys and certificates generated by a third-party Certification Authority using the PKCS#12 and PKCS#7 messaging formats used by all leading PKI vendors. PKCS#7 files are used for importing stand-alone verification certificates. PKCS#12 files are used to import public/private key pairs used to register authorized PathWAI Secure users and the certificates used to authenticate them. The PathWAI Secure Administration utilities have been enhanced to provide import/export functions for PKCS#12 and PKCS#7 files, and the import/export functions are supported through API calls.

Note that PathWAI Secure-generated key pairs are still supported. Your site can continue to use PathWAI Secure-generated keys in the current release if your site prefers to avoid the overhead associated with certificate management.

Global Administrator CDROM

This release of PathWAI Secure includes an enhanced package of administrative functions called the Global Administrator. The Global Administrator is a special class of PathWAI Secure administrator with the authority to establish a trust model (trust points) within your site's PathWAI Secure network. The Global Administrator assigns trust to imported certificates and exports trusted certificates for distribution throughout the PathWAI Secure network.

The Global Administrator is distributed on a separately licensed CDROM. The PathWAI Secure Administration utilities on this CDROM have been enhanced to provide the import and export functions for trusted certificates. If your site intends to use third-party keys, and wants to use certificates for verification, you must install the Global Administrator CDROM. Be aware that you must install the Global Administrator CDROM first and register the Global Administrator on one node, before installing additional PathWAI Secure nodes.

If your site does not intend to use third-party keys and you want to designate a special administrator only for purposes of centrally collecting and exporting administrators' PathWAI Secure-generated public keys, you do not need to install the Global Administrator CDROM. This document refers to this type of administrator as the central administrator to distinguish it from the Global Administrator described above; however, be aware that in previous releases this type of administrator was called the global administrator.

Certificate Revocation Lists

This release of PathWAI Secure includes support for importing Certificate Revocation Lists (CRLs). CRLs are used to revoke invalid or expired certificates. PathWAI Secure imports CRLs from certificate and registration authorities just as it does third-party keys and certificates, using PKCS#7 format files. CRLs are stored in local certificate databases and exported to the PathWAI Secure LDAP repository for central distribution.

CRLs are issued periodically by Certification Authorities and they are typically updated on a 12-hour, daily, or weekly basis; however, if your site requires real-time certification checking, you may want to use online certification revocation checking (described below) as an alternative to importing CRLs.

Online Certificate Revocation Checking

This release of PathWAI Secure includes support for certificate revocation checking in real time using a third-party, network-based Online Certificate Status Protocol (OCSP) responder. For critical applications requiring virtually real-time status information, or simply to offload the effort of CRL management, your site may want to take advantage of this feature.

The OCSP vendor supported in the current release is ValiCert. The PathWAI Secure installation/configuration utilities have been enhanced to allow you to specify information about ValiCert (typically the URL and listening port where the responder resides).

Certificates Embedded in PathWAI Secure Messages

This release of PathWAI Secure includes support for embedding digital certificates within PathWAI Secure messages. Your site may want to use embedded certificates in situations where an application cannot access the PathWAI Secure key repository or there is no convenient mechanism for distributing the public keys used for signature verification.

The PathWAI Secure installation/configuration utilities have been enhanced to allow you to specify whether or not to embed certificates. Be aware that public keys are embedded in certificates; if you configure the PathWAI Secure node to embed certificates, you are distributing public keys.


Chapter 1. Installation Overview

This chapter briefly introduces you to PathWAI Secure for WebSphere MQ (PathWAI Secure) and contains an overview of its features and components. Candle recommends that you familiarize yourself with the information in this chapter, even if you have installed a previous release of PathWAI Secure, because new PathWAI Secure features affect its installation and configuration.

What is PathWAI Secure?

PathWAI Secure provides authentication and encryption services for WebSphere MQ messages. PathWAI Secure supplements the user authorization capabilities of external security programs such as RACF, ACF2, and Top Secret on OS/390, and operating system security tools on UNIX and Windows systems.

PathWAI Secure provides the following security services:
- Authentication: Verifies the identity of the entity sending the message.
- Nonrepudiation: Assures that the sender of the message cannot deny having sent it.
- Integrity: Assures that the message arrived without alteration.
- Privacy: Assures that the message contents are confidential while traveling over the network.

How Do You Invoke PathWAI Secure?

PathWAI Secure's security services can be invoked in two ways:
- APIs (application-to-application): Your site can use PathWAI Secure's APIs to provide security services on an application-to-application basis.
- Channel exits (node-to-node): Your site can use WebSphere MQ's channel exits to provide security services on a node-to-node or channel-specific basis.

The following sections contain more information about these methods of invoking PathWAI Secure and recommendations for the best method for conditions at your site.

PathWAI Secure APIs

Your site can use PathWAI Secure's APIs to provide security services on an application-to-application basis. PathWAI Secure provides APIs for COBOL, C/C++, and Java applications.

Because security is handled by the sending and receiving applications, when you use PathWAI Secure APIs you do not need to know the route the messages travel or the identities of the machines that handle the messages en route. This method of securing messages is especially useful when messages must pass through channels which you do not control, for example, when messages travel over the Internet.

Additional Feature Using the APIs

If you use the PathWAI Secure APIs, the following additional feature is available:
- Range encryption: Encrypts selected portions of a message, leaving other portions unencrypted. Range encryption is useful when parts of a message (such as routing instructions) need to be in the clear, while other parts (such as account numbers) need to be encrypted.

Note: This feature is available only with the C/C++ and COBOL APIs.

PathWAI Secure Channel Exit Programs

Your site can use WebSphere MQ channel exits to provide security services on a node-to-node or channel-specific basis. Using channel exits, your site can ensure the identity of communicating nodes or individual channel users before channels are activated. Candle recommends using channel exit security for messages being passed entirely over channels which your site controls.

Additional Features Using Channel Exits

If you use the PathWAI Secure channel exits, the following additional features are available:
- Platform mutual authentication: Verifies the identity of communicating nodes before channels between them are activated.
- Channel mutual authentication: Verifies the identity of the two communicating users on an individual channel before the channel is activated.
- Channel mutual authentication for cluster channels: Verifies the identity of the two communicating users on an individual cluster channel before the channel is activated.

What Type of Encryption Does PathWAI Secure Use?

PathWAI Secure uses a digital signature, based on a message digest, to provide nonrepudiation, authentication, and message validation. The message digests are created with either RSA's Secure Hash Algorithm (SHA-1) or MD5.

PathWAI Secure encrypts messages using a combination of public/private (asymmetric) key pairs and symmetric keys, employing the concept of a digital envelope. Symmetric key encryption can be done using any of the following algorithms: RC2, Triple-DES, RC4, RC5, RC6, and AES.

The following section contains more information about the generation and management of PathWAI Secure key pairs.

PathWAI Secure Key Pairs

Central to the PathWAI Secure approach to cryptography is the notion of a public/private key pair. Under the public/private key approach, each authorized user (user ID) is assigned a pair of keys, one private key and one public key. The two keys are linked by a mathematical relationship such that either of the keys can be derived from the other. The public key, as its name implies, is made available to all users of the system, while the private key is available only to its assigned user ID and is never shared or transmitted. Thus, for any user IDs to exchange secured messages, they must first exchange public keys.

How Are Key Pairs Generated?

The public/private key pairs used in PathWAI Secure security operations can be generated by PathWAI Secure or by a third-party certificate or registration authority. PathWAI Secure includes a set of administrative utilities for importing, generating, distributing, and revoking user keys and any certificates necessary for verification of third-party keys.

The Registration Process

PathWAI Secure users are authorized through the process of registration. During registration, a public/private RSA key pair is associated with a PathWAI Secure user ID and a password for private key operations.

PathWAI Secure users and their keys are managed by a special class of users known as administrators. The first user ID and password registered on each node using the PathWAI Secure administrative utility becomes the administrative ID and password for that system. The administrator's ID and password is required to:
- register users
- export and import public keys
- manage the local user key database

PathWAI Secure administrators and regular users may hold either PathWAI Secure-generated keys or keys generated by a third-party certificate or registration authority. The way in which users are authenticated depends on the type of key (PathWAI Secure-generated or third-party) they hold.

Public/Private Keys

Central to PathWAI Secure's cryptographic approach is the use of public/private key pairs. Cryptographic keys are numbers used with encryption algorithms to encrypt or decrypt information. Public/private keys are pairs of keys linked by a mathematical relationship such that either of the keys can be derived from the other. Public keys, as their name implies, are made available to all users of the system, while the private keys are available only to their assigned owners.

Data encrypted with a public key can only be decrypted by the corresponding private key. This is the way in which messages are usually encrypted for privacy. The reverse is also true: data encrypted with a private key can only be decrypted using the corresponding public key. This latter relationship is exploited to create digital signatures used to authenticate the identity of message senders.

To create a digital signature, the text of a message is supplied as input to a one-way function, or hash, which produces a unique mathematical value, called a message digest. The message digest cannot be used to recreate the message, and the smallest change in the message results in a different value for the digest. The message digest is then encrypted using the sender's private key and attached to the message text. Since the message digest was encrypted using the sender's private key, it can only be decrypted using the sender's public key. To verify that the message did indeed come from the person it appears to come from, the receiver looks up the sender's public key and attempts to decrypt the message digest. If the decryption is successful, it proves that the message was indeed sent by the signer.

User Authentication

The way in which users are authenticated depends on the type of key they hold. For PathWAI Secure-generated keys, PathWAI Secure uses the signature of the PathWAI Secure administrator on the node on which the user was registered to verify the user's identity when the public key is first imported into the local database. When local users' public keys are exported for distribution to other PathWAI Secure nodes, they are signed using the administrator's private key. When these keys are imported by other nodes, the administrator's public key is used to authenticate the signature and verify the identity of the key holder. For this reason, administrators' keys must be exchanged before the users' keys can be exchanged.

PathWAI Secure verifies third-party keys through digital certificates issued by a certificate or registration authority. A digital certificate is an electronic document used to identify an individual, a company, an application, a server, or some other entity and to associate that identity with a public key. Certificate and registration authorities are often mutually trusted, independent third parties, but organizations can also issue their own certificates using software such as Netscape Certificate Server or Windows Certificate Services. In addition to a public key, certificates include the name of the entity they identify, an expiration date, the name of the authority that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing authority.

PathWAI Secure verifies the user's certificate through a chain of certificates to a certificate designated as trusted by the site's Global Administrator. Global Administrators are a special class of administrators with the authority to designate imported certificates as trusted and to distribute them to other nodes. Local administrators can control which certificates are trusted by their individual nodes by importing trusted certificates exported by the Global Administrator as either trusted or untrusted. (For sites using PathWAI Secure-generated keys and distributing keys via an LDAP repository, Global Administrators act as the certifying authority for local administrators.)

Because administrators' signatures are required for the verification of PathWAI Secure-generated keys, or to import trusted certificates for verification of third-party keys, administrators must be registered and their keys (and supporting certificates) must be distributed before secured messages can be exchanged between PathWAI Secure nodes.
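
The import rule described above for PathWAI Secure-generated keys (a user's public key is accepted only when the exporting administrator's signature verifies, so administrators' keys must arrive first), shown as an added Python example that is not Candle's code or the product's API. It assumes toy unpadded RSA with SHA-256 so that it runs on the standard library alone; the record layout, the KeyDatabase class and the names ADMIN.NODEA and PAYROLL01 are constructed for illustration.

```python
import hashlib
import json
import secrets

# Toy RSA: unpadded, 512-bit, illustration only. It stands in for the
# product's signature primitive, which the guide does not specify in detail.

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test for the large odd candidates generated below."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512, e=65537):
    """Return (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)        # digest transformed with private key

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data)

def _signed_fields(record):
    """Unambiguous byte encoding of the fields the administrator signs."""
    return json.dumps([record["user"], record["n"], record["e"],
                       record["signed_by"]]).encode()

def export_user_key(admin_id, admin_private, user_id, user_public):
    """Exporting node: wrap a user's public key and sign it as administrator."""
    record = {"user": user_id, "n": user_public[0], "e": user_public[1],
              "signed_by": admin_id}
    record["sig"] = sign(admin_private, _signed_fields(record))
    return record

class KeyDatabase:
    """Importing node's local key store (hypothetical structure)."""
    def __init__(self):
        self.admin_keys = {}   # administrator id -> public key, exchanged first
        self.user_keys = {}    # user id -> public key, stored only if verified

    def import_admin_key(self, admin_id, public):
        self.admin_keys[admin_id] = public

    def import_user_key(self, record):
        admin_public = self.admin_keys.get(record["signed_by"])
        if admin_public is None:
            return "rejected: administrator key not yet imported"
        if not verify(admin_public, _signed_fields(record), record["sig"]):
            return "rejected: administrator signature does not verify"
        self.user_keys[record["user"]] = (record["n"], record["e"])
        return "imported"

def demo():
    # All identifiers and the message below are constructed sample values.
    admin_pub, admin_priv = generate_keypair()
    user_pub, user_priv = generate_keypair()
    other_pub, other_priv = generate_keypair()   # key pair node B never trusted
    record = export_user_key("ADMIN.NODEA", admin_priv, "PAYROLL01", user_pub)
    node_b = KeyDatabase()
    results = {"before_admin_exchange": node_b.import_user_key(record)}
    node_b.import_admin_key("ADMIN.NODEA", admin_pub)
    swapped = dict(record, n=other_pub[0])       # key replaced after signing
    results["substituted_key"] = node_b.import_user_key(swapped)
    resigned = export_user_key("ADMIN.NODEA", other_priv, "PAYROLL01", other_pub)
    results["wrong_signer"] = node_b.import_user_key(resigned)
    results["genuine"] = node_b.import_user_key(record)
    message = b"transfer 100.00 to account 12345"
    signature = sign(user_priv, message)
    stored = node_b.user_keys["PAYROLL01"]
    results["message_ok"] = verify(stored, message, signature)
    results["message_altered"] = verify(stored, message + b"0", signature)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first import fails only because of ordering, which is why the guide registers administrators and distributes their keys during installation, before any user keys move between nodes.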

Registering Administrators

Registering the Global Administrator (Third-Party Keys)

If your site is using third-party keys, you must install the separately licensed Global Administrator CDROM, which provides enhanced functions required for establishing your site's trust model. The Global Administrator functions allow you to designate certificates as trusted by the site and export them to other nodes. Your site must install the Global Administrator CDROM and register the Global Administrator on the first node in your site's PathWAI Secure network, before installing additional PathWAI Secure nodes.

Registering Central Administrators (PathWAI Secure-Generated Keys)

For sites using an LDAP repository and PathWAI Secure-generated keys, the central administrator is the administrator responsible for signing and exporting all other administrators' keys to the repository. The central administrator's public key is distributed to all connecting nodes through a securely transmitted flat file and the central administrator's signature is used to verify the public keys of foreign administrators as they are imported onto the local node. The central administrator is registered just like any other administrator; it does not require the enhanced functions on the Global Administrator CDROM.

Registering Local Administrators

The first user ID and password registered on each node using the PathWAI Secure administrative utility becomes the administrative ID and password for that system. The administrator's ID and password are required to:

- register other users
- export and import public keys
- manage the local user key database
- verify the identity of users registered on the local node
- import certificates considered trusted for the local node (if third party keys are being used)

During the process of registering an administrator:

- the local user key database is created or initialized
- the administrator's public/private key pair is generated or imported
- administrators' public keys are distributed to an LDAP repository or a global administrator, or exchanged with all connecting nodes

Since secured messages cannot be exchanged between PathWAI Secure nodes until administrators have been registered, administrators are registered as part of PathWAI Secure installation. Sites using an LDAP repository to distribute keys or using third party keys must designate and register a global administrator before registering local administrators.


Chapter 2. Prerequisites

Introduction

This chapter lists software prerequisites for PathWAI Secure for WebSphere MQ (PathWAI Secure).

Chapter Contents

- OS/390 and z/OS Prerequisites
- UNIX Prerequisites
- Windows Prerequisites
- CASP Secure Connector Prerequisites

OS/390 and z/OS Prerequisites

This section contains software prerequisites for PathWAI Secure on OS/390 or z/OS.

Operating system: OS/390 Release 2.6 or z/OS
Transport (Messaging System): MQSeries for ESA Versions 2.1 or 5.2
Communications: TCP/IP (on both the mainframe and the workstation from which you will transfer PathWAI Secure files)
Run-time environment: Minimum C-language run-time environment of V2.5.0
Total Disk Space: 2337 Tracks of 3390

An additional tracks are required during the OS/390 dataset load step of the install process. Sufficient space must be available for the sequential load datasets to coexist with the product datasets until these tracks are reclaimed following a successful installation.

Disk Space by Dataset:

- 1500 Tracks in TMFLOAD
- 020 Tracks in TMFEXECF
- 015 Tracks in TMFEXECV
- 040 Tracks in TMFLIB
- 150 Tracks in TMFBSAFE
- 012 Tracks in TMFSAMP
- 575 Tracks in TMFLINK
- 005 Tracks in TMFMENU
- 020 Tracks in TMFPENU

UNIX Prerequisites

This section contains software prerequisites for PathWAI Secure on UNIX.

Operating systems:

- AIX Release 4.3 or higher
- HP-UX Release 11.x or higher
- Sun Solaris Release 2.7 or higher

Transport (Messaging System): WebSphere MQ Version 5.2 and 5.3

Disk Space:

- On AIX: 81.6 Mb (deduct 40 Mb if not installing LDAP); 2.6 Mb in /var/mqsecure directory
- On HP-UX: 82.1 Mb (deduct 47.5 Mb if not installing LDAP); 8.1 Mb
- On Solaris: 59.5 Mb (deduct 33 Mb if not installing LDAP); 6.5 Mb in /var/secure directory

Windows Prerequisites

This section contains software prerequisites for PathWAI Secure on Windows.

Operating systems and transports:

- With MQSeries V5.3: Windows NT 4.0, Windows 2000, Windows XP
- With MQSeries V5.2: Windows NT 4.0, Windows 2000
- With MQSeries Client V5.2 or V5.3: Windows 98, Windows NT 4.0, Windows 2000

Note: support for MQSeries Lite QManager 2.1 has been dropped.

Disk Space: Mb total; 2.4 Mb in install directory

CASP Secure Connector Prerequisites

Supported Transports

The security facilities provided by CASP Secure Connector are independent of the underlying messaging transport (WebSphere MQ, MSMQ, TIB/Rendezvous).

Operating Systems

CASP Secure Connector can be used on Windows NT/2000, Solaris 2.7 and above, HP-UX 11.x, and AIX 4.3.


Chapter 3. Installation Preparation

Introduction

The information in this chapter will help you prepare for PathWAI Secure for WebSphere MQ (PathWAI Secure) installation. If you are a new user of PathWAI Secure, before beginning the installation you should familiarize yourself with the following chapters in the PathWAI Secure for WebSphere MQ Administrator's Guide:

- Chapter 1. Introducing PathWAI Secure for WebSphere MQ
- Chapter 2. Configuring Key and Encryption Options
- Chapter 3. Managing Users and User Keys

Key Database (LDAP)

Candle recommends that you install the LDAP-type database provided on the PathWAI Secure CDROM as a key repository. Candle recommends that you install the database locally whenever possible; however, in some cases you may need to connect to a remote key database. Use the following guidelines and complete the Key Database (LDAP) Worksheet below, if necessary.

On Windows 98: The LDAP database supplied on the PathWAI Secure CDROM is not supported on Windows 98. If you are installing PathWAI Secure on a Windows 98 machine, you must configure the local PathWAI Secure node to communicate with an LDAP running on another machine in your PathWAI Secure network. The remote database may reside on Windows NT/2000/XP, on UNIX, or on the mainframe. Complete the worksheet below identifying the remote LDAP.

On all other platforms: If it is not possible to install the database locally, you may configure the local PathWAI Secure node to communicate with an LDAP running on another machine in your PathWAI Secure network. The remote database may reside on Windows NT/2000/XP, on UNIX, or on the mainframe. Complete the worksheet below identifying the remote LDAP.

Host name of the machine where the remote LDAP resides:
LDAP server's TCP/IP listening port:

PKCS#7 and PKCS#12 Files

If your site is using imported third-party key pairs, the certifying authority issuing the keys must securely communicate the following to your site before the Global Administrator is registered:

- the PKCS#12 file containing the Global Administrator's public/private key pair and supporting certificates
- the password used to encrypt the PKCS#12 file, if any
- the PKCS#7 format file containing the certificates that will be used to verify other user keys for the site

Site-Specific Information

During the installation of PathWAI Secure on distributed platforms, you will need to know whether the node(s) on which you install are running WebSphere MQ as a server (or leaf-node) or as a client. If you will install PathWAI Secure on UNIX or Windows 98/NT/2000, list the platform, node name, and type of WebSphere MQ running (server/leaf node or client) in the spaces below (use additional paper, if needed):

Platform | Node Name | Type of WebSphere MQ

Mainframe Defaults

If your site is installing PathWAI Secure on OS/390 or z/OS, note that the installation is a manual process requiring substitution of your site-specific values for Candle defaults or symbolic values. Refer to the table below and list your values for each variable to save time during installation.

Variable Description | Candle Default or Symbolic Value | Your Site-Specific Value

- Highest-level qualifier for PathWAI Secure datasets. | CANDLE |
- High-level qualifier for temporary sequential datasets. (PathWAI Secure software is received into these datasets, which are later deleted.) | CANDLE.TEMPMQS |
- High-level qualifier for permanent PathWAI Secure datasets. | CANDLE.MQSECURE |
- A valid OS/390 user ID | MVSID |
- A dataset from which you can execute a REXX EXEC (the KMFUTIL installation utility). If you allocate a new dataset for this purpose, use these attributes: LRECL=255 RECFM=VB BLKSIZE=8900 DSORG=PO Primary tracks=7 Secondary tracks=2 Directory blocks=2 | USER.EXEC |

Variable Description | Candle Default or Symbolic Value | Your Site-Specific Value

- C-language environment dataset name | *.*.SCEERUN |
- WebSphere MQ authorization dataset name | *.*.SCSQAUTH |
- WebSphere MQ load dataset name | *.*.SCSQLOAD |
- WebSphere MQ national language support dataset name | *.*.SCSQANLY |
- User key database dataset name | CANDLE.MQSECURE.qmgr_name.users |

Prepare for Upgrade, If Necessary

This step ensures that sites using an earlier version of PathWAI Secure properly prepare their system to upgrade to this version. If you are not currently running PathWAI Secure, do not complete this step; proceed to the appropriate installation chapters. In this step you will back up your existing user key database(s) and shut down applications using PathWAI Secure.

Back Up User Key Databases

1. Back up your user key database(s):
   - On OS/390: Use the IDCAMS utility to perform a REPRO function, creating a backup dataset of each CANDLE.MQSECURE.USERSx dataset. Refer to the sample programs USRREPRO and USRRESTO in CANDLE.MQSECURE.TMFSAMP for help.
   - On UNIX: Copy /var/mqsecure/mqss.usr to a back-up file.
   - On Windows: Copy c:\mqsecure\mqss.usr to a back-up file.
2. Shut down WebSphere MQ channel initiator(s).
3. Shut down the PathWAI Secure servers for all user key databases:
   - On OS/390: F MFSSRVR
   - On UNIX or Windows: dbdown
4. Verify that sequential datasets used to install the earlier version of PathWAI Secure on OS/390 are deleted.
5. Either:
   - Shut down all applications that reference PathWAI Secure using PathWAI Secure Application Programming Interfaces (APIs) and shut down all channels enabled to use PathWAI Secure channel exit.
   or
   - Shut down your queue manager:
         endmqm -i queue_manager_name

Enable 4758 Processing, If Necessary

In this step you will enable certain hardware functions of the IBM 4758 PCI Cryptographic Coprocessor so that PathWAI Secure can execute properly.

To ensure that only designated individuals (or programs) can execute sensitive commands, each 4758 command processor interrogates one or more control point values within the cryptographic engine access-control system for permission to perform the request. The access-control system includes roles; each role defines the permissible control points for users associated with that role.

Enable, in the active role, each of the hardware functions listed in the table below:

Hardware Function | Access Control Point Code | PathWAI Secure Function

- Encipher | X'000E' | Symmetric encryption
- Decipher | X'000F' | Symmetric decryption
- Generate key | X'008E' | Random number generation
- Encipher under master key | X'00C3' | Symmetric encryption/decryption
- Digital signature generate | X'0100' | Digital signature generation
- Digital signature verify | X'0101' | Digital signature verification
- PKA key import | X'0104' | Digital signature generation and PKA decryption
- One way hash | X'0107' | Digital signature generation and verification
- Read public access control info | X'0116' | All functions using the 4758
- RSA Encipher clear key data | X'011E' | PKA encryption
- RSA Decipher clear key data | X'011F' | PKA decryption

Chapter 4. Installation Steps on OS/390 and z/OS

This chapter contains step-by-step instructions for installing and configuring PathWAI Secure for WebSphere MQ (PathWAI Secure) on OS/390 and z/OS. This chapter contains instructions for installing both the basic PathWAI Secure product and the PathWAI Secure Global Administrator product, if your site has licensed it. Be aware that the Global Administrator product is distributed on its own CDROM; be sure that you have the correct CDROM before beginning the installation.

If you are installing the Global Administrator, keep in mind the following:

- Install only one Global Administrator for your site's PathWAI Secure network.
- Install the Global Administrator first. You must register the Global Administrator before registering any additional (local) administrators.

Before You Begin

The installation steps in this chapter assume that you have completed the steps in Installation Preparation on page 33. Before you begin the installation, locate a Windows or UNIX machine from which you can transfer the PathWAI Secure software. PathWAI Secure is distributed only on CDROM media; you will need to download the PathWAI Secure software to a Windows or UNIX workstation and transfer the software to the mainframe. This chapter contains complete instructions.

Summary of Steps

Steps for installing PathWAI Secure are summarized below.

Step 1. Migrate Version 200 Databases, if Necessary
Step 2. Transfer the MQSecure Software - Windows Procedure
Step 3. Transfer the MQSecure Software - UNIX Procedure
Step 4. APF-Authorize MQSecure Datasets
Step 5. Customize the MQSecure Server PROC
Step 6. Customize the Configuration File
Step 7. Update Channel Initiator JCL
Step 8. Update SYS1.PARMLIB to Start MFSSRVR
Step 9. Enable S/390 Crypto Facility Processing
Step 10. Create MQSecure Queues
Step 11. Start the KMFADM Utility
Step 12. Create a New User Key Database
Step 13. Register the Global Administrator
Step 14. Register a Local Administrator
Step 15. Export Local Administrator's Public Key
Step 16. Import Remote Administrators' Public Keys
Step 17. Re-Encrypt User Key Database(s), if Necessary
Step 18. Export Administrators' Public Keys to LDAP, if Necessary
Step 19. Modify the MQSeries Channels
Step 20. Verify MQSecure Installation

Step 1. Migrate Version 200 Databases, if Necessary

Complete this step only if your site is currently running MQSecure Version 200. If your site is running MQSecure Version 210 or installing PathWAI Secure V300 for the first time, skip this step and turn to Step 2. Transfer the PathWAI Secure Software - Windows Procedure on page 44.

If your site is running MQSecure Version 200, you must run the Version 210 KMFCONV conversion utility to convert your existing user key databases to Version 210 format. (You will subsequently upgrade Version 210 to Version 300. Do not attempt to convert a Version 200 database directly to Version 300; you must complete two upgrade procedures.) Be sure to run Version 210 KMFCONV on all user key databases, including those you may have backed up in Version 200 format.

Follow these steps:

1. Edit this JCL: CANDLE.MQSECURE.TMFSAMP(KMFCONV)
2. Modify the JCL according to instructions in the JCL.
3. Submit the JCL.

Note: To use the new database, ensure that its name is pointed to by the USERS DD in MFSSRVR and specified in KMFADM. (You may want to rename the old database prior to running the job and ensure that the new database has the same name as the database it replaces.)

Step 2. Transfer the PathWAI Secure Software - Windows Procedure

If you are using a UNIX workstation for this procedure, skip this section and turn to Step 3. Transfer the PathWAI Secure Software - UNIX Procedure on page 53.

This section contains instructions for downloading the PathWAI Secure CDROM to a Windows workstation and transferring the PathWAI Secure software from Windows to the mainframe. These steps are summarized below.

- Download the File Transfer Utilities
- Customize the File Transfer Utilities
- Transfer the KFMUTIL Utility
- Allocate Receiving Datasets
- Transfer the PathWAI Secure Software
- Create Partitioned Datasets
- Delete Sequential Datasets

Download the File Transfer Utilities

In this step you will download the KMFMVSI1 and KMFMVSI2 file transfer utilities from the PathWAI Secure CDROM to your workstation hard drive.

Follow these steps:

1. Log onto Windows and create a local working directory for the PathWAI Secure files. For example: Program Files\Candle\PathWAI\Secure\Transfer
2. Insert the PathWAI Secure CDROM into your CDROM drive and go to this directory: MVS
3. Copy the following files to your local directory:
   KMFMVSI1.FIL
   KMFMVSI2.FIL

Customize the File Transfer Utilities

In this step you will customize the KMFMVSI1 and KMFMVSI2 file transfer utilities for your site, replacing defaults with values appropriate for your site.

Follow these steps:

1. Edit KMFMVSI1.FIL, replacing defaults as follows:
   - Change MVSID to: A valid mainframe user ID
   - Change E:\MVS\EXEC to: cdrom_drive\mvs\exec
   - Change USER.EXEC to: High-level qualifier for a dataset from which you can execute a REXX EXEC (the KMFUTIL installation utility)
2. Edit KMFMVSI2.FIL, replacing defaults as follows:
   - Change MVSID to: A valid mainframe user ID
   - Change CANDLE to: Highest-level qualifier for PathWAI Secure datasets.
   - Change E:\MVS\BIN to: cdrom_drive:\mvs\bin
   - Change E:\MVS\LIB to: cdrom_drive:\mvs\lib
   - Change E:\MVS\EXEC to: cdrom_drive:\mvs\exec
   - Change E:\MVS\ISPF to: cdrom_drive:\mvs\ispf
   - Change E:\MVS\SAMP to: cdrom_drive:\mvs\samp

Transfer the KFMUTIL Utility

In this step you will execute ftp with the kmfmvsi1 file to transfer the installation utility KMFUTIL from the PathWAI Secure CDROM to the target mainframe system.

Follow these steps:

1. From a DOS prompt, run the following ftp command:

       ftp -n -v mvs_ip_address <c:\directory\kmfmvsi1.fil

   where:
   - mvs_ip_address is the IP address of the target mainframe machine.
   - directory is the directory where kmfmvsi1.fil resides.
2. When prompted, enter your mainframe logon password.

Allocate Receiving Datasets

In this step you will execute the KMFUTIL utility to allocate a set of sequential datasets which will receive the MQSecure software transferred from the CDROM.

Follow these steps:

1. Log onto the mainframe.
2. Execute the following TSO command:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

3. Select: 1
4. When prompted, enter your values for the following:
   - High-level-name: The high-level qualifier for temporary sequential datasets. For example: CANDLE.TEMPMQS
   - volume-id: The VOLSER where the sequential datasets will reside. Note that if your site uses SMS, this volume must be under the control of SMS. For example: TEST01
   - DASD-type: The type of storage device. For example: 3390

Transfer the PathWAI Secure Software

In this step you will execute ftp with the kmfmvsi2 file to transfer the PathWAI Secure software from the PathWAI Secure CDROM to the receiving datasets you allocated in the previous step.

Follow these steps:

1. Return to your Windows workstation.
2. Run the following ftp command:

       ftp -n -v mvs_ip_address <e:\directory\kmfmvsi2.fil

   where:
   - mvs_ip_address is the IP address of the target mainframe machine
   - directory is the working directory where kmfmvsi2.fil resides.
3. When prompted, enter your mainframe logon password.

Create Partitioned Datasets

In this step you will execute KMFUTIL to build a set of partitioned datasets and copy the MQSecure software from the receiving sequential datasets to the partitioned datasets.

Follow these steps:

1. From a TSO session:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

2. Select: 2
3. When prompted, enter the high-level qualifier you used for the temporary sequential datasets you created in the previous step.
4. When prompted, enter a high-level qualifier for the MQSecure partitioned datasets that you want to create. The remaining installation steps in this guide assume the following high-level qualifier for MQSecure datasets: CANDLE.MQSECURE
   If you use a different name, make a note of it here for your reference:
   MQSecure high-level qualifier:
5. Press ENTER to start the dataset build job.

When the build job completes, you will have the following library of MQSecure datasets:

- CANDLE.MQSECURE.TMFBSAFE
- CANDLE.MQSECURE.TMFEXECF
- CANDLE.MQSECURE.TMFEXECV
- CANDLE.MQSECURE.TMFLIB
- CANDLE.MQSECURE.TMFLINK
- CANDLE.MQSECURE.TMFLOAD
- CANDLE.MQSECURE.TMFMENU
- CANDLE.MQSECURE.TMFPENU
- CANDLE.MQSECURE.TMFSAMP

Delete Sequential Datasets

In this step you will execute KMFUTIL to delete the receiving sequential datasets, which you no longer need.

Follow these steps:

1. From a TSO session:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

2. Select: 3
3. When prompted, enter the high-level qualifier you used for the sequential datasets (for example: CANDLE.TEMPMQS). A list of target datasets is displayed.
4. Enter Y to confirm the delete request. The datasets are deleted.
5. Enter Q to quit KMFUTIL.

Step 3. Transfer the PathWAI Secure Software - UNIX Procedure

If you are using a Windows workstation for this procedure, turn to Step 2. Transfer the PathWAI Secure Software - Windows Procedure on page 44.

This section contains instructions for downloading the PathWAI Secure CDROM to a UNIX workstation and transferring the PathWAI Secure software from UNIX to the mainframe. These steps are summarized below.

- Download the File Transfer Utilities
- Customize the File Transfer Utilities
- Transfer the KFMUTIL Utility
- Allocate Receiving Datasets
- Transfer PathWAI Secure Software
- Create Partitioned Datasets
- Delete Sequential Datasets

Download the File Transfer Utilities

In this step you will download the kmfmvsu1 and kmfmvsu2 file transfer utilities from the PathWAI Secure CDROM to your workstation hard drive.

Follow these steps:

1. Log onto UNIX and create a local working directory for the PathWAI Secure files. For example: Candle/PathWAI/Secure/Transfer
2. Insert the PathWAI Secure CDROM into the CDROM drive and enter a command similar to the one below.

       mount device mount_point

   where:
   - device is the device driver for the CDROM
   - mount_point is the directory where the device will be mounted

   (Note that the PathWAI Secure CDROM conforms to ISO 9660 standards. The mount command may require additional options depending upon the UNIX platform you are running. If necessary, consult the man pages.)
3. Go to this CDROM directory: MVS
4. Copy the following files to your local directory:
   kmfmvsu1.fil
   kmfmvsu2.fil

Customize the File Transfer Utilities

In this step you will customize the kmfmvsu1 and kmfmvsu2 file transfer utilities for your site, replacing defaults with values appropriate for your site.

Follow these steps:

1. Edit the kmfmvsu1.fil file, replacing defaults as follows:
   - Change MVSID to: A valid mainframe user ID
   - Change E:\MVS\EXEC to: mount_point/mvs/exec
   - Change USER.EXEC to: High-level qualifier for a dataset from which you can execute a REXX EXEC (the KMFUTIL installation utility)
2. Edit kmfmvsu2.fil, replacing defaults as follows:
   - Change MVSID to: A valid mainframe user ID
   - Change CANDLE to: Highest-level qualifier for PathWAI Secure datasets.
   - Change E:\MVS\xxxx to: mount_point/mvs/xxxx, where xxxx must be BIN, EXEC, ISPF, LIB and SAMP.

Transfer the KFMUTIL Utility

In this step you will execute ftp with the kmfmvsu1 file to transfer the installation utility KMFUTIL from the PathWAI Secure CDROM to the target mainframe system.

Follow these steps:

1. From UNIX, run the following ftp command:

       ftp -n -v mvs_ip_address </work_dir/kmfmvsu1.fil

   where:
   - mvs_ip_address is the IP address of the target mainframe machine.
   - work_dir is the working directory where you copied kmfmvsu1.fil.
2. When prompted, enter your mainframe logon password.

Allocate Receiving Datasets

In this step you will execute the KMFUTIL utility to allocate a set of sequential datasets which will receive the MQSecure software transferred from the CDROM.

Follow these steps:

1. Log onto the mainframe.
2. Execute the following TSO command:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

3. Select: 1
4. When prompted, enter your values for the following:
   - High-level-name: The high-level qualifier for temporary sequential datasets. For example: CANDLE.TEMPMQS
   - volume-id: The VOLSER where the sequential datasets will reside. Note that if your site uses SMS, this volume must be under the control of SMS. For example: TEST01
   - DASD-type: The type of storage device. For example: 3390

Transfer PathWAI Secure Software

In this step you will execute ftp with the kmfmvsu2 file to transfer the PathWAI Secure software from the PathWAI Secure CDROM to the receiving datasets you allocated in the previous step.

Follow these steps:

1. Return to your UNIX workstation.
2. Run the following ftp command:

       ftp -n -v mvs_ip_address </work_dir/kmfmvsu2.fil

   where:
   - mvs_ip_address is the IP address of the target mainframe machine
   - work_dir is the working directory where you copied kmfmvsu2.fil
3. When prompted, enter your mainframe logon password.

Create Partitioned Datasets

In this step you will execute KMFUTIL to build a set of partitioned datasets and copy the MQSecure software from the receiving sequential datasets to the partitioned datasets.

Follow these steps:

1. From a TSO session:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

2. Select: 2
3. When prompted, enter the high-level qualifier you used for the temporary sequential datasets you created in the previous step.
4. When prompted, enter a high-level qualifier for the MQSecure partitioned datasets that you want to create. The remaining installation steps in this guide assume the following high-level qualifier for MQSecure datasets: CANDLE.MQSECURE
   If you use a different name, make a note of it here for your reference:
   MQSecure high-level qualifier:
5. Press ENTER to start the dataset build job.

When the build job completes, you will have the following library of MQSecure datasets:

- CANDLE.MQSECURE.TMFBSAFE
- CANDLE.MQSECURE.TMFEXECF
- CANDLE.MQSECURE.TMFEXECV
- CANDLE.MQSECURE.TMFLIB
- CANDLE.MQSECURE.TMFLINK
- CANDLE.MQSECURE.TMFLOAD
- CANDLE.MQSECURE.TMFMENU
- CANDLE.MQSECURE.TMFPENU
- CANDLE.MQSECURE.TMFSAMP

Delete Sequential Datasets

In this step you will execute KMFUTIL to delete the receiving sequential datasets, which you no longer need.

Follow these steps:

1. From a TSO session:

       EX CANDLE.USER.EXEC(KMFUTIL)

   The MQSecure Utility Functions main menu is displayed:

       KMFUTIL: MQSecure Utility Functions - Choose One.
       1 - Allocate MQSecure receiving sequential datasets.
       2 - Create MQSecure executable partitioned datasets from the receiving sequential datasets.
       3 - Delete MQSecure receiving datasets.
       H - Help information for MVS and OS/2.
       Q - Exit.

2. Select: 3
3. When prompted, enter the high-level qualifier you used for the sequential datasets (for example: CANDLE.TEMPMQS). A list of target datasets is displayed.
4. Enter Y to confirm the delete request. The datasets are deleted.
5. Enter Q to quit KMFUTIL.

Step 4. APF-Authorize PathWAI Secure Datasets

In this step you will APF-authorize the PathWAI Secure load library.

Do either of the following:

- APF-authorize CANDLE.MQSECURE.TMFLOAD.
- Copy the MQS@SRVR load module from CANDLE.MQSECURE.TMFLOAD to another APF-authorized dataset.

63 Step 5. Customize the PathWAI Secure Server PROC Step 5. Customize the PathWAI Secure Server PROC Your site may ru oe or more PathWAI Secure servers, each oe servicig a particular user key database. Each PathWAI Secure cliet process or applicatio will commuicate with oe of these servers. I this step you will customize the PathWAI Secure server PROC MFSSRVR for your site ad copy the procedure for multiple servers, if ecessary. Note: Alteratively, existig customers may update their curret MFSSRVR JCL by addig the followig DD statemet: //MQSCONF DD DISP=SHR,DSN=&CONF This statemet poits to the ew cofiguratio file. Follow these steps: 1. Copy CANDLE.MQSECURE.TMFSAMP(MFSSRVR) to a istallatio procedure library. 2. Locate the //MFSSRVR PROC statemet ad customize it as follows: For LOAD=, eter the ame of the dataset cotaiig the MQS@SRVR load module (either CANDLE.MQSECURE.TMFLOAD or the other APF-authorized dataset where you copied MQS@SRVR). For CLOAD=, eter the laguage eviromet ru-time load library. For CDPGLIB=, eter the MQSeries APF-authorized load library. For USERS= eter the ame of the dataset where the user key database will reside. For CONF= eter the ame of the dataset where your cofiguratio settigs for this PathWAI Secure server will reside. 3. Locate the //MQSSUSRx DD statemet ad do oe of the followig: If your site will ru just oe PathWAI Secure server (servicig oe user key database) delete the followig DD statemet: //MQSSUSRx DD DUMMY (The iteral default is oe server.) If your site will ru more tha oe server, chage x to a alphaumeric character that idetifies this particular server. For example: Istallatio Steps o OS/390 ad z/os 63

         //MQSSUSR1 DD DUMMY

     Each application or process that is a client of this server will reference it through this DD statement.
4. If your site will run more than one server, make a copy of MFSSRVR for each server. Edit each copy and change USERS= to the name of the dataset where the user key database connected to this server will reside. Also, change the //MQSSUSRx DD statement to reflect this instance. For example:

       //MQSSUSR2 DD DUMMY

65 Step 6. Customize the Configuration File

In this step you will customize the PathWAI Secure configuration file KMFCONF for your site.

Follow these steps:

1. Edit the configuration file:

       CANDLE.MQSECURE.TMFSAMP(KMFCONF)

2. If your site will use an LDAP as a repository for PathWAI Secure administrators' public keys, enter the hostname or IP address of the machine where the LDAP resides on the following statement:

       MQSECURE_LDAP_SERVER_ADDRESS=

   Also, enter the listening port number of your LDAP server on the following statement:

       MQSECURE_LDAP_SERVER_PORT=

3. If your site will not use an LDAP (on any platform), enter none on the MQSECURE_LDAP_SERVER_ADDRESS= statement, as follows:

       MQSECURE_LDAP_SERVER_ADDRESS=none

   Also, enter none on the MQSECURE_LDAP_SERVER_PORT= statement, as follows:

       MQSECURE_LDAP_SERVER_PORT=none

4. If you plan to use the S/390 Crypto Facility to improve the performance of cryptographic operations, enter S390 on the MQSECURE_HARDWARE_ENABLED= statement, as follows:

       MQSECURE_HARDWARE_ENABLED=S390

5. If you plan to use the Triple Data Encryption Standard (TDES), enter TDES on the MQSECURE_SYM_ENCRYPT= statement, as follows:

       MQSECURE_SYM_ENCRYPT=TDES

   Note: You must use TDES if you plan to use the S/390 Crypto Facility or if you plan to communicate with other nodes that will be using some type of hardware encryption. You may also use TDES with a software encryption implementation; however, this may adversely affect performance.

6. If your site will run more than one PathWAI Secure server, copy the PathWAI Secure configuration file for each server and modify it accordingly.
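The rules in Step 6 (LDAP address and port both set or both none, and TDES whenever the S/390 Crypto Facility is enabled) can be checked before the server is started. The script below is an added example, not part of the product or of the original guide; it assumes the settings are available as plain text with one NAME=value statement per line, and the comment markers it skips and the sample host name are assumptions.

```shell
#!/bin/sh
# Added example (not product code): consistency check for the MQSECURE_*
# statements described in Step 6.
# Assumptions: one NAME=value statement per line; lines that begin with
# '*' or '#' are skipped as comments (these markers are assumed).

# get_setting FILE NAME: print the value of the last NAME= statement.
get_setting() {
    awk -v key="$2" '
        /^[ \t]*[*#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# valid_port VALUE: succeed only for a decimal number from 1 to 65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_conf FILE: print one finding per line; exit status = number of findings.
check_conf() {
    cc_n=0
    cc_addr=$(get_setting "$1" MQSECURE_LDAP_SERVER_ADDRESS)
    cc_port=$(get_setting "$1" MQSECURE_LDAP_SERVER_PORT)
    cc_hw=$(get_setting "$1" MQSECURE_HARDWARE_ENABLED)
    cc_sym=$(get_setting "$1" MQSECURE_SYM_ENCRYPT)

    # Both LDAP statements need a value: a real server, or the word none.
    if [ -z "$cc_addr" ] || [ -z "$cc_port" ]; then
        echo "LDAP address or port is blank: enter a server value or none"
        cc_n=$((cc_n + 1))
    elif [ "$cc_addr" = none ] && [ "$cc_port" != none ]; then
        echo "LDAP address is none but port is '$cc_port'"
        cc_n=$((cc_n + 1))
    elif [ "$cc_addr" != none ] && [ "$cc_port" = none ]; then
        echo "LDAP address is '$cc_addr' but port is none"
        cc_n=$((cc_n + 1))
    elif [ "$cc_port" != none ] && ! valid_port "$cc_port"; then
        echo "LDAP port '$cc_port' is not a number from 1 to 65535"
        cc_n=$((cc_n + 1))
    fi

    # The S/390 Crypto Facility requires TDES as the symmetric cipher.
    if [ "$cc_hw" = S390 ] && [ "$cc_sym" != TDES ]; then
        echo "MQSECURE_HARDWARE_ENABLED=S390 requires MQSECURE_SYM_ENCRYPT=TDES"
        cc_n=$((cc_n + 1))
    fi
    return "$cc_n"
}

# Constructed sample: LDAP address without a port, and hardware crypto
# enabled while the symmetric cipher statement is missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample settings
MQSECURE_LDAP_SERVER_ADDRESS=ldap.example.com
MQSECURE_LDAP_SERVER_PORT=none
MQSECURE_HARDWARE_ENABLED=S390
EOF
check_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```
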

67 Step 7. Update Channel Initiator JCL

In this step you will update your site's WebSphere MQ channel initiator JCL to reference PathWAI Secure.

Follow these steps:

1. Edit the channel initiator address space started task JCL, and add the following DD statements:

       //CSQXLIB DD DSN=CANDLE.MQSECURE.TMFLOAD,DISP=SHR
       //MQSSUSRx DD DUMMY
       //MQSLOG DD SYSOUT=*

   where x is the alphanumeric character that identifies the PathWAI Secure server.
2. If you are using the S/390 Crypto Facility, include a STEPLIB statement referencing the PathWAI Secure load library:

       CANDLE.MQSECURE.TMFLOAD

3. Repeat this procedure for each instance of WebSphere MQ channel initiator address space started task JCL.

68 Step 8. Update SYS1.PARMLIB to Start MFSSRVR

In this step you will update SYS1.PARMLIB with start command(s) for the PathWAI Secure server, as follows:

Edit SYS1.PARMLIB, and place start commands for each MFSSRVR started task in the appropriate COMMANDxx members. This ensures that cached keys are available for the entire session.

These changes will take effect on the next IPL (an IPL is not necessary now).

69 Step 9. Enable S/390 Crypto Facility Processing

This step is required only if your site is using the S/390 Crypto Facility.

Follow these steps:

1. Perform a prelink and linkedit of the two ICSF object files PathWAI Secure needs to interface to the S/390 Crypto Facility by executing the following JCL:

       CANDLE.MQSECURE.TMPSAMP(KMFCSLK)

   This job creates two members in the PathWAI Secure product load library: KMFQC390 and KMFQM390.
2. Verify that your RACF administrator has granted permission to the following CCA Services required by PathWAI Secure:

       RACF Service Name   Function
       CSFCKM              Multiple Clear Key Import
       CSFDEC              Decipher callable service
       CSFDSG              Digital signature generate callable service
       CSFDSV              Digital signature verify callable service
       CSFENC              Encipher callable service
       CSFOWH              One-way hash generate callable service
       CSFPKD              PKA decrypt callable service
       CSFPKE              PKA encrypt callable service
       CSFPKI              PKA key import callable service
       CSFRNG              Random number generate callable service

   Both the Channel Initiator started task and the PathWAI Secure administrator must be authorized to use these services. All the services listed must be authorized, even if you do not anticipate using all of them.
3. When application-to-application security is used and hardware is enabled, all applications using the PathWAI Secure direct and indirect APIs will use the facility. Therefore, any job or started task which uses APIs must:
   - Have RACF authorization to use the services above

   - Be able to LOAD PathWAI Secure load library members KMFQC390 and KMFQM390. To facilitate the LOAD, these two members must reside in at least one of the following:
     - A load library which is allocated to the job via JOBLIB or STEPLIB DD statements
     - The link library (defined during system generation by the LNKLSTxx member of SYS1.PARMLIB)
     - The system's link pack area (defined during system generation)

71 Step 10. Create PathWAI Secure Queues

In this step you will use the MQSeries utility CSQUTIL to create two special MQSeries queues required by PathWAI Secure for distributing user keys and holding problem messages. If you are not familiar with CSQUTIL, ask your site's MQSeries administrator for help.

Sample queue definitions are provided in this file:

    CANDLE.MQSECURE.TMFSAMP(KMFQDEFS)

Follow these steps:

1. Define the following queues, using the sample KMFQDEFS definitions:

       SYSTEM.MQSECURE.PROBLEMS
       SYSTEM.MQSECURE.COMMANDS

2. Ensure that the SYSTEM.MQSECURE.COMMANDS queue is sufficiently secured. This is especially important in client/server configurations, where each PathWAI Secure client can be a PathWAI Secure administrator. Ask your site's MQSeries administrator for help, if necessary.

72 Step 11. Start the KMFADM Utility

In this step you will update your logon procedure to make the PathWAI Secure Administration utility KMFADM available through an ISPF session and then start KMFADM. You will use KMFADM in subsequent steps to complete the configuration process.

Follow these steps:

1. Delete any existing MQSSPROF/MQSXPROF from your ISPPROF dataset.
2. Add the CANDLE.MQSECURE.TMFEXECF (fixed-block) or CANDLE.MQSECURE.TMFEXECV (variable-block) ISPF dataset to your SYSEXEC DD statement (usually in the LOGON PROC).
3. From an ISPF session, start the KMFADM utility as follows:

       KMFADM

   The PathWAI Secure Administration main menu is displayed:

       ==============================================
       KMFPADM0 PathWAI Secure Administration   User    : MQSADMIN1
       Select Administration Function           Date    : 2002/06/29
                                                Terminal: 3278
       UserData: CANDLE.PWSECURE.DATABASE
       ==============================================
       Create/Specify user key database
       Manage User Keys
       Manage User Key Database
       Manage Certificates
       Manage LDAP Repository
       ==============================================
       Select function using / and press ENTER
       Press END to exit.
       COMMAND ===>

73 Step 12. Create a New User Key Database

In this step you will configure a mainframe database that will be used as a user key repository. If you intend to use third-party keys, you must create a new user key database. Do not attempt to import third-party keys into an existing (Version 210) database.

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Create/Specify user key database

2. Enter the following information:
   - At Enter user key database:, specify the fully-qualified dataset name for your user key database (for example: CANDLE.MQSECURE.qmgr_name.USERS).
   - At Volume:, replace VOLSER with the volume that the user key database will reside on.
   - At Number of user key records:, specify the maximum number of records that the database will contain (or retain the default of 100). You will need a minimum of one record per PathWAI Secure node plus two for internal PathWAI Secure use.
   - At Unit:, specify the disk pack type (or retain the default of SYSDA).
3. Press Enter to create and initialize the new database.

74 Step 13. Register the Global Administrator

If you did not install the Global Administrator, skip this step and turn to "Step 14. Register a Local Administrator" on page 76.

In this step you will register the Global Administrator for your PathWAI Secure network by importing a PKCS#12 file containing key pair and user certificate information. Your site must register the Global Administrator before registering any local administrators.

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Manage Certificates

2. Select:

       Register Administrator using third party generated keys

3. Set the Global Administrator's password as follows:
   - Admin. Password: Specify the password you want to assign to the Global Administrator. This value may be any valid mainframe password.
   - Confirm Password: Confirm the above password.
4. Enter the following:
   - RSA Modulus Size: Specify the modulus size in bits, using any number between 768 and 2048, divisible by 8. If this value is not divisible by 8, the cryptographic services will round the value up to one that is divisible by 8.
   - Server User Suffix: If your site is running multiple PathWAI Secure servers, specify the alphanumeric character that identifies the PathWAI Secure server and its user key database. This character must match the one on the MQSSUSRx ddname in the MFSSRVR JCL that runs this instance of PathWAI Secure. If your site is running only one PathWAI Secure server, leave this field blank.

   - User Data QMGR: Leave this field blank (it is not currently used).
   - Code Page ID: Replace 500, if necessary, with the code page used by this system.
5. Identify the PKCS#12 file and specify information about your PathWAI Secure environment, as follows:
   - PKCS12 Dataset: The dataset name of the PKCS#12 file.
   - PKCS12 Password: The password for the above file.
   - LDAP Server in use: Set this field to YES.
   - Configuration file: Enter the dataset name of the PathWAI Secure configuration file that you customized in "Step 6. Customize the Configuration File" on page 65.
6. When you have completed the panel, press Enter.

76 Step 14. Register a Local Administrator

Caution: This step overwrites any existing user key databases. If you are upgrading from a previous version of PathWAI Secure and wish to use your existing user key database(s), do not complete this step. If you are upgrading from a previous version of PathWAI Secure and wish to generate new user key database(s), you should complete this step.

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Manage User Keys

2. Enter the following information:
   - At Admin ID:, define a user ID for this administrator. The user ID may be any valid mainframe user ID that is meaningful for you and unique system-wide. Candle recommends an ID that is role-based or group-based, rather than one that is associated with an individual. It may be the name of an application or a name that represents a group of users (each user need not be associated with the name). It may also be the name of a role (for example: telemarketing representatives). PathWAI Secure uses the user ID to locate keys in the user key database.
   - At Password:, define a password for this user ID. The password may be any valid mainframe password.
   - At Confirm Password:, specify the password again to confirm.
   - At Server user suffix:, specify the alphanumeric character that identifies the PathWAI Secure server and its user key database. This character must match the one on the MQSSUSRx ddname in the MFSSRVR JCL that runs this instance of PathWAI Secure. If your site is using only one server, press TAB to bypass this field.
   - At User data QMGR:, press TAB to bypass this variable (it is not currently used).
   - At Code Page ID:, replace 500, if necessary, with the code page used by this system.

   When you are finished specifying the above information, press Enter.

77 Step 15. Export Local Administrator's Public Key

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Manage User Keys

2. Select Export admin/users.
3. Enter the fully-qualified name of a partitioned or sequential dataset to which the administrator's public key will be exported (do not use quotes). If a PDS, then the member must also be specified (for example: CANDLE.MQSECURE.EXPRTKEY(ADMIN1)). Then press Enter.

   The system responds with messages as it exports the administrator's public key to the file you defined. Look for a message that the Admin ID successfully exported to the file you defined.
4. Use FTP or another file transfer utility to perform a binary transfer of the export file to each connecting node or to the global administrator node, if your site is using an LDAP.

78 Step 16. Import Remote Administrators' Public Keys

Follow these steps:

1. Allocate an import dataset. Allocate either a sequential or partitioned dataset (PDS) with the following DCB attributes:

       RECFM=VB
       LRECL=255
       BLKSIZE=4000

   and then copy the export file(s) there that you wish to import.
2. From the PathWAI Secure Administration main menu, select:

       Manage User Keys

3. Select Import users, then press Enter.
4. Specify the fully-qualified name of a partitioned or sequential dataset from which the remote administrator's public key will be imported (do not use quotes). If a PDS, then the member must also be specified (for example: CANDLE.MQSECURE.IMPRTKEY(ADMIN1)). Then press Enter.

79 Step 17. Re-Encrypt User Key Database(s), if Necessary

This step re-encrypts your user key database(s) with a new unique RC2 key. This step should be performed by sites that are upgrading from a previous version of PathWAI Secure and are using their existing user key databases. It should be done at your site's earliest convenience and may be done in a staged manner.

If you are a new PathWAI Secure customer, or an existing customer who chose to create new user key databases, skip to "Step 20. Verify MQSecure Installation" on page 83.

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Manage User Key Database

2. Select Re-encrypt user key database, then press Enter.
3. The Re-encrypt User Key Database panel displays.
4. Press Enter.
5. Look for the following message:

       Re-encrypt Database successfully completed

   Your user key database is re-encrypted with a new unique key.

You may need to exchange keys with other nodes or the Global Administrator if you have added new nodes or if some nodes have initialized their user key databases.

80 Step 18. Export Administrators' Public Keys to LDAP, if Necessary

This step exports administrators' public keys to the LDAP key repository.

Follow these steps:

1. From the PathWAI Secure Administration main menu, select:

       Manage LDAP Repository

2. Select Export Local Public Keys to LDAP Repository, then press Enter. The User List panel displays.
3. Select the users that you wish to export to the LDAP and press Enter.

81 Step 19. Modify the MQSeries Channels

In this step you will modify the MQSeries channels as required by PathWAI Secure.

Follow these steps:

1. Start the PathWAI Secure server (MFSSRVR).
2. Start the MQSeries queue manager.
3. Recycle the Channel Initiator address space for the MQSeries queue manager.
4. Shut down the sender channels on the communicating nodes.
5. Modify the channel exits as follows:
   - If you want to use only channel authentication, modify the MSGEXIT and MSGDATA attributes for both ends of the channel (sender and receiver) as follows:

         ALTER CHANNEL(chname) CHLTYPE(chtype) MSGEXIT(MQSSEXIT) MSGDATA(A)

     Note: For SRVCONN channels, use the send and receive exits instead of the message exit:

         ALTER CHANNEL(chname) CHLTYPE(SRVCONN) SENDEXIT(SENDEXIT) SENDDATA(A) RCVEXIT(RECEXIT) RCVDATA(A)

   - If you want to use encryption, specify the SCYEXIT attribute and modify the MSGDATA attribute for both ends of the channel (sender and receiver) as follows:

         ALTER CHANNEL(chname) CHLTYPE(chtype) SCYEXIT(SECEXIT) MSGEXIT(MQSSEXIT) MSGDATA(AE)

     Note: For SRVCONN channels, use the send and receive exits instead of the message exit:

         ALTER CHANNEL(chname) CHLTYPE(SRVCONN) SCYEXIT(SECEXIT) SENDEXIT(SENDEXIT) SENDDATA(E) RCVEXIT(RECEXIT) RCVDATA(E)

6. Bring up the sender channels.
7. Traffic between the two nodes is now secured on the configured channels. The sending node signs and/or encrypts all messages destined for the receiving node. The receiving node verifies the signature and/or decrypts the message.

If verification or decryption fails, the message is placed in the SYSTEM.MQSECURE.PROBLEMS queue. To avoid misleading the application sending a message, Confirmation Of Arrival flags (COA, COA_WITH_DATA, COA_WITH_FULL_DATA) and Confirmation Of Delivery flags (COD, COD_WITH_DATA, COD_WITH_FULL_DATA) in the Message Descriptor Report field are switched off. This ensures a sending application is not incorrectly notified that a message arrived on the intended target queue, or was delivered to the target application, when in fact PathWAI Secure security processing diverted the message to the SYSTEM.MQSECURE.PROBLEMS queue.
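Because the exit attributes must be set on both ends of a channel, a mismatch (for example, one end left at MSGDATA(A) while the other is MSGDATA(AE)) is worth checking before the sender channels are brought up. The script below is an added example, not part of the product or of the original guide; it applies only the exit settings stated in step 5, and the channel name and the one-line attribute(value) input are constructed.

```shell
#!/bin/sh
# Added example (not product code): compare the exit attributes of the two
# ends of a channel against the settings given in Step 19.
# Input is one line of MQSC attribute(value) text per channel end
# (constructed here; in practice, taken from your own channel definitions).

# attr TEXT NAME: print the value of NAME(...) in TEXT, empty if absent.
attr() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2(\(.*\))\$/\1/p" | tail -n 1
}

# flags TEXT: the exit data carrying the A/E flags for this channel type.
flags() {
    if [ "$(attr "$1" CHLTYPE)" = SRVCONN ]; then
        attr "$1" SENDDATA      # SRVCONN uses the send and receive exits
    else
        attr "$1" MSGDATA       # other channel types use the message exit
    fi
}

# check_end TEXT: findings for one end; exit status = number of findings.
check_end() {
    ce_n=0
    ce_id="$(attr "$1" CHANNEL)/$(attr "$1" CHLTYPE)"
    ce_flags=$(flags "$1")
    if [ "$(attr "$1" CHLTYPE)" = SRVCONN ]; then
        if [ "$(attr "$1" SENDEXIT)" != SENDEXIT ] ||
           [ "$(attr "$1" RCVEXIT)" != RECEXIT ]; then
            echo "$ce_id: SENDEXIT(SENDEXIT) and RCVEXIT(RECEXIT) are not both set"
            ce_n=$((ce_n + 1))
        fi
        if [ "$(attr "$1" RCVDATA)" != "$ce_flags" ]; then
            echo "$ce_id: SENDDATA and RCVDATA differ"
            ce_n=$((ce_n + 1))
        fi
    elif [ "$(attr "$1" MSGEXIT)" != MQSSEXIT ]; then
        echo "$ce_id: MSGEXIT(MQSSEXIT) is not set"
        ce_n=$((ce_n + 1))
    fi
    case $ce_flags in
        '')  echo "$ce_id: no A or E flag in the exit data"
             ce_n=$((ce_n + 1)) ;;
        *E*) if [ "$(attr "$1" SCYEXIT)" != SECEXIT ]; then
                 echo "$ce_id: E flag set without SCYEXIT(SECEXIT)"
                 ce_n=$((ce_n + 1))
             fi ;;
    esac
    return "$ce_n"
}

# check_pair END1 END2: check each end, then require identical flags.
check_pair() {
    cp_n=0
    check_end "$1" || cp_n=$((cp_n + $?))
    check_end "$2" || cp_n=$((cp_n + $?))
    if [ "$(flags "$1")" != "$(flags "$2")" ]; then
        echo "ends disagree: '$(flags "$1")' versus '$(flags "$2")'"
        cp_n=$((cp_n + 1))
    fi
    return "$cp_n"
}

# Constructed sample: the sender asks for encryption, the receiver does not.
SND='CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) SCYEXIT(SECEXIT) MSGEXIT(MQSSEXIT) MSGDATA(AE)'
RCV='CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) MSGEXIT(MQSSEXIT) MSGDATA(A)'
check_pair "$SND" "$RCV" || echo "findings: $?"
```
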

83 Step 20. Verify MQSecure Installation

In this step you will execute the test program MQDIRECT to verify that your installation and configuration of PathWAI Secure are successful. MQDIRECT uses a direct API to implement PathWAI Secure.

Two procedures are given:

- Procedure (Single Node) is a quick test for a single node using a direct API to implement PathWAI Secure.
- Procedure (Two Nodes) tests node-to-node channel exits as well as the indirect API. The second node used in this procedure may or may not be on the mainframe.

Procedure (Single Node)

Follow these steps:

1. Execute a batch program invoking MQDIRECT with the -x option.
2. Execute a batch program invoking MQDIRECT with the -t2 option.
3. Verify that a message arrived intact.

Procedure (Two Nodes)

Follow these steps (using a channel where you have configured channel exits):

1. Be sure that the PathWAI Secure servers (MFSSRVR) are running on both nodes. If the second node is on the mainframe, start the PathWAI Secure server on that node also.
2. Be sure that the MQSeries queue managers are running on both nodes.
3. Execute a batch program invoking MQS@OP with the -x option.
4. Execute MQS@OP (mqs_op if non-OS/390) with the -t2 option on the other node. Verify that the message arrived intact.


85 Chapter 5. Installation Steps on UNIX (GUI)

Introduction

This chapter contains step-by-step instructions for installing and configuring PathWAI Secure for WebSphere MQ (PathWAI Secure) on UNIX using the Graphical User Interface (GUI).

This chapter contains instructions for installing both the basic PathWAI Secure product and the PathWAI Secure Global Administrator product, if your site has licensed it. Be aware that the Global Administrator product is distributed on its own CDROM; be sure that you have the correct CDROM before beginning the installation.

If you are installing the Global Administrator, keep in mind the following:

- Install only one Global Administrator for your site's PathWAI Secure network.
- Install the Global Administrator first. You must register the Global Administrator before registering any additional (local) administrators.

Before You Begin

The installation steps in this chapter assume that you have completed the steps described in "Installation Preparation" on page 33.

86 Summary of Steps

The installation steps are summarized below.

Step 1. Install MQSecure Software
Step 2. Configure the Local MQSecure Node
Step 3. Configure OCSP Revocation Checking
Step 4. Identify the User Key Repository
Step 5. Configure a Local LDAP Directory
Step 6. Create MQSecure Queues
Step 7. Set Environment Variables
Step 8. Add LDAP Tools to Path (LDAP Users Only)
Step 9. Register the Global Administrator
Step 10. Register the Local Administrator
Step 11. Re-Encrypt User Key Database(s), if Necessary
Step 12. Export Administrators' Public Keys to File
Step 13. Import the Keys File to User Key Databases
Step 14. Export the Keys File to LDAP (LDAP Sites Only)
Step 15. Modify the WebSphere MQ Channels
Step 16. Verify MQSecure Installation

87 Step 1. Install PathWAI Secure Software

In this step you will execute the install.sh script to copy the PathWAI Secure software from the PathWAI Secure CD-ROM to disk.

Follow these steps:

1. Log in to UNIX with a user ID that has system administrator authority.
2. Create a PathWAI Secure administrator account (user ID) called pwsecure with the following home directory:

       /home/pwsecure

3. Set the permissions and ownership as follows:

       chmod 750 /home/pwsecure
       chown pwsecure:mqm /home/pwsecure

4. Create the /var/pwsecure directory as follows:

       mkdir -m 770 -p /var/pwsecure

5. Transfer ownership of the directory to the pwsecure user ID, as follows:

       chown pwsecure:mqm /var/pwsecure

6. Insert the PathWAI Secure CD-ROM into the CD-ROM drive and enter a command similar to the one below.

       mount device mount_point

   where:
   - device is the device driver for the CD-ROM
   - mount_point is the directory where the device will be mounted

   Note that the PathWAI Secure CDROM conforms to ISO 9660 standards. The mount command may require additional options depending upon the UNIX platform you are running. If necessary, consult the man pages.
7. Log off, then log back in under the new pwsecure user ID to continue the installation.

8. Candle recommends that you install PathWAI Secure using a Korn shell; if necessary, change to a Korn shell now:

       ksh

9. If necessary, set the DISPLAY environment variable:

       export DISPLAY=ipaddress:0.0

   where ipaddress is the IP address of the local machine.
10. Execute the installation script:

        install.sh -h candlehome

    where:

    candlehome is the target directory where you want to install PathWAI Secure (for example: /home/pwsecure). If you omit this flag, install.sh uses the value assigned to the CANDLEHOME environment variable.

    If /home/pwsecure already exists, this prompt is displayed:

        CANDLEHOME directory "/home/pwsecure" already exists. OK to use it [ y or n; "y" is default ]?

    Enter Y or press Enter to use the existing directory or enter N to specify a new directory.

    If /home/pwsecure does not exist, this prompt is displayed:

        CANDLEHOME directory "/home/pwsecure" does not exist. Try to create it [ y or n; "y" is default ]?

    Enter Y or press Enter to create the directory.

    The following menu is displayed:

11. Enter:

        1

    The Candle Installation for UNIX GUI starts.
12. Click Agree to accept the licensing agreement.
13. Click INSTALL from the welcome screen:
14. Click INSTALL from the selection bar displayed:

15. The Select Products to Install dialog opens. Note that the PathWAI Secure software component is either MQSecure or MQSecure Global Administrator, depending on the CDROM you are installing. For example:
16. Select (check) the MQSecure component.
17. If you want to install a local user key database, select (check) CandleNet ebp Directory. Candle recommends that you install a local user key database if possible.
18. Click Install to continue. The PathWAI Secure software is downloaded to your machine. This may take several minutes.

91 Step 2. Configure the Local PathWAI Secure Node

In this step you will configure options for the local PathWAI Secure node. Be aware that you can reconfigure these parameters at any time; if you are unsure of the appropriate value, accept the default shown.

The Configure MQSecure Node dialog is displayed. For example:

1. Under Options, specify the following:
   - Hardware Enabled: If the local machine is configured to use hardware encryption, select ADAPTER1 from the pull-down; if hardware encryption is not available, use option none.
   - Symmetric Encryption: Use the pull-down to select the type of encryption:
     - AES128, AES192, AES256: AES (Rijndael) is a block cipher that operates on 16-byte blocks. It was selected as the new Advanced Encryption Standard (AES) algorithm to replace DES. Select the appropriate key length (128-bit, 192-bit, or 256-bit).
     - RC2: 128-bit RC2.
     - RC4128, RC4192, RC4256: RC4 is a stream cipher that operates on bit or byte streams. Its execution speed is considered very fast, but the encryption key can only be used once. Select the appropriate key length (128-bit, 192-bit, or 256-bit).
     - RC5128, RC5192, RC5256: RC5 is a block cipher that operates on 8-byte blocks. It is a successor to the RC2 algorithm and offers higher execution speed and comparable strength of security at similar key lengths. Select the appropriate key length (128-bit, 192-bit, or 256-bit).
     - RC6128, RC6192, RC6256: RC6 is a block cipher that operates on 16-byte blocks. It is a successor to the RC5 algorithm and was a final candidate for the new Advanced Encryption Standard (AES) algorithm to replace DES. Select the appropriate key length (128-bit, 192-bit, or 256-bit).
     - TDES: Triple-DES.

   - Default RSA Modulus Size: The default modulus size ("key length"). You may specify any size from 768 to 2048 bits; however, if you want to communicate with a node running Version 200 of MQSecure, you must use a modulus size of 800. Expanded key lengths were not supported in Version 200. Be aware that you can override the default modulus size when you generate new administrator or user keys using the mqs_adm utility.
   - Signature Algorithm: Use the pull-down to select the hashing algorithm for signing and authenticating: RSAMD5 (RSA MD5) or RSASHA1 (RSA SHA-1). SHA-1 is considered more secure; use SHA-1 where compatibility with existing applications is not an issue.
2. Specify the following if you want to embed certificates within PathWAI Secure messages:
   - Embed Public Key Certificate: Set this option as follows:
     - YES enables certificate embedding.
     - AS AVAILABLE embeds certificates only when available.
     - ALWAYS always embeds certificates. If no certificate is available, the operation fails.
   - Embed Certificate Chain: Set this option as follows:
     - ONE embeds only the signer's public key certificate.
     - TRUSTED embeds a chain of verification certificates up to the first certificate designated as trusted.
     - ROOT embeds a chain of certificates up to a root (self-signed) certificate.
3. For installation testing, leave the MultiPrime field set to NO and the Channel Security field set to NONE. You can reconfigure the local PathWAI Secure node later to enable these features.
4. Do not click OK yet; you have additional configuration tasks in this dialog.

94 Step 3. Configure OCSP Revocation Checking

If your site does not intend to use an OCSP responder for revocation checking, skip this step.

In this step you will enable OCSP revocation checking, specify the location of the OCSP responder, and configure some additional OCSP-related parameters.

Follow these steps:

1. In the Configure MQSecure Node dialog, set the Revocation Checking field to VALICERT.
2. Click OK. The OCSP Communication Options dialog opens:
3. Set OCSP Scope as follows:
   - GLOBAL enables revocation checking for all channels on this node.
   - CHANNEL enables revocation checking only on those channels which have been configured with a V in the MSGDATA parameter.

4. Specify the following:
   - OCSP Requestor Cert: Enter the distinguished name on the certificate of the MQSecure user who will sign requests to the OCSP responder from this node.
   - OCSP Response Cert: Enter the distinguished name on the trusted certificate of the key holder who will sign responses to status requests.
   - OCSP Transport Destinations: Enter the URL of the responder to which the status request will be sent. You can specify multiple URLs, separated by a comma.
   - OCSP Transport Proxies: Enter the URL for the responder proxy, if any. You can specify multiple URLs, separated by a comma.
   - OCSP Cache Retention: Enter the amount of time (in seconds) status information will be kept in in-memory cache.
5. Do not click OK yet; you have additional configuration tasks in this dialog.

96 Step 4. Identify the User Key Repository

In this step you will specify the location of the database ("LDAP") used as a user key repository and specify the listening port of its server so that the local PathWAI Secure node can communicate with it. The user key repository may be on the local machine, if you are installing it now, or it may reside on a remote machine in your site's PathWAI Secure network.

Follow these steps:

1. Under LDAP Connection, be sure that the Use Connection box is checked.
2. Specify the following:
   - LDAP Server Address: The hostname or TCP/IP address of the machine where the LDAP resides. If you are configuring a local LDAP now, this is the local hostname. If you intend to connect the local node to a remote LDAP, this is the hostname or TCP/IP address of the remote machine. This field sets environment variable MQSECURE_LDAP_SERVER_ADDRESS.
   - LDAP Server Port: The LDAP Directory server's TCP/IP listening port. This field sets environment variable MQSECURE_LDAP_SERVER_PORT.
3. Click OK to continue.

97 Step 5. Configure a Local LDAP Directory

If you did not install the CandleNet ebp Directory component of PathWAI Secure, skip this step.

In this step you will configure a local LDAP Directory. Complete this step if you selected Candle ebp Directory from the PathWAI Secure component dialog.

The Configure LDAP dialog opens. For example:

Follow these steps:

1. Verify that the LDAP port number is correct.
2. Click Local Host and verify that the hostname of the machine is correct, then click OK.

3. If you wish, enter a new LDAP User ID and password by writing over the default values.
4. Click OK. The LDAP is configured and seeded (initialized with sample data).
5. Wait for this message:

       The seeding operation is complete. Do you wish to view the output?

6. Click Yes to display the results of the seeding operation. You may optionally print or save to disk the results.
7. Click Close to continue. The Manage Candle Services dialog opens.
8. Right-click on CandleNet ebp Directory and select Start Service from the drop-down menu.
9. Verify that the Directory server is Started.
10. Select File > Exit to close the Manage Candle Services dialog.
11. Click EXIT to exit the welcome screen.

100 Step 6. Create PathWAI Secure Queues

In this step you will use the MQSeries utility runmqsc to create two special MQSeries queues required by MQSecure for distributing user keys and holding problem messages. If you are not familiar with runmqsc, ask your site's MQSeries administrator for help.

Sample queue definitions are provided in this file:

    /home/mqsecure/samp/kmfqdefs.txt

Follow these steps:

1. Define the following queues, using the sample kmfqdefs.txt definitions:

       SYSTEM.MQSECURE.PROBLEMS
       SYSTEM.MQSECURE.COMMANDS

2. Ensure that the SYSTEM.MQSECURE.COMMANDS queue is sufficiently secured. This is especially important in client/server configurations, where each MQSecure client can be an MQSecure administrator. Ask your site's MQSeries administrator for help, if necessary.

Step 7. Set Environment Variables

This step ensures that your path is properly set to execute PathWAI Secure. This step applies to both new customers and customers installing over version V110, even if installing into the same CANDLEHOME.

Follow these steps:

1. Set the following environment variables in your .profile, .cshrc, or .login file:

    PATH=$PATH:/usr:/usr/bin:candlehome/platform/mf/bin
    LIBPATH=$LIBPATH:/lib:/usr/lib:candlehome/platform/mf/lib (AIX only)
    SHLIB_PATH=$SHLIB_PATH:/lib:/usr/lib:candlehome/platform/mf/lib (HP-UX only)
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/usr/lib:candlehome/platform/mf/lib (Sun Solaris only)
    MQSECURE_LDAP_SERVER_ADDRESS=ldap_address (only needed if using LDAP)
    MQSECURE_LDAP_SERVER_PORT=ldap_port# (only needed if using LDAP)
    MQSECURE_HARDWARE_ENABLED=ADAPTER1 (only needed if using 4758 cryptographic coprocessor)
    MQSECURE_SYM_ENCRYPT=TDES (only needed if not using the default RC2 for symmetric encryption)

where:

    candlehome is your PathWAI Secure home directory (for example: /home/pwsecure).
    platform is the platform you installed for (for example: aix42)
    ldap_address is the IP address or hostname of your LDAP server
    ldap_port# is the listening port number of your LDAP server; Candle recommends that you use

Export each of the environment variables you set above:

    export PATH
    export LIBPATH (AIX only)
    export SHLIB_PATH (HP-UX only)
    export LD_LIBRARY_PATH (Sun Solaris only)
    export MQSECURE_LDAP_SERVER_ADDRESS (only if using LDAP)
    export MQSECURE_LDAP_SERVER_PORT (only if using LDAP)
    export MQSECURE_HARDWARE_ENABLED (only if using 4758 cryptographic coprocessor)
    export MQSECURE_SYM_ENCRYPT (only needed if not using the default RC2 for symmetric encryption)
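The Step 7 assignments have the form VAR=$VAR:/lib:..., which leaves a leading empty entry when VAR was previously unset; in PATH an empty entry means the current directory, and some dynamic loaders (glibc's, for example) read an empty library-path entry the same way. The following added example (not Candle's code) builds the same values without empty entries and lists any empty or relative entries already present. The function names are hypothetical, /home/pwsecure and aix42 are the guide's own sample values, and how the AIX, HP-UX and Solaris loaders treat an empty entry is an assumption to verify on each platform.

```shell
#!/bin/sh
# Added example, not part of the PathWAI Secure distribution.

# Name of the library search variable Step 7 assigns on each platform,
# keyed by the output of `uname -s`.
libpath_var_for() {
    case "$1" in
        AIX)   echo LIBPATH ;;
        HP-UX) echo SHLIB_PATH ;;
        SunOS) echo LD_LIBRARY_PATH ;;
        *)     return 1 ;;
    esac
}

# join_path CURRENT NEW...
# Append each NEW entry to the colon-separated CURRENT value, skipping
# duplicates. An empty CURRENT produces no leading ':' (the guide's
# VAR=$VAR:/lib form produces ":/lib" in that case).
join_path() {
    result=$1
    shift
    for entry in "$@"; do
        case ":$result:" in
            *":$entry:"*) ;;                          # already present
            *) result="${result:+$result:}$entry" ;;
        esac
    done
    printf '%s\n' "$result"
}

# unsafe_entries VALUE
# Print every entry of a colon-separated search path that is empty or not
# an absolute path. Prints nothing when all entries are absolute.
unsafe_entries() {
    rest=$1
    [ -n "$rest" ] || return 0
    while :; do
        case "$rest" in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case "$entry" in
            /*) ;;                      # absolute path: fine
            "") echo "<empty>" ;;       # empty entry
            *)  echo "$entry" ;;        # "." or another relative path
        esac
        [ "$more" -eq 1 ] || break
    done
}

# step7_assignments CANDLEHOME PLATFORM OSNAME
# Print the PATH and library-path assignments of Step 7, built from the
# caller's current environment without introducing empty entries.
step7_assignments() {
    home=$1 platform=$2 os=$3
    libvar=$(libpath_var_for "$os") || { echo "unsupported OS: $os" >&2; return 1; }
    eval "libcur=\${$libvar:-}"
    printf 'PATH=%s\n' \
        "$(join_path "${PATH:-}" /usr /usr/bin "$home/$platform/mf/bin")"
    printf '%s=%s\n' "$libvar" \
        "$(join_path "$libcur" /lib /usr/lib "$home/$platform/mf/lib")"
}

# Demonstration with the guide's sample values; on a real node the third
# argument would be "$(uname -s)".
step7_assignments /home/pwsecure aix42 AIX
```

Run `unsafe_entries "$PATH"` and the same check on the platform's library variable after sourcing the profile; any output is an entry to remove or make absolute.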

Step 8. Add LDAP Tools to Path (LDAP Users Only)

This step applies only to sites that will use an LDAP. If your site is not using an LDAP, skip to "Step 10. Register the Local Administrator" on page 105.

This step adds tools to your path, enabling you to perform LDAP administration, including stopping and starting the LDAP. For more information on administering the LDAP, consult the PathWAI Secure for WebSphere MQ Administrator's Guide.

Follow these steps:

To add LDAP tools to your path, execute the following shell script:

    CANDLEHOME/roma/platform/roma.ksh

where:

    platform is the platform you installed for (for example: aix42)
    ksh is your user's shell (i.e. csh or sh)

Step 9. Register the Global Administrator

If you did not install the Global Administrator locally, skip this step and turn to "Step 10. Register the Local Administrator" on page 105.

In this step you will register the Global Administrator for your PathWAI Secure network by importing a PKCS#12 file and a PKCS#7 file containing key pair and user certificate information. Your site must register the Global Administrator before registering any local administrators.

Follow these steps:

1. Be sure that the LDAP directory server (service CandleNet ebp Directory) is configured and running and that you are connected to it.
2. Execute the mqs_adm utility as follows:

    mqs_adm -s -f pkcs12file

   where pkcs12file is the name of your PKCS#12 file.
3. When prompted, enter the encryption password for the PKCS#12 file.
4. When prompted, enter the ID you want to assign to the Global Administrator. You must enter the user ID prefixed by cn=. For example:

    LDAP Update User ID: cn=manager

5. When prompted, enter the password you want to assign to the Global Administrator.
6. Execute the mqs_adm utility as follows:

   For trusted certificates:

    mqs_adm -i -c -f pkcs7file -t

   where pkcs7file is the name of your PKCS#7 file. Certificates imported by the Global Administrator as trusted are automatically exported to the user key repository and copied to local trusted certificate databases the first time they are needed to verify a signature.

   For untrusted certificates:

    mqs_adm -i -c -f pkcs7file

   where pkcs7file is the name of your PKCS#7 file.

Step 10. Register the Local Administrator

Caution: This step overwrites any existing user key databases. If you are upgrading from a previous version of PathWAI Secure and wish to use your existing user key database(s), do not complete this step. Skip to "Step 11. Re-Encrypt User Key Database(s), if Necessary" on page 107. If you are upgrading from a previous version of PathWAI Secure and wish to generate new user key database(s), you should complete this step.

This step initializes the PathWAI Secure administrative environment by:

- Emptying the existing user key database, if any.
- Establishing a PathWAI Secure administrator user ID and password.
- Creating a public/private key pair for the administrator and storing it in the user key database (by default, MQSS.USR).

Once this step is completed, all further administrative sessions are validated against the administrator's user ID and password.

Follow these steps:

1. Log in to a node on which you installed MQSecure.
2. From a UNIX prompt, do one of the following:

   If this is a WebSphere MQ server node, enter this command:

    mqs_adm -s

   If this is a WebSphere MQ client node, enter this command:

    mqs_admc -s

3. Enter a user ID for this administrator (it must be unique across this PathWAI Secure network) using the following format:

    cn=<ldap root dn User ID>

   For example:

    LDAP Update User ID: cn=manager

4. Enter the password.

Repeat the above steps on every node where you installed PathWAI Secure.

Step 11. Re-Encrypt User Key Database(s), if Necessary

To ensure the integrity of the database, this step re-generates a unique database encryption key and re-encrypts the database using the new key.

This step should be performed by sites that are upgrading from a previous version of PathWAI Secure and are using their existing user key databases. It should be done at your site's earliest convenience and may be done in a staged manner.

If you are a new PathWAI Secure customer, or an existing customer who chose to create new user key databases, skip to "Step 12. Export Administrators' Public Keys to File" on page 108.

Follow these steps:

1. Log on to a node where you installed PathWAI Secure.
2. From a UNIX prompt:

    mqs_adm -k

   The system responds by prompting you for the global administrator's user ID.
3. Enter the administrator's user ID. The system responds by prompting you for the global administrator's password.
4. Enter the global administrator's password.
5. The system responds by prompting you for the user ID to be exported.
6. Enter the user ID to be exported.

Repeat the above steps on every node where you installed PathWAI Secure.

Step 12. Export Administrators' Public Keys to File

In this step you will export PathWAI Secure administrators' public keys to a file which will be imported (in the subsequent step) to either:

- The user key database of the Global Administrator (if your site will use the Roma LDAP)
- The user key database at each connecting node

Candle recommends that you use a secured file transport method.

Follow these steps:

1. Log on to any node except the Global Administrator node where you have installed PathWAI Secure and registered an administrator.
2. Export the keys to a file as follows:

   If this is a WebSphere MQ server node, enter this command:

    mqs_adm -a -f filename

   If this is a WebSphere MQ client node, enter this command:

    mqs_admc -a -f filename

   where filename is the unique full pathname of the file to which the keys for this administrator are being exported.
3. Enter the administrator's user ID and password.

   Repeat the above steps for each PathWAI Secure node in this network.
4. Log on to the Global Administrator node.
5. Repeat steps 2 and 3 above to write the Global Administrator's public keys to a separate export file.

Step 13. Import the Keys File to User Key Databases

In this step you will import the files you created in the previous step to either:

- The user key database of the Global Administrator (if your site is using the Roma LDAP)
- The user key database at each connecting node

Follow these steps:

1. Transfer the file securely to either the Global Administrator node (if your site is using the Roma LDAP) or to any other connecting node.
2. Import the keys file as follows:

   If this is a WebSphere MQ server node, enter this command:

    mqs_adm -i -f filename

   If this is a WebSphere MQ client node, enter this command:

    mqs_admc -i -f filename

   where filename is the full pathname of the export file you created above.

   The system responds by prompting you for the local administrator's user ID (if you are an LDAP site, this will be the Global Administrator's user ID) and the password.
3. Enter the administrator's user ID and password.

Repeat the above steps for each export file. If yours is a non-LDAP site, repeat the above steps for every pair of connecting nodes.

Step 14. Export the Keys File to LDAP (LDAP Sites Only)

This step is required by sites that have installed the Roma LDAP to use as their key repository. If your site is not using the Roma LDAP, installation and configuration is complete.

In this step you will export all PathWAI Secure administrators' public keys from the Global Administrator to the LDAP. This step applies only to the Global Administrator node. The administrator keys from all the other nodes must have been imported before this step is executed.

Follow these steps:

1. Log on to the Global Administrator node.
2. Export the keys as follows:

   If this is a WebSphere MQ server node, enter this command:

    mqs_adm -e -r

   If this is a WebSphere MQ client node, enter this command:

    mqs_admc -e -r

   The system responds by prompting you for the administrator's user ID and password.
3. Enter the Global Administrator's user ID and password.

Step 15. Modify the WebSphere MQ Channels

In this step you will modify the MQSeries channels as required by MQSecure.

Follow these steps:

1. Start the MQSeries queue manager.
2. Recycle the Channel Initiator address space for the MQSeries queue manager.
3. Shut down the sender channels on the communicating nodes.
4. Modify the channel exits as follows:

   If you want to use only channel authentication, modify the MSGEXIT and MSGDATA attributes for both ends of the channel (sender and receiver) as follows:

    ALTER CHANNEL(chame) CHLTYPE(chtype) MSGEXIT('mqs_exit(mqs_exit)') MSGDATA(A)

   Note: For CLNTCONN/SVRCONN channels, use the send and receive exits instead of the message exit, and on the client side, use mqsexitc instead of mqs_exit:

    ALTER CHANNEL(chame) CHLTYPE(CLNTCONN) SENDEXIT('mqsexitc(Send_Exit)') SENDDATA(A) RCVEXIT('mqsexitc(Rec_Exit)') RCVDATA(A)
    ALTER CHANNEL(chame) CHLTYPE(SVRCONN) SENDEXIT('mqs_exit(Send_Exit)') SENDDATA(A) RCVEXIT('mqs_exit(Rec_Exit)') RCVDATA(A)

   If you want to use encryption, specify the SCYEXIT attribute and modify the MSGDATA attribute for both ends of the channel (sender and receiver) as follows:

    ALTER CHANNEL(chame) CHLTYPE(chtype) SCYEXIT('mqs_exit(sec_exit)') MSGEXIT('mqs_exit(mqs_exit)') MSGDATA(AE)

   Note: For CLNTCONN/SVRCONN channels, use the send and receive exits instead of the message exit, and on the client side, use mqsexitc instead of mqs_exit:

    ALTER CHANNEL(chame) CHLTYPE(CLNTCONN) SCYEXIT('mqsexitc(sec_exit)') SENDEXIT('mqsexitc(Send_Exit)') SENDDATA(E) RCVEXIT('mqsexitc(Rec_Exit)') RCVDATA(E)
    ALTER CHANNEL(chame) CHLTYPE(SVRCONN) SCYEXIT('mqs_exit(sec_exit)') SENDEXIT('mqs_exit(Send_Exit)') SENDDATA(E) RCVEXIT('mqs_exit(Rec_Exit)') RCVDATA(E)

5. Bring up the sender channels.
6. Traffic between the two nodes is now secured on the configured channels. The sending node signs and/or encrypts all messages destined for the receiving node. The receiving node verifies the signature and/or decrypts the message. If verification fails, the message is placed in the SYSTEM.MQSECURE.PROBLEMS queue.

Step 16. Verify MQSecure Installation

In this step you will execute the test program MQDIRECT to verify that your installation and configuration of PathWAI Secure are successful. MQDIRECT uses a direct API to implement PathWAI Secure.

Two procedures are given:

- Procedure (Single Node) is a quick test for a single node using a direct API to implement PathWAI Secure.
- Procedure (Two Nodes) tests node-to-node channel exits as well as the indirect API.

Procedure (Single Node)

Follow these steps:

1. Execute MQDIRECT with the -w t2 options.
2. Execute MQDIRECT with the -w -t2 options.
3. Verify that the message arrived intact.

Procedure (Two Nodes)

Follow these steps (using a channel where you have configured channel exits):

1. Be sure that the WebSphere MQ queue managers are running on both nodes.
2. Execute MQS_OP with the -w t2 options.
3. Execute MQS_OP with the -w -t2 options on the other node. Verify that the message arrived intact.


7 Installation Steps on Windows

Introduction

This chapter contains step-by-step instructions for installing and configuring PathWAI Secure for WebSphere MQ (PathWAI Secure) on Windows.

This chapter contains instructions for installing both the basic PathWAI Secure product and the PathWAI Secure Global Administrator product, if your site has licensed it. Be aware that the Global Administrator product is distributed on its own CDROM; be sure that you have the correct CDROM before beginning the installation.

If you are installing the Global Administrator, keep in mind the following:

- Install only one Global Administrator for your site's PathWAI Secure network.
- Install the Global Administrator first. You must register the Global Administrator before registering any additional administrators.

Before You Begin

The installation steps in this chapter assume that you have completed the steps described in "Installation Preparation" on page 33.

Summary of Steps

Steps for installing PathWAI Secure are summarized below.

Step 1. Migrate Version 200 Databases, if Necessary
Step 2. Verify User ID Authority
Step 3. Download the Software
Step 4. Configure the Local PathWAI Secure Node
Step 5. Identify the User Key Repository
Step 6. Configure a Local User Key Repository
Step 7. Reboot
Step 8. Migrate Version 210 Databases, if Necessary
Step 9. Re-Encrypt Version 210 Databases, if Necessary
Step 10. Register the Global Administrator
Step 11. Register the Local Administrator
Step 12. Export Public Keys to File
Step 13. Import Public Keys to User Key Databases
Step 14. Export Keys to LDAP (LDAP Sites Only)
Step 15. Create PathWAI Secure Queues
Step 16. Enable Channel Exit Security
Step 17. Verify PathWAI Secure Installation

Step 1. Migrate Version 200 Databases, if Necessary

Complete this step only if your site is currently running MQSecure Version 200. If your site is running MQSecure Version 210 or installing PathWAI Secure V300 for the first time, skip this step and turn to "Step 2. Verify User ID Authority" on page 118.

If your site is running MQSecure Version 200, you must run the Version 210 kmfcov conversion utility to convert your existing user key databases to Version 210 format. (You will subsequently upgrade Version 210 to Version 300. Do not attempt to convert a Version 200 database directly to Version 300; you must complete two upgrade procedures.)

Be sure to run Version 210 kmfcov on all user key databases, including those you may have backed up in Version 200 format.

Follow these steps:

1. Back up the user key database.
2. Ensure that the database to be converted has the name MQSS.USR and is located in the MQSSDIR directory.
3. Shut down all MQSecure applications (including WebSphere MQ channels containing MQSecure exits), as follows:

    dbdow

4. Execute the Version 210 kmfcov program as follows:

    kmfcov [admin_id] [admin_pwd]

   where admin_id is the user ID of the administrator of the database and admin_pwd is the associated password.

Step 2. Verify User ID Authority

If you are installing on Windows 98, skip this step.

In this step you will verify that you have the proper authority to run the setup installation program. Your Windows user ID must have administrator authority.

Follow these steps:

1. From the Start button, select: Programs => Administrative Tools => User Manager. The User Manager window opens.
2. Locate your user ID (under Username) in the top window and double-click on it. The User Properties window opens.
3. Click on the Groups button in the lower left corner. The Group Memberships window opens.
4. Look under Member of: and be sure that Administrators is listed. Have your site's administrator add it, if necessary.
5. Select OK.
6. Close the User Manager windows.

Step 3. Download the Software

In this step you will run the setup installation utility to download the PathWAI Secure software from the distribution CDROM to disk.

Follow these steps:

1. Log onto Windows and close any running applications.
2. Insert the PathWAI Secure CDROM into your CDROM drive. Installation begins automatically. If the installer does not start, select the Start button, then Run. Enter:

    d:\windows\setup.exe

   where d: is your CDROM drive.

   Note: If the installer initialization fails, be sure you have enough disk space (at least 2 Mb) in the location referenced by your TEMP system variable.
3. Click Next at the Welcome screen.
4. Click Yes to accept the Software License Agreement.
5. At the Choose Destination Location panel, do one of the following:

   - If you wish to install into the default directory shown, click Next to continue.
   - If you wish to install into a different directory, click Browse and specify the directory on the Choose Folder popup panel, then click OK. Click Next to continue.

   The default PathWAI Secure directory shown is:

    Program Files\Candle\PathWAI\Secure for WMQ

   All subsequent installation steps assume that you are using the default directory name. If you change the directory name, make a note of it here for your reference:

    PathWAI Secure Directory:

   The Select Components dialog opens.
6. Select (check) PathWAI Secure for WebSphere MQ.
7. If you want to install a local user key database, select (check) Business Directory Server. Candle recommends that you install a local user key database unless the local machine is running Windows 98 (Windows 98 does not support this feature).
8. Click Next to continue.
9. At the Start Copying Files panel, review your settings and click Next to continue. (If you wish to change any settings, click Back.)

   Previous users: If you are installing over a previous release of PathWAI Secure, this message is displayed:

    Setup may update some of the PathWAI Secure files already on disk. Do you wish to continue?

   Click Yes. The PathWAI Secure software download process begins.

   The Choose Exits Location dialog opens.
10. Check the WebSphere MQ directory name shown and change it, if necessary. Note that if you are using WebSphere MQ Version 5.x, the default directory is Program Files\MQSeries. This is the target directory where setup will copy the WebSphere MQ channel exits.
11. Click Next to continue. This message is displayed:

    In the following screen, please enter values for PathWAI Secure. Then, press OK in that screen.

12. Click OK to continue.

Step 4. Configure the Local PathWAI Secure Node

In this step you will configure options for the local PathWAI Secure node. You will:

- Configure encryption options
- Enable OCSP revocation checking and identify the OCSP responder
- Tell the local node to use an LDAP database (directory and server) as a user key repository

Be aware that you can reconfigure these parameters at any time; if you are unsure of the appropriate value, accept the default shown.

The Configure PathWAI Secure for WebSphere MQ Node dialog is displayed.

1. Under Options, specify the following:

   Hardware Enabled
       If the local machine is configured to use hardware encryption, select ADAPTER1 from the pull-down; if hardware encryption is not available, use option none.

   Symmetric Encryption
       Use the pull-down to select the type of encryption:

       AES128, AES192, AES256: AES (Rijndael) is a block cipher that operates on 16-byte blocks. It was selected as the new Advanced Encryption Standard (AES) algorithm to replace DES. Select the appropriate key length (128-bit, 192-bit, or 256-bit).

       RC2: 128-bit RC2.

       RC4128, RC4192, RC4256: RC4 is a stream cipher that operates on bit or byte streams. Its execution speed is considered very fast, but the encryption key can only be used once. Select the appropriate key length (128-bit, 192-bit, or 256-bit).

       RC5128, RC5192, RC5256: RC5 is a block cipher that operates on 8-byte blocks. It is a successor to the RC2 algorithm and offers higher execution speed and comparable strength of security at similar key lengths. Select the appropriate key length (128-bit, 192-bit, or 256-bit).

       RC6128, RC6192, RC6256: RC6 is a block cipher that operates on 16-byte blocks. It is a successor to the RC5 algorithm and was a final candidate for the new Advanced Encryption Standard (AES) algorithm to replace DES. Select the appropriate key length (128-bit, 192-bit, or 256-bit).

       TDES: Triple-DES.

   Default RSA Modulus Size
       The default modulus size ("key length"). You may specify any size from 768 to 2048 bits; however, if you want to communicate with a node running Version 200 of MQSecure, you must use a modulus size of 800. Expanded key lengths were not supported in previous releases. Be aware that you can override the default modulus size when you generate new administrator or user keys using the mqs_adm utility.

   Signature Algorithm
       Use the pull-down to select the hashing algorithm for signing and authenticating: RSAMD5 (RSA MD5) or RSASHA1 (RSA SHA-1). SHA-1 is considered more secure; use SHA-1 where compatibility with existing applications is not an issue.

2. To enable revocation checking, set the OCSP Revocation Checking field to VALICERT. The OCSP configuration fields are activated.
3. Specify the following as required by your OCSP responder:

   OCSP Scope
       Set this option as follows:
       GLOBAL enables revocation checking for all channels on this node.
       CHANNEL enables revocation checking only on those channels which have been configured with a V in the MSGDATA parameter.

   OCSP Requestor Cert
       Enter the distinguished name on the certificate of the MQSecure user who will sign requests to the OCSP responder from this node.

   OCSP Response Cert
       Enter the distinguished name on the trusted certificate of the key holder who will sign responses to status requests.

   OCSP Transport Destinations
       Enter the URL of the responder to which the status request will be sent. You can specify multiple URLs, separated by a comma.

   OCSP Transport Proxies
       Enter the URL for the responder proxy, if any. You can specify multiple URLs, separated by a comma.

   OCSP Cache Retention
       Enter the amount of time (in seconds) status information will be kept in in-memory cache.

4. Specify the following for 3rd-party certificate checking:

   Embed Public Key Certificate
       Set this option as follows:
       YES enables certificate embedding.
       AS AVAILABLE embeds certificates only when available.
       ALWAYS always embeds certificates. If no certificate is available, the operation fails.

   Embed Certificate Chain
       Set this option as follows:
       ONE embeds only the signer's public key certificate.
       TRUSTED embeds a chain of verification certificates up to the first certificate designated as trusted.
       ROOT embeds a chain of certificates up to a root (self-signed) certificate.

5. For installation testing, leave the MultiPrime field set to NO and the Channel Security field set to NONE. You can reconfigure the local PathWAI Secure node later to enable these features.
6. Do not click OK yet; you have additional configuration tasks in this dialog.

Step 5. Identify the User Key Repository

In this step you will specify the location of the database ("LDAP") used as a user key repository and specify the listening port of its server so that the local PathWAI Secure node can communicate with it. The user key repository may be on the local machine, or it may reside on a remote machine in your site's PathWAI Secure network.

Follow these steps:

1. Under LDAP Connection, be sure that the Use Connection box is checked.
2. Specify the following:

   LDAP Server Address
       The hostname or TCP/IP address of the machine where the LDAP resides. If you are configuring a local LDAP now, this is the local hostname. If you intend to connect the local node to a remote LDAP (if, for example, the local node is running Windows 98), this is the hostname or TCP/IP address of the remote machine. This field sets environment variable MQSECURE_LDAP_SERVER_ADDRESS.

   LDAP Server Port
       The LDAP Directory server's TCP/IP listening port. This field sets environment variable MQSECURE_LDAP_SERVER_PORT.

3. Click OK to continue.

Step 6. Configure a Local User Key Repository

If the local machine is running Windows 98, skip this step and turn to "Step 7. Reboot" on page 130.

In this step you will configure a local database and server ("LDAP") that will be used as a user key repository. The configuration dialog in this step is displayed only if you selected the Business Directory Server component in "Step 3. Download the Software" on page 119.

This message is displayed:

    Would you like to configure the LDAP at this time?

Follow these steps:

1. Click OK to continue. An information panel displays the default User ID (manager) and password (secret) for the LDAP administrator. You will have the opportunity to change these defaults on the next panel.
2. Click OK. The Configure Stand-Alone LDAP dialog opens.
3. Verify that the port number shown is correct.
4. Click Local Host and verify that the hostname of the machine is correct.
5. You may enter a new LDAP User ID and password by writing over the default values shown.


Chapter 1. Introduction to Computers and C++ Programming. Copyright 2015 Pearson Education, Ltd.. All rights reserved. Chapter 1 Itroductio to Computers ad C++ Programmig Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Overview 1.1 Computer Systems 1.2 Programmig ad Problem Solvig 1.3 Itroductio to C++ 1.4 Testig

More information

Adapter for Mainframe

Adapter for Mainframe BEA WebLogic Java Adapter for Maiframe Workflow Processig Guide Release 5.0 Documet Date: Jauary 2002 Copyright Copyright 2002 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software

More information

User Guide. Using Caliber Datamart

User Guide. Using Caliber Datamart User Guide Usig Caliber Datamart 11.1.0 Copyright 2013 Micro Focus. All Rights Reserved. Portios Copyright 1998-2009 Borlad Software Corporatio (a Micro Focus compay). All other marks are the property

More information

BAAN IV. BAAN IV Installation Manual for DB2 on Windows NT

BAAN IV. BAAN IV Installation Manual for DB2 on Windows NT BAAN IV BAAN IV Istallatio Maual for DB2 o Widows NT A publicatio of: Baa Developmet B.V. P.O.Box 143 3770 AC Bareveld The Netherlads Prited i the Netherlads Baa Developmet B.V. 1999. All rights reserved.

More information

User s Guide PathWAI TM Web Segment Analyzer

User s Guide PathWAI TM Web Segment Analyzer User s Guide PathWAI TM Web Segment Analyzer Version 1.0.1 GC32-9347-00 April 2004 Candle Corporation 100 North Sepulveda Boulevard El Segundo, California 90245 Registered trademarks and service marks

More information

1 Enterprise Modeler

1 Enterprise Modeler 1 Eterprise Modeler Itroductio I BaaERP, a Busiess Cotrol Model ad a Eterprise Structure Model for multi-site cofiguratios are itroduced. Eterprise Structure Model Busiess Cotrol Models Busiess Fuctio

More information

BEA WebLogic Process Integrator

BEA WebLogic Process Integrator BEA WebLogic Process Itegrator A Compoet of BEA WebLogic Itegratio BEA WebLogic Process Itegrator Studio Olie Help BEA WebLogic Process Itegrator Release 2.0 Documet Editio 2.0 July 2001 Copyright Copyright

More information

USB TO PARALLEL USB to DB25 Parallel Adapter Cable

USB TO PARALLEL USB to DB25 Parallel Adapter Cable USB TO PARALLEL USB to DB25 Parallel Adapter Cable User Maual XUPP25 www.hamletcom.com Dear Customer, thaks for choosig a Hamlet product. Please carefully follow the istructios for its use ad maiteace

More information

BaanERP. DB2 Installation Guide for BaanERP on Windows NT

BaanERP. DB2 Installation Guide for BaanERP on Windows NT BaaERP DB2 Istallatio Guide for BaaERP o Widows NT A publicatio of: Baa Developmet B.V. P.O.Box 143 3770 AC Bareveld The Netherlads Prited i the Netherlads Baa Developmet B.V. 1999. All rights reserved.

More information

BEA WebLogic Collaborate

BEA WebLogic Collaborate BEA WebLogic Collaborate A Compoet of BEA WebLogic Itegratio Itroducig BEA WebLogic Collaborate BEA WebLogic Collaborate Release 2.0 Documet Editio 2.0 July 2001 001 ServiceNow, Ic.'s Exhibit 1004 Copyright

More information

Configuring Rational Suite

Configuring Rational Suite Cofigurig Ratioal Suite Product Versio Ratioal Suite 2000.02.10 Release Date April 2000 Part Number 800-023317-000 support@ratioal.com http://www.ratioal.com IMPORTANT NOTICE Copyright Notice Copyright

More information

Oracle Server. What s New in this Release? Release Notes

Oracle  Server. What s New in this Release? Release Notes Oracle email Server Release Notes Release 5.2 for Widows NT May 2001 Part No. A90426-01 These release otes accompay Oracle email Server Release 5.2 for Widows NT. They cotai the followig topics: What s

More information

Application Trace Facility

Application Trace Facility Applicatio Trace Facility OMEGAMON II for IMS ad OMEGAMON II for DBCTL Versio 510 GC32-9261-00 March 2002 Cadle Corporatio 201 North Douglas Street El Segudo, Califoria 90245-9796 Registered trademarks

More information

Baan Finance Financial Statements

Baan Finance Financial Statements Baa Fiace Fiacial Statemets Module Procedure UP041A US Documetiformatio Documet Documet code : UP041A US Documet group : User Documetatio Documet title : Fiacial Statemets Applicatio/Package : Baa Fiace

More information

User s Guide. OMEGACENTER Gateway for MVS. Version 340 GC September 2002

User s Guide. OMEGACENTER Gateway for MVS. Version 340 GC September 2002 User s Guide OMEGACENTER Gateway for MVS Versio 340 GC32-9231-00 September 2002 Cadle Corporatio 201 North Douglas Street El Segudo, Califoria 90245-9796 Registered trademarks ad service marks of Cadle

More information

BEA Tuxedo. Using the BEA Tuxedo System on Windows NT

BEA Tuxedo. Using the BEA Tuxedo System on Windows NT BEA Tuxedo Usig the BEA Tuxedo System o Widows NT BEA Tuxedo Release 7.1 Documet Editio 7.1 May 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software

More information

Architectural styles for software systems The client-server style

Architectural styles for software systems The client-server style Architectural styles for software systems The cliet-server style Prof. Paolo Ciacarii Software Architecture CdL M Iformatica Uiversità di Bologa Ageda Cliet server style CS two tiers CS three tiers CS

More information

Panel for Adobe Premiere Pro CC Partner Solution

Panel for Adobe Premiere Pro CC Partner Solution Pael for Adobe Premiere Pro CC Itegratio for more efficiecy The makes video editig simple, fast ad coveiet. The itegrated pael gives users immediate access to all medialoopster features iside Adobe Premiere

More information

Princeton Instruments Reference Manual

Princeton Instruments Reference Manual Priceto Istrumets Referece Maual Improvisio, Viscout Cetre II, Uiversity of Warwick Sciece Park, Millbur Hill Road, Covetry. CV4 7HS Tel: 0044 (0) 24 7669 2229 Fax: 0044 (0) 24 7669 0091 e-mail: admi@improvisio.com

More information

CSC 220: Computer Organization Unit 11 Basic Computer Organization and Design

CSC 220: Computer Organization Unit 11 Basic Computer Organization and Design College of Computer ad Iformatio Scieces Departmet of Computer Sciece CSC 220: Computer Orgaizatio Uit 11 Basic Computer Orgaizatio ad Desig 1 For the rest of the semester, we ll focus o computer architecture:

More information

Connecting OMEGACENTER Gateway for MVS and AF/REMOTE Using TCP/IP

Connecting OMEGACENTER Gateway for MVS and AF/REMOTE Using TCP/IP Coectig OMEGACENTER Gateway for MVS ad AF/REMOTE Usig TCP/IP OMEGACENTER Gateway for MVS V340 AF/REMOTE o Widows NT V100 GC32-9227-00 September 2002 Cadle Corporatio 201 North Douglas Street El Segudo,

More information

BAAN IVc/BaanERP. Conversion Guide Oracle7 to Oracle8

BAAN IVc/BaanERP. Conversion Guide Oracle7 to Oracle8 BAAN IVc/BaaERP A publicatio of: Baa Developmet B.V. P.O.Box 143 3770 AC Bareveld The Netherlads Prited i the Netherlads Baa Developmet B.V. 1999. All rights reserved. The iformatio i this documet is subject

More information

User s Guide PathWAI TM Web Response Monitor

User s Guide PathWAI TM Web Response Monitor User s Guide PathWAI TM Web Response Monitor Version 1.1.2 GC32-9346-00 April 2004 Candle Corporation 100 North Sepulveda Boulevard El Segundo, California 90245 Registered trademarks and service marks

More information

User s Guide CandleNet ETEWatch

User s Guide CandleNet ETEWatch User s Guide CandleNet ETEWatch Version 2.0.2 GC32-9178-00 April 2004 Candle Corporation 100 North Sepulveda Boulevard El Segundo, California 90245 Registered trademarks and service marks of Candle Corporation:

More information

One advantage that SONAR has over any other music-sequencing product I ve worked

One advantage that SONAR has over any other music-sequencing product I ve worked *gajedra* D:/Thomso_Learig_Projects/Garrigus_163132/z_productio/z_3B2_3D_files/Garrigus_163132_ch17.3d, 14/11/08/16:26:39, 16:26, page: 647 17 CAL 101 Oe advatage that SONAR has over ay other music-sequecig

More information

Custodial Integrator Automation Guide

Custodial Integrator Automation Guide Custodial Itegrator Automatio Guide Compay Cofidetial Custodial Itegrator Product Versio: V3.8 Documet Versio: 14 Documet Issue Date: April 21, 2017 Techical Support: (866) 856-4951 Telephoe: (781) 376-0801

More information

Task scenarios Outline. Scenarios in Knowledge Extraction. Proposed Framework for Scenario to Design Diagram Transformation

Task scenarios Outline. Scenarios in Knowledge Extraction. Proposed Framework for Scenario to Design Diagram Transformation 6-0-0 Kowledge Trasformatio from Task Scearios to View-based Desig Diagrams Nima Dezhkam Kamra Sartipi {dezhka, sartipi}@mcmaster.ca Departmet of Computig ad Software McMaster Uiversity CANADA SEKE 08

More information

Workflow Extensions User Guide. StarTeam 12.0

Workflow Extensions User Guide. StarTeam 12.0 Workflow Extesios User Guide StarTeam 12.0 Micro Focus 575 Ato Blvd., Suite 510 Costa Mesa, CA 92626 Copyright 2011 Micro Focus IP Developmet Limited. All Rights Reserved. StarTeam cotais derivative works

More information

Configuration and Customization Guide

Configuration and Customization Guide Configuration and Customization Guide OMEGAMON II for IMS OMEGAMON II for DBCTL Version 510 GC32-9262-00 March 2002 Candle Corporation 201 North Douglas Street El Segundo, California 90245-9796 Registered

More information

BODiBEAT Station. Owner s Manual. Contents

BODiBEAT Station. Owner s Manual. Contents BODiBEAT Statio Ower s Maual Versio 1.2.c Cotets About the BODiBEAT Statio.................... 2 Viewig the Exercise Logs....................... 5 Creatig ad Maagig a Traiig Program........ 9 Maagig Sog

More information

Security and Communication. Ultimate. Because Intercom doesn t stop at the hardware level. Software Intercom Server for virtualised IT platforms

Security and Communication. Ultimate. Because Intercom doesn t stop at the hardware level. Software Intercom Server for virtualised IT platforms Because Itercom does t stop at the hardware level by Commed Software Itercom Server for virtualised IT platforms Ready for VMware Ready for Hyper-V VoIP Ultimate availability Itercom Server as a app The

More information

Avid DS Nitris. Installation and Administration Guide. Version 7.0. Avid make manage move media

Avid DS Nitris. Installation and Administration Guide. Version 7.0. Avid make manage move media Avid make maage move media Avid DS Nitris Istallatio ad Admiistratio Guide Versio 7.0 Copyright ad Disclaimer Product specificatios are subject to chage without otice ad do ot represet a commitmet o the

More information

Schema for the DCE Security Registry Server

Schema for the DCE Security Registry Server Schema for the Security egistry Server Versio Date: 0/20/00 For questios or commets cocerig this documet, sed a email ote to dce-ldap@opegroup.org or call Doa Skibbie at 52 838-3896. . Itroductio...3 2.

More information

Customer Portal Quick Reference User Guide

Customer Portal Quick Reference User Guide Customer Portal Quick Referece User Guide Overview This user guide is iteded for FM Approvals customers usig the Approval Iformatio Maagemet (AIM) customer portal to track their active projects. AIM is

More information

System and Software Architecture Description (SSAD)

System and Software Architecture Description (SSAD) System ad Software Architecture Descriptio (SSAD) Diabetes Health Platform Team #6 Jasmie Berry (Cliet) Veerav Naidu (Project Maager) Mukai Nog (Architect) Steve South (IV&V) Vijaya Prabhakara (Quality

More information

BEA elink Business Process Option Server Installation Guide

BEA elink Business Process Option Server Installation Guide BEA elik Busiess Process Optio Server Istallatio Guide BEA elik Busiess Process Optio 1.2 Documet Editio 1.2 February 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted Rights

More information

Neolane Social Marketing. Neolane v6.1

Neolane Social Marketing. Neolane v6.1 Neolae Social Marketig Neolae v6.1 This documet, ad the software it describes, are provided subject to a Licese Agreemet ad may ot be used or copied outside of the provisios of the Licese Agreemet. No

More information

HP Media Center PC Getting Started Guide

HP Media Center PC Getting Started Guide HP Media Ceter PC Gettig Started Guide The iformatio i this documet is subject to chage without otice. Hewlett-Packard Compay makes o warraty of ay kid with regard to this material, icludig, but ot limited

More information

n Learn how resiliency strategies reduce risk n Discover automation strategies to reduce risk

n Learn how resiliency strategies reduce risk n Discover automation strategies to reduce risk Chapter Objectives Lear how resiliecy strategies reduce risk Discover automatio strategies to reduce risk Chapter #16: Architecture ad Desig Resiliecy ad Automatio Strategies 2 Automatio/Scriptig Resiliet

More information

CA InterTest for CICS r8.5

CA InterTest for CICS r8.5 PRODUCT SHEET: CA INTERTEST FOR CICS CA IterTest for CICS r8.5 CA IterTest for CICS provides testig ad debuggig of IBM CICS Trasactio Server for z/os applicatios writte i COBOL, PL/I, Assembler ad Laguage

More information

BEA WebLogic Server. Installing and Setting up WebLogic Server 5.1

BEA WebLogic Server. Installing and Setting up WebLogic Server 5.1 BEA WebLogic Server Istallig ad Settig up WebLogic Server 5.1 Documet 2.0 April 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software ad documetatio

More information

Messages Manual. CandleNet ebusiness Assurance Products GC October 2002

Messages Manual. CandleNet ebusiness Assurance Products GC October 2002 Messages Manual CandleNet ebusiness Assurance Products GC32-9211-00 October 2002 Candle Corporation 201 North Douglas Street El Segundo, California 90245 Registered trademarks and service marks of Candle

More information

Windows Server 2008 R2 networking

Windows Server 2008 R2 networking Chapter3 Widows Server 2008 R2 etworkig Orgaizatios large ad small deped o computer etworks to operate their busiesses. Employees require aywhere access to data, while cliets ad busiess parters demad ehaced

More information

Configuration and Customization Guide

Configuration and Customization Guide Configuration and Customization Guide OMEGAMON II for MVS Version 520 GC32-9277-00 December 2001 Candle Corporation 201 North Douglas Street El Segundo, California 90245-9796 Registered trademarks and

More information

Oracle Process Manufacturing

Oracle Process Manufacturing Oracle Process Maufacturig Product Developmet Recipe API User s Guide Release 11i Part No. A97387-04 Jauary 2005 Oracle Process Maufacturig Product Developmet Recipe API User s Guide, Release 11i Part

More information

3.1 Overview of MySQL Programs. These programs are discussed further in Chapter 4, Database Administration. Client programs that access the server:

3.1 Overview of MySQL Programs. These programs are discussed further in Chapter 4, Database Administration. Client programs that access the server: 3 Usig MySQL Programs This chapter provides a brief overview of the programs provided by MySQL AB ad discusses how to specify optios whe you ru these programs. Most programs have optios that are specific

More information

BEA WebLogic XML/Non-XML Translator

BEA WebLogic XML/Non-XML Translator BEA WebLogic XML/No-XML Traslator A Compoet of BEA WebLogic Itegratio Plug-I Guide BEA WebLogic XML/No-XML Traslator Release 2.0 Documet Editio 2.0 July 2001 Copyright Copyright 2001 BEA Systems, Ic. All

More information

HP Media Center PC Getting Started Guide

HP Media Center PC Getting Started Guide HP Media Ceter PC Gettig Started Guide The iformatio i this documet is subject to chage without otice. Hewlett-Packard Compay makes o warraty of ay kid with regard to this material, icludig, but ot limited

More information

Installing Candle Products

Installing Candle Products Installing Candle Products on Windows Version CT350 GC32-9218-00 October 2004 Candle Corporation 100 North Sepulveda Blvd. El Segundo, California 90245 Registered trademarks and service marks of Candle

More information

Getting Started. Getting Started - 1

Getting Started. Getting Started - 1 Gettig Started Gettig Started - 1 Issue 1 Overview of Gettig Started Overview of Gettig Started This sectio explais the basic operatios of the AUDIX system. It describes how to: Log i ad log out of the

More information

IXS-6600-C IXS-6700-C

IXS-6600-C IXS-6700-C INTEGRATED ROUTING SYSTEM PACK IXS-6600-C IXS-6700-C INTEGRATED ROUTING SYSTEM IXS-6600 IXS-6700 IKS-6030M IKS-A6011 IKS-A6015 IKS-A6050 IKS-A6061 IKS-V6010M IKS-V6010SD IKS-V6050M IKS-V6050SD IKS-V6060M

More information

n Explore virtualization concepts n Become familiar with cloud concepts

n Explore virtualization concepts n Become familiar with cloud concepts Chapter Objectives Explore virtualizatio cocepts Become familiar with cloud cocepts Chapter #15: Architecture ad Desig 2 Hypervisor Virtualizatio ad cloud services are becomig commo eterprise tools to

More information

Elementary Educational Computer

Elementary Educational Computer Chapter 5 Elemetary Educatioal Computer. Geeral structure of the Elemetary Educatioal Computer (EEC) The EEC coforms to the 5 uits structure defied by vo Neuma's model (.) All uits are preseted i a simplified

More information

Python Programming: An Introduction to Computer Science

Python Programming: An Introduction to Computer Science Pytho Programmig: A Itroductio to Computer Sciece Chapter 1 Computers ad Programs 1 Objectives To uderstad the respective roles of hardware ad software i a computig system. To lear what computer scietists

More information

HP Media Center PC Getting Started Guide

HP Media Center PC Getting Started Guide HP Media Ceter PC Gettig Started Guide The oly warraties for Hewlett-Packard products ad services are set forth i the express statemets accompayig such products ad services. Nothig herei should be costrued

More information

Message Integrity and Hash Functions. TELE3119: Week4

Message Integrity and Hash Functions. TELE3119: Week4 Message Itegrity ad Hash Fuctios TELE3119: Week4 Outlie Message Itegrity Hash fuctios ad applicatios Hash Structure Popular Hash fuctios 4-2 Message Itegrity Goal: itegrity (ot secrecy) Allows commuicatig

More information

L5355 Modbus Plus Communications Interface

L5355 Modbus Plus Communications Interface L5355 Modbus Plus Commuicatios Iterface Techical Maual HA470897 Issue 2 Copyright SSD Drives Ic 2005 All rights strictly reserved. No part of this documet may be stored i a retrieval system, or trasmitted

More information

GE FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III

GE FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III GE2112 - FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III PROBLEM SOLVING AND OFFICE APPLICATION SOFTWARE Plaig the Computer Program Purpose Algorithm Flow Charts Pseudocode -Applicatio Software Packages-

More information

Installing Candle Products

Installing Candle Products Installing Candle Products on HP NonStop Kernel Version CT350 GC32-9215-00 June 2004 Candle Corporation 100 North Sepulveda Blvd. El Segundo, California 90245 Registered trademarks and service marks of

More information

MediaShare F/C Release 2.0.2

MediaShare F/C Release 2.0.2 a MediaShare F/C Release 2.0.2 Release Notes These release otes cover chages to the MediaShare F/C eviromet. MediaShare F/C Release 2.0.2 adds support for Mac OS 8.1 ad fixes a umber of problems experieced

More information

Oracle Release Management Implementation Manual

Oracle Release Management Implementation Manual Oracle Release Maagemet Implemetatio Maual Release 11i April 2000 Part No. A83743-01 Oracle Release Maagemet Implemetatio Maual Part No. A83743-01 Copyright 1999, 2000 Oracle Corporatio. All rights reserved.

More information

Chapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings

Chapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings Operatig Systems: Iterals ad Desig Priciples Chapter 4 Threads Nith Editio By William Stalligs Processes ad Threads Resource Owership Process icludes a virtual address space to hold the process image The

More information

OPC Server ECL Comfort 210/310 OPC Server

OPC Server ECL Comfort 210/310 OPC Server OPC Server Descriptio j l j o j l k j l j Modbus-RS485 k Etheret or Iteret l Modbus-TCP ECL Cofort cotroller Heat eter o SCADA server The Dafoss is a OPC-copliat server that serves data to OPC cliets.

More information

BEAWebLogic. Integration. Release Notes

BEAWebLogic. Integration. Release Notes BEAWebLogic Itegratio Release Notes Release 2.1 Service Pack 1 Documet Date: Jauary 2002 Revised: March 8, 2002 Copyright Copyright 2002 BEA Systems, Ic. Rights Reserved. Restricted Rights Leged This software

More information

Copyright 1999, Lucent Technologies All Rights Reserved Printed in U.S.A.

Copyright 1999, Lucent Technologies All Rights Reserved Printed in U.S.A. 585-210-935 Comcode 108502253 Copyright 1999, Lucet Techologies All Rights Reserved Prited i U.S.A. Notice Every effort was made to esure that the iformatio i this book was complete ad accurate at the

More information

Oracle SDP Number Portability

Oracle SDP Number Portability Oracle SDP Number Portability Implemetatio Guide Release 11i August 2000 Part No. A86289-01 Oracle SDP Number Portability, Realease11i Part No.A86289-01 Copyright 2000, Oracle Corporatio. All rights reserved.

More information

Configuration and Customization Guide

Configuration and Customization Guide Configuration and Customization Guide OMEGAVIEW Version 300 GC32-9334-00 March 2002 Candle Corporation 201 North Douglas Street El Segundo, California 90245-9796 Registered trademarks and service marks

More information

ICS Regent. Communications Modules. Module Operation. RS-232, RS-422 and RS-485 (T3150A) PD-6002

ICS Regent. Communications Modules. Module Operation. RS-232, RS-422 and RS-485 (T3150A) PD-6002 ICS Reget Commuicatios Modules RS-232, RS-422 ad RS-485 (T3150A) Issue 1, March, 06 Commuicatios modules provide a serial commuicatios iterface betwee the cotroller ad exteral equipmet. Commuicatios modules

More information

Guide for Online Renewal

Guide for Online Renewal guide for olie reewal Guide for Olie Reewal This guide is desiged to assist you i the completio of your aual olie reewal of registratio. 250 Bloor St. East, Suite 1000, Toroto ON M4W 1E6 Phoe: 416-972-9882

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Tred Micro reserves the right to make chages to this documet ad to the products described herei without otice. Before istallig or usig the software, please review the readme files, release otes, ad the

More information

BEA Tuxedo. Introducing the BEA Tuxedo System

BEA Tuxedo. Introducing the BEA Tuxedo System BEA Tuxedo Itroducig the BEA Tuxedo System BEA Tuxedo Release 7.1 Documet Editio 7.1 May 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software ad documetatio

More information

Oracle Process Manufacturing

Oracle Process Manufacturing Oracle Process Maufacturig Process Executio API User s Guide Release 11i Part No. A97388-04 August 2004 Oracle Process Maufacturig Process Executio API User s Guide, Release 11i Part No. A97388-04 Copyright

More information

Session Initiated Protocol (SIP) and Message-based Load Balancing (MBLB)

Session Initiated Protocol (SIP) and Message-based Load Balancing (MBLB) F5 White Paper Sessio Iitiated Protocol (SIP) ad Message-based Load Balacig (MBLB) The ability to provide ew ad creative methods of commuicatios has esured a SIP presece i almost every orgaizatio. The

More information

Avid DS Nitris. Installation and Administration Guide. Version 7.5. Avid make manage move media

Avid DS Nitris. Installation and Administration Guide. Version 7.5. Avid make manage move media Avid make maage move media Avid DS Nitris Istallatio ad Admiistratio Guide Versio 7.5 Copyright ad Disclaimer Product specificatios are subject to chage without otice ad do ot represet a commitmet o the

More information

BE Software Upgrades to ITALYCS 5. It s in the. Software

BE Software Upgrades to ITALYCS 5. It s in the. Software BE Software Upgrades to ITALYCS 5 It s i the Software UPGRADES WE OFFER Brampto Egieerig is offerig customers with ITALYCS 2 ad ITALYCS 4 systems the opportuity to upgrade their existig systems to the

More information

LifeBook P Series Notebook BIOS BIOS SETUP UTILITY

LifeBook P Series Notebook BIOS BIOS SETUP UTILITY BIOS SECTION P1510 LifeBook P7000 Notebook BIOS LifeBook P Series Notebook BIOS BIOS SETUP UTILITY The BIOS Setup Utility is a program that sets up the operatig eviromet for your otebook. Your BIOS is

More information

BEA WebLogic Enterprise. Using the WebLogic EJB Deployer

BEA WebLogic Enterprise. Using the WebLogic EJB Deployer BEA WebLogic Eterprise Usig the WebLogic EJB Deployer WebLogic Eterprise 5.0 Documet Editio 5.0 December 1999 Copyright Copyright 1999 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This

More information

User s Guide. OMEGAMON XE for OS/400. Version 300 GC March Candle Corporation 201 North Douglas Street El Segundo, California 90245

User s Guide. OMEGAMON XE for OS/400. Version 300 GC March Candle Corporation 201 North Douglas Street El Segundo, California 90245 User s Guide OMEGAMON XE for OS/400 Version 300 GC32-9314-00 March 2002 Candle Corporation 201 North Douglas Street El Segundo, California 90245 Registered trademarks and service marks of Candle Corporation:

More information

Feed in Tariff. Application Form

Feed in Tariff. Application Form Feed i Tariff Applicatio Form Feed i Tariff Applicatio Form How to complete this form: You eed to check you re eligible to joi the Feed i Tariff (FIT) first, by visitig our website power.com ad readig

More information