Changing Message Queue

Communication Settings
ltima actualizacin: February 4, 2014

Contents

Change the Message Queue Administrator Password

Change the Message Queue Server Certificate

Change the Password for the Message Queue SSL Keystore

Change the Message Queue URL

You can change the following Message Queue communication settings:

The password for the Message Queue administrator

The Message Queue server certificate

The Message Queue URL

The password for the Message Queue SSL keystore

The password that endpoints use to connect to the Message Queue

Note: Endpoints use the +reportagent service account to connect to the Message
Queue.

The password that CA ControlMinder Enterprise Management and the DMS use to
connect to the Message Queue

Note: CA ControlMinder Enterprise Management and the DMS use the reportserver
service account to connect to the Message Queue.

Change the Message Queue Administrator

Password
The Message Queue administrator account is named admin and lets you perform administrative
tasks in the Message Queue.
You may need to regularly change the admin password to comply with your organization's
security and password policies.

Before you change the Message Queue administrator password, note the following:

The default password for this account is the communication password that you specify
when you install CA ControlMinder Enterprise Management.

The password has the following limitations:

o Must be 1-240 characters long

o Must not contain high ASCII characters

o Must not contain double quotes ( " )

o Must not contain @ and $ signs

The password is stored in the Message Queue.

Important! If you have more than one Distribution Server in your enterprise, first change the
password on the Distribution Server installed on the Enterprise Management Server, then change
the password on the other Distribution Servers in your enterprise. The Message Queue is part of
the Distribution Server.

To change the Message Queue administrator password, set the Message Queue password for the
admin user.

Example: Set the Message Queue Password For the admin User

This Tibco EMS Administration Tool command sets the Message Queue password for the admin
user. The password is "secret", and must be in clear text and enclosed in double quotes:

ssl://localhost:7243> set password admin "secret"

Password of user 'admin' has been modified
ssl://localhost:7243>

Change the Message Queue Server Certificate

The Message Queue uses the server certificate for SSL communication between the Message
Queue and its clients. The Message Queue clients are CA ControlMinder endpoints and CA
ControlMinder Enterprise Management.

To change the Message Queue server certificate

1. Stop the CA ControlMinder Message Queue.

 2. Create an X.509 server certificate.
We recommend that you create a .p12 format certificate.

3. Navigate to the following directory, where DistServer is the directory in which you
installed the Distribution Server:

4. DistServer/MessageQueue/tibco/bin/ems

5. Enter the following command:

6. tibemsadmin -mangle password

7.

o password
Specifies the password for the server certificate.

The password for the server certificate is encrypted.

8. Open the tibemsd.conf file in a text-based editor. The file is located in the following
directory:

9. DistServer/MessageQueue/tibco/bin/ems

10. Change the value of the following parameters:

o ssl_server_identity
Specifies the full path to the server certificate.

o ssl_server_key
Specifies the full path to the server certificate key.
Note: Leave this parameter blank if you use a .p12 certificate.

o ssl_password
Specifies the encrypted password for the server certificate.

11. Save and close the file.

The Message Queue server certificate is changed.

12. Restart the CA ControlMinder Message Queue.

Example: The tibemsd.conf file

The following is an example of the Message Queue server parameters in the tibemds.conf file for
a .p12 server certificate. The password has been encrypted and is }>8:Jt^+%INK&i^v, and the
ssl_server_key parameter has no value:

ssl_server_identity = "C:\Program
Files\CA\AccessControlServer\MessageQueue\conf\keystore.p12"
ssl_server_key =
ssl_password = }>8:Jt^+%INK&i^v

Change the Password for the Message Queue

SSL Keystore
The Message Queue SSL keystore stores the server certificates that the Message Queue uses for
SSL communication. When you change the password for the Message Queue SSL keystore, you
update the public/private key pair that signs the server certificates.

You may need to regularly change the password for the Message Queue SSL keystore to comply
with your organization's security and password policies.

Before you change the password for the Message Queue SSL keystore, note the following:

The default password is the communication password that you specify when you install
CA ControlMinder Enterprise Management.

The password has the following limitations:

o Must be 6-50 characters long

o Must not contain high ASCII characters

o Must not contain double quotes ( " )

The password is stored in the following file, where ACServer is the directory in which you
installed CA ControlMinder Enterprise Management:

ACServer/MessageQueue/conf/keystore.p12

Important! If you have more than one Distribution Server in your enterprise, first change the
password on the Distribution Server installed on the Enterprise Management Server, then change
the password on the other Distribution Servers in your enterprise. The Message Queue is part of
the Distribution Server.

To change the password for the Message Queue SSL keystore

1. Stop the CA ControlMinder Message Queue service.

2. Open a command prompt window and navigate to the following directory, where JDK is
the directory in which you installed the Java Development Kit:

3. JDK/bin

4. Run the following command:

5. keytool -genkey -keyalg RSA -keysize 1024 -keystore "keystore.p12" -storetype

PKCS12 -dname "cn=acmq" -alias acmq -storepass "password" -keypass
"password"
6.

o -genkey
Specifies that the command creates a key pair (public and private keys).

o -keyalg RSA
Specifies to use the RSA algorithm to generate the key pair.

o -keysize 1024
Specifies that the size of the generated key is 1024 bits.

o -storetype PKCS12
Specifies that the generated key is in the PKCS12 file format.

o -dname "cn=acmq"
Specifies that X.500 distinguished name for the generated certificate is acmq.
This name is used in the issuer and subject fields of the certificate.

o -alias acmq
Specifies to update the keystore entry names acmq.

o -storepass "password"
Specifies the password that protects the Message Queue SSL keystore. The
password must be identical to the password that you specify for the -keypass
parameter.

o -keypass "password"
Specifies the password that protects the private key of the new key pair. The
password must be identical to the password that you specify for the -storepass
parameter.

The keytool utility changes the password for the Message Queue SSL keystore.
 7. Navigate to the following directory, where DistServer is the directory in which you
installed the Distribution Server:

8. DistServer/MessageQueue/tibco/bin/ems

9. Run the following command:

10. tibemsadmin -mangle password

The password for the SSL keystore is encrypted.

Change the Message Queue URL

The Message Queue uses the localhost as the URL.You can modify the URL to use the fully
qualified distinguished name (FQDN) of the host by modifying the tibco-jms-ds.xml file.

The URL information is stored in the Message Queue in the following XML file,
where JBoss_HOME is the directory where you installed JBoss:

JBoss_home/server/default/deploy/jms/tibco-jms-ds.xml

Follow these steps:

1. Stop the JBoss Application Server, the CA ControlMinder Message Queue service and all
the CA ControlMinder services.

2. Back up the tibco-jms-ds.xml file that is placed at the following location:

3. JBoss_home\server\default\deploy\jms

4. Open the tibco-jms-ds.xml file and perform the following steps:

a. Locate localhost.

b. Replace localhost with FQDN.

c. Perform steps a and b for every instance of localhost.

d. Save and close the file.

5. Browse to the following location to modify the communication key:

6. HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\
commmunication
7. Locate the key value Distribution_Server.
The default value is ssl://localhost:7243.

8. Replace the ssl://localhost:7243 value with ssl://<FQDN>:7243.

9. Start all CA ControlMinder services, including the CA ControlMinder Message Queue

service.

10. Start the JBoss service.

The CA ControlMinder Message Queue URL is changed.