The SSL or TLS key repository
A mutually authenticated SSL or TLS connection requires a key repository at each end of the connection. The key repository is known by different names on different platforms, as the following table shows. It holds digital certificates and the private keys that belong to them.

Platform | Name of key repository
Java and JMS | keystore and trust store
Windows, UNIX and Linux® systems | key database file
A key repository contains the following items:
- A number of CA certificates from various Certification Authorities. These allow the queue manager or client to verify the certificates it receives from its partner at the remote end of the connection. An individual certificate might be one link in a certificate chain.
- One or more personal certificates issued by a Certification Authority. You associate a separate personal certificate with each queue manager or WebSphere® MQ MQI client. A personal certificate is essential on an SSL or TLS client if mutual authentication is required; if mutual authentication is not required, the client needs no personal certificate. The key repository might also contain the private key corresponding to each personal certificate.
- Certificate requests that are waiting to be signed by a trusted Certification Authority.
For more information about protecting your key repository, see Protecting IBM WebSphere MQ key repositories.
Windows, UNIX and Linux systems

On Windows, UNIX and Linux systems the key repository is a key database file. The name of the key database file must have the file extension .kdb. For example, on UNIX and Linux, the default key database file for queue manager QM1 is /var/mqm/qmgrs/QM1/ssl/key.kdb. If IBM WebSphere MQ is installed in the default location, the equivalent path on Windows is C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\key.kdb.

On Windows, UNIX and Linux systems, each key database file has an associated password stash file. This file holds an encoded password that allows programs to open the key database without prompting. The password stash file must be in the same directory and have the same file stem as the key database, and must end with the suffix .sth, for example /var/mqm/qmgrs/QM1/ssl/key.sth. Because the stash file is what grants access to the key database, it needs the same protection from other users as the key database itself.

Note: On Windows, UNIX and Linux systems, PKCS #11 cryptographic hardware cards can contain the certificates and keys that are otherwise held in a key database file. When certificates and keys are held on PKCS #11 cards, WebSphere MQ still requires access to both a key database file and a password stash file.

On Windows and UNIX systems, the key database also contains the private key for the personal certificate associated with the queue manager or WebSphere MQ MQI client.
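The following POSIX shell functions are an added worked check, not IBM-supplied tooling: they derive the default key repository stem for a queue manager from the default path given above and verify that the .kdb and .sth pair is present, correctly named and not accessible to other users. The default installation path /var/mqm/qmgrs/<name>/ssl/key.kdb comes from the text; the permission policy (no access for "other", group access tolerated because the files are commonly readable by the mqm group) is an assumption about typical deployments rather than a rule from the documentation.

```sh
#!/bin/sh
# Added example; not IBM-supplied code. Sanity checks for a queue manager's
# key repository on UNIX or Linux, following the naming rules described above:
# the SSLKEYR value is a path stem without extension, <stem>.kdb is the key
# database and <stem>.sth is the password stash file in the same directory.

# Default key repository stem for a queue manager, per the documented default
# path /var/mqm/qmgrs/<name>/ssl/key.kdb (assumes a default installation).
default_key_repository() {
    printf '/var/mqm/qmgrs/%s/ssl/key\n' "$1"
}

# check_key_repository STEM
# Returns 0 if STEM.kdb and STEM.sth both exist as regular files and neither
# grants any permission to "other" users; otherwise prints the reasons to
# stderr and returns 1. Group access is tolerated (assumption: the files are
# usually owned by and readable by the mqm group).
check_key_repository() {
    stem=$1
    rc=0

    # Guard against the common mistake of pointing SSLKEYR at the .kdb file
    # itself: the value must be the stem, e.g. /var/mqm/qmgrs/QM1/ssl/key.
    case "$stem" in
        *.kdb|*.sth)
            echo "key repository must be given without extension: $stem" >&2
            return 1 ;;
    esac

    for f in "${stem}.kdb" "${stem}.sth"; do
        if [ ! -f "$f" ]; then
            echo "missing or not a regular file: $f" >&2
            rc=1
            continue
        fi
        # Portable permission check: characters 8-10 of "ls -ld" output are the
        # "other" rwx bits. The stash file holds only an encoded password, so
        # anyone who can read it can open the key database; it must not be
        # readable by other users.
        other=$(ls -ld "$f" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "accessible to other users (other=$other): $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a queue manager host: check QM1's default key repository.
if check_key_repository "$(default_key_repository QM1)"; then
    echo "QM1 key repository looks OK"
fi
```

Run the script as the mqm user (or root) on the queue manager host; any failure reason is printed to stderr and the exit status is non-zero, so the check can be wired into a pre-start script for the queue manager.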