The SSL or TLS key repository

A mutually authenticated SSL or TLS connection requires a key repository at each end of the connection. The key repository holds digital certificates and their associated private keys, and is known by different names on different platforms.

This information uses the general term key repository for that store. The specific store name depends on the platform and environment; the one used on Windows, UNIX and Linux systems (a key database file) is described later in this topic.
For more information, refer to Digital certificates and Secure Sockets Layer (SSL) and Transport Layer Security (TLS) concepts.
The key repository may contain:
  • A number of CA certificates from various Certification Authorities that allow the queue manager or client to verify certificates that it receives from its partner at the remote end of the connection. Individual certificates might be in a certificate chain.
  • One or more personal certificates received from a Certification Authority. You associate a separate personal certificate with each queue manager or WebSphere® MQ MQI client. A personal certificate is essential on an SSL or TLS client if mutual authentication is required; if mutual authentication is not required, the client does not need one. The key repository might also contain the private key corresponding to each personal certificate.
  • Certificate requests which are waiting to be signed by a trusted CA certificate.

For more information about protecting your key repository, see Protecting IBM WebSphere MQ key repositories.

The location of the key repository depends on the platform you are using:
Windows, UNIX and Linux systems
On Windows, UNIX and Linux systems the key repository is a key database file. The name of the key database file must have a file extension of .kdb. For example, on UNIX and Linux, the default key database file for queue manager QM1 is /var/mqm/qmgrs/QM1/ssl/key.kdb. If IBM WebSphere MQ is installed in the default location, the equivalent path on Windows is C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\key.kdb.

On Windows, UNIX and Linux systems, each key database file has an associated password stash file. This file holds encoded passwords that allow programs to access the key database without prompting. The password stash file must be in the same directory and have the same file stem as the key database, and must end with the suffix .sth, for example /var/mqm/qmgrs/QM1/ssl/key.sth. Because the stash file is what unlocks the key database, anyone who can read it can open the key database too, so protect it as carefully as the key database itself.

Note: On Windows, UNIX and Linux systems, PKCS #11 cryptographic hardware cards can contain the certificates and keys that are otherwise held in a key database file. When certificates and keys are held on PKCS #11 cards, WebSphere MQ still requires access to both a key database file and a password stash file.

On Windows, UNIX and Linux systems, the key database also contains the private key for the personal certificate associated with the queue manager or WebSphere MQ MQI client.
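The naming and placement rules above (a .kdb key database, a stash file in the same directory with the same stem and the suffix .sth) are the sort of thing that silently breaks a channel start when one file is renamed, copied without its partner, or left world-readable. The following check script is an example added here by the editor; it is not IBM code and does not use the MQ or GSKit tooling. It derives the expected stash path from a key database path (for both the UNIX and Windows default locations quoted above), confirms both files exist, and on POSIX systems flags either file as a finding when its mode grants access beyond the owning user. The "owner only" threshold and the assumption that nothing but the MQ user needs to read these files are the editor's; the sample repositories it builds are constructed placeholder files, not real key databases.

```python
"""Sanity-check an IBM MQ key repository (key database plus stash file).

Editor's example, not IBM's code. Encodes the naming rules from the text:
the key database must end in .kdb, and its stash file must live in the same
directory with the same stem and the suffix .sth. Sample files are placeholders.
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Mode bits that grant access to anyone other than the owning user.
# Threshold is the editor's choice: MQ runs as its own service user, so
# nothing else needs to read the repository or the stash file that unlocks it.
_NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def _pure(path: str):
    # Use a Windows pure path when the string looks like one, so the
    # derivation also works for Windows paths when run from a Linux host.
    return PureWindowsPath(path) if "\\" in path else PurePosixPath(path)


def key_database_name_ok(kdb: str) -> bool:
    """The key database file name must carry the .kdb extension."""
    return _pure(kdb).suffix.lower() == ".kdb"


def stash_path_for(kdb: str) -> str:
    """Derive the stash file path: same directory, same stem, suffix .sth."""
    if not key_database_name_ok(kdb):
        raise ValueError(f"key database must end in .kdb: {kdb}")
    return str(_pure(kdb).with_suffix(".sth"))


def check_key_repository(kdb: str) -> list[str]:
    """Return findings for a local key repository; an empty list means OK."""
    if not key_database_name_ok(kdb):
        return [f"{kdb}: key database file must use the .kdb extension"]
    findings: list[str] = []
    kdb_file = Path(kdb)
    sth_file = Path(stash_path_for(kdb))
    if not kdb_file.is_file():
        findings.append(f"{kdb_file}: key database file not found")
    if not sth_file.is_file():
        findings.append(f"{sth_file}: stash file not found; the queue manager "
                        "cannot open the key database unattended")
    if os.name == "posix":
        for f in (kdb_file, sth_file):
            if f.is_file():
                mode = stat.S_IMODE(f.stat().st_mode)
                if mode & _NON_OWNER_BITS:
                    findings.append(f"{f}: mode {mode:04o} grants access beyond the "
                                    "owner; the stash file unlocks the key database, "
                                    "so treat both files as secrets")
    return findings


def build_sample_repository(directory: Path, with_stash: bool = True,
                            stash_mode: int = 0o600) -> str:
    """Create a constructed key.kdb/key.sth pair (placeholders, not real GSKit files)."""
    ssl_dir = directory / "ssl"
    ssl_dir.mkdir(parents=True, exist_ok=True)
    kdb = ssl_dir / "key.kdb"
    kdb.write_bytes(b"constructed placeholder, not a real CMS key database\n")
    kdb.chmod(0o600)
    if with_stash:
        sth = ssl_dir / "key.sth"
        sth.write_bytes(b"constructed placeholder, not a real stash file\n")
        sth.chmod(stash_mode)
    return str(kdb)


def run_demo() -> dict[str, list[str]]:
    """Run the check against three constructed repositories and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="mq-keyrepo-"))
    try:
        return {
            "healthy": check_key_repository(build_sample_repository(root / "QM1")),
            "missing_stash": check_key_repository(
                build_sample_repository(root / "QM2", with_stash=False)),
            "loose_stash": check_key_repository(
                build_sample_repository(root / "QM3", stash_mode=0o644)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Point check_key_repository at a real queue manager's key.kdb (for example /var/mqm/qmgrs/QM1/ssl/key.kdb) to audit it; run_demo only exercises the rules against throwaway files in a temporary directory. When certificates and keys live on a PKCS #11 card, the same check still applies, since MQ still needs the key database file and its stash file.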