keybackup

Back up the queue manager key repository to a file.

Purpose

You can use the keybackup command to write a copy of the queue manager key repository to a file. You can then copy the file to another system, and restore it when required.

The command creates a compressed archive (.tar.gz) of the key repository files. This includes the .kdb and .rdb files, and the crl file, if present. It does not include the password stash file. At completion the name of the archive file, and the password that was stored in the password stash file is displayed. The password is needed to restore the key repository.

You can specify the name of the file that the backup is made to. You can specify a password to restore the file, or allow the command to generate a password and inform you what it is. You can also specify a password through an interactive prompt. You require the password when you restore the backed up file.

Syntax

Read syntax diagramSkip visual syntax diagram keybackup -m QMgrName -force-fileFileName-passwordUserSpecifiedPassword

Parameters

-m QMgrName
Specifies the name of the queue manager for which the key repository is backed up.
The queue manager must exist.
-force
Forces the back up, without displaying a warning about the security issues raised by backing up the key repository.
-file FileName
Optionally specifies the name of the file to which the key repository is backed up. The backup is created in mqbackup:. The value for the -file parameter can optionally include the URI prefix, only the mqbackup: URI prefix is accepted.

If you do not specify a file name, one is created for you and reported to you when the backup completes.

-password UserSpecifiedPassword
Optionally specifies the password to use when the key repository is restored. The command does not echo the password back to you. The supplied password can be between 14 and 128 characters in length.

If you do not specify a password, one is created for you and reported to you when the backup completes.

-prompt
Optionally specify the password to use when the key repository is restored when prompted,. The password is never displayed. The password can be between 14 and 128 characters in length.

Usage notes

  • This command must be run from the IBM® MQ administration mode. If the system is in the IBM MQ administration mode the prompt includes mq. To enter the IBM MQ administration mode, enter mqcli on the command line. To exit the IBM MQ administration mode, enter exit on the command line.
  • The operation could be regarded as insecure as it places a copy of the queue manager Key Repository into the user accessible file area on the appliance. Unless you specify the -force parameter, the appliance prompts you to confirm that you want to continue with the back up: 
    This operation will generate a copy of your queue manager key  repository,
    which may include private keys.  Although encrypted, you  should take appropriate security
    precautions in handling this file.  The  password required if you ever need to modify or
    restore this file will  be displayed after the copy has been created.  Do you wish to continue?
    [Y/N]
  • The operation could be regarded as insecure as it places a copy of the queue manager Key Repository into the user accessible file area on the appliance. Unless you specify the -force parameter, the appliance prompts you to confirm that you want to continue with the back up: 
    This operation will generate a copy of your queue manager key repository, which may include private keys. Although encrypted, you should take appropriate security precautions in handling this file.
Do you wish to continue? [Y/N]

Examples

  • The following command backs up the key repository for the queue manager QM1: 
    keybackup -m QM1
  • The following command backs up the key repository for the queue manager QM1: 
    keybackup -m QM1
    The response is similar to:
    5724-H72 (C) Copyright IBM Corp. 1994, 2025.
This operation will generate a copy of your queue manager key repository, which may include private keys. Although encrypted, you should take appropriate security precautions in handling this file.
Do you wish to continue? [Y/N]
y
Key repository has been backed up to 'mqbackup:///QM1_keyrepos.tar.gz'.
Password for key repository is:
gXAO#+%m9O|m]\
  • The following command backs up the key repository for the queue manager QM1, and specifies a file name and a password:
    keybackup -m QM1 -file qm1keybackup -password Example_passphrase_f0r_doc
    The response is:
    5724-H72 (C) Copyright IBM Corp. 1994, 2025.
This operation will generate a copy of your queue manager key repository, which may include private keys. Although encrypted, you should take appropriate security precautions in handling this file.
Do you wish to continue? [Y/N]
y
Key repository has been backed up to 'mqbackup:///qm1keybackup'.
  • The following command backs up the key repository for the queue manager QM1, but requests to be prompted for a password:
    keybackup -m QM1 -prompt
    The response is:
    5724-H72 (C) Copyright IBM Corp. 1994, 2025.

Enter password:
*********************

Confirm password:
*********************
This operation will generate a copy of your queue manager key repository, which may include private keys. Although encrypted, you should take appropriate security precautions in handling this file.
Do you wish to continue? [Y/N]
y
Key repository has been backed up to 'mqbackup:///QM1_keyrepos.tar.gz'.

Related commands