Viewing and setting keystore and truststore runtime properties at integration node level

Configure the integration node to refer to a keystore, a truststore, or both, before you deploy any message flows that require policy set or bindings for signature, encryption, or X.509 Authentication.

About this task

Keystores and truststores are both keystores. They differ only in how they are used.
  • Put all private keys and public key certificates in the keystore.
  • Put all trusted root certificate authority (CA) certificates in the truststore. These certificates are used to establish the trust of any inbound public key certificates.
IBM® App Connect Enterprise supports the following types of store:
  • PKCS12 keystores
  • Java™ keystore (JKS).
Each instance of an integration node can be configured to refer to one keystore and one truststore.

The following properties of the integration node registry component must be defined correctly for policy sets and bindings:

brokerKeystoreFile
The directory and file location of the keystore.
brokerTruststoreFile
The directory and file location of the truststore.

To check what security properties you set for an integration node, use the mqsireportdbparms command.

Listing existing integration node registry entries

About this task

To display all integration node registry values, run the following command:

mqsireportproperties integrationNodeName -o BrokerRegistry -a

This command returns entries like these:

BrokerRegistry=''
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile=''
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
  brokerTruststorePass='brokerTruststore::password'
  httpConnectorPortRange=''
  httpsConnectorPortRange=''

Updating the integration node reference to a keystore

About this task

To update the integration node reference to a keystore, use the following command: 
mqsichangeproperties integrationNodeName -o BrokerRegistry 
  -n  brokerKeystoreFile 
  -v c:\keystore\server.keystore
Where c:\keystore\server.keystore is the keystore to be referenced.

Updating the integration node reference to a truststore

About this task

To update the integration node reference to a truststore, use the following command: 
mqsichangeproperties integrationNodeName -o BrokerRegistry 
  -n  brokerTruststoreFile 
  -v c:\truststore\server.truststore
Where c:\truststore\server.truststore is the truststore to be referenced.

Updating the integration node with the keystore password

About this task

Keystores and truststores normally require passwords for access. Use the mqsisetdbparms command to add these passwords to the IBM App Connect Enterprise runtime component. To check a password that you set, use the mqsireportdbparms command.
mqsireportdbparms integrationNodeName 
  -n brokerKeystore::password 
  -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.

Updating the integration node with the truststore password

About this task

To update the integration node with the truststore password, use the following command: 
mqsisetdbparms integrationNodeName 
  -n brokerTruststore::password 
  -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.

Updating the integration node with a private key password

About this task

Private keys in the keystore might have their own individual passwords. These passwords can be configured based on the alias name that is specified for the key in the Policy sets and bindings editor. If a key password that is based on the alias is not found, the keystore password is used. The following command updates the integration node with the private key password for the key whose alias is encKey.
mqsisetdbparms integrationNodeName 
  -n brokerTruststore::KeyPassword::encKey 
  -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.