Keystore configuration
An integration server can use a keystore for encrypting and decrypting data. The keystore must be a password-protected keystore in a JKS, PKCS12, or RDB format.
In an IBM® App Connect Enterprise on-premises system, the keystore is a file that the integration server references, and it is set either by the mqsichangeproperties command or by using configuration in the server.conf.yaml file.
To use the keystore in an integration server in a containerized environment, you need to use a Keystore configuration type. The keystore file in the Keystore configuration type will be placed unchanged in the directory /home/aceuser/keystores in the integration server containers, with the same name as its configuration object name. For example, if you called the configuration my-keystore.jks, the keystore will be copied to /home/aceuser/keystores/my-keystore.jks. This path can then be referenced from the server.conf.yaml file that is also provided as a configuration object, or from other configuration files like odbc.ini.
For IBM MQ key repositories, several files are required for a key repository: an RDB, a KDB, and an STH file. Create these files as separate keystore configurations with the same name but different extensions, and apply each of them to the integration server. For example, create my-mqcerts.kdb, my-mqcerts.rdb, and my-mqcerts.sth, and then reference these files from the server.conf.yaml file by using /home/aceuser/keystores/my-mqcerts (the path without an extension, as IBM MQ expects for a key repository).
The password is not set on this configuration object, so instead use the setdbparms.txt configuration type to define security identities that contain the password, and then use those identities to supply the password to configuration files like server.conf.yaml.
The name of the configuration object is used as the file name of the keystore inside the integration server, so you must provide a name that is suffixed with a supported file extension; for example, name.jks. If a file extension is not included as part of the configuration name, the integration server will not recognize this configuration, and error messages will be generated during the deployment.
- If you are creating the configuration object by using the Red Hat® OpenShift® web console or CLI, you will need to run a Base64 encoder against your keystore file and use the output as the value of the spec.data parameter in the configuration custom resource. For more information, see Creating a configuration object.
- If you are using the App Connect Dashboard, you can create the configuration object from the Configuration page or while creating the integration server, as described in Configuration types for integration servers and integration runtimes.
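The following shell script is an added example, not IBM's own tooling, showing the naming and encoding steps described above: it checks that a configuration name carries a supported keystore extension (so the integration server recognizes it), Base64-encodes the keystore file into the spec.data field of a Configuration custom resource ready for `oc apply -f`, and generates the three separate configurations an IBM MQ key repository needs. The apiVersion appconnect.ibm.com/v1beta1 and the spec.type value keystore are assumptions taken from the Keystore type reference rather than from this page; the namespace and file names are constructed sample values.

```shell
#!/bin/sh
# Added example (not IBM's code): build App Connect "Configuration" custom
# resources of the Keystore type from keystore files on disk.
# Assumptions beyond the page: apiVersion appconnect.ibm.com/v1beta1 and
# spec.type "keystore" (verify against the Keystore type reference).

# Extensions the page names: JKS, PKCS12 (.p12/.pkcs12) and RDB for the
# server keystore, plus KDB and STH for IBM MQ key repositories.
KEYSTORE_EXTENSIONS="jks p12 pkcs12 rdb kdb sth"

# Return 0 when NAME ends in a supported extension, 1 otherwise.
# A name without any extension is rejected: the integration server would
# not recognize the configuration and deployment would report errors.
keystore_name_ok() {
  name=$1
  ext=${name##*.}
  # ${name##*.} leaves the whole name unchanged when there is no dot at all
  [ "$ext" != "$name" ] || return 1
  for e in $KEYSTORE_EXTENSIONS; do
    [ "$ext" = "$e" ] && return 0
  done
  return 1
}

# Print the Configuration CR for FILE in NAMESPACE. The object name is the
# file's basename, which is also the name it gets under
# /home/aceuser/keystores inside the integration server container.
render_keystore_config() {
  file=$1
  namespace=$2
  name=$(basename "$file")
  keystore_name_ok "$name" || {
    echo "unsupported keystore extension: $name" >&2
    return 1
  }
  # tr removes line wrapping so spec.data is a single Base64 string
  encoded=$(base64 < "$file" | tr -d '\n')
  cat <<EOF
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: $name
  namespace: $namespace
spec:
  type: keystore
  description: Keystore mounted at /home/aceuser/keystores/$name
  data: $encoded
EOF
}

# An IBM MQ key repository is three files sharing a base name; each becomes
# its own Keystore configuration and server.conf.yaml then references
# /home/aceuser/keystores/<base> without an extension.
render_mq_keyrepo_configs() {
  base=$1
  namespace=$2
  for ext in kdb rdb sth; do
    [ -f "$base.$ext" ] || {
      echo "missing key repository file: $base.$ext" >&2
      return 1
    }
    render_keystore_config "$base.$ext" "$namespace" || return 1
    echo "---"
  done
}

# Usage (constructed paths):
#   render_keystore_config ./my-keystore.jks ace-demo | oc apply -f -
#   render_mq_keyrepo_configs ./my-mqcerts ace-demo | oc apply -f -
```

The generated CR only carries the keystore bytes; the keystore password still has to be supplied through a setdbparms.txt configuration and referenced from server.conf.yaml, as the page describes.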
For more information about this configuration type, see Keystore type.