Using keystores and certificates

To provide transparent cryptographic protection to IBM® MQ applications, IBM MQ Advanced Message Security uses the keystore file, where public key certificates and a private key are stored. On z/OS®, a SAF key ring is used instead of a keystore file.

In IBM MQ Advanced Message Security, users and applications are represented by public key infrastructure (PKI) identities. This type of identity is used to sign and encrypt messages. The PKI identity is represented by the subject's distinguished name (DN) field in a certificate that is associated with signed and encrypted messages. For a user or application to encrypt their messages, they require access to the keystore file where certificates and the associated private and public keys are stored.

On Windows and UNIX, the location of the keystore is provided in the keystore configuration file, which is keystore.conf by default. Each IBM MQ Advanced Message Security user must have a keystore configuration file that points to a keystore file. IBM MQ Advanced Message Security accepts the following formats of keystore file: .kdb, .jceks, .jks.

The default location of the keystore.conf file is:
  • On UNIX platforms and IBM i: $HOME/.mqs/keystore.conf
  • On Windows platforms: %HOMEDRIVE%%HOMEPATH%\.mqs\keystore.conf
If your keystore configuration file has a different name or location, point to it with the following commands:
  • For Java: java -DMQS_KEYSTORE_CONF=path/filename app_name
  • For C Client and Server:
    • On UNIX and Linux®: export MQS_KEYSTORE_CONF=path/filename
    • On Windows: set MQS_KEYSTORE_CONF=path\filename
      Note: The path on Windows can, and should, specify the drive letter if more than one drive letter is available.
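The lookup order described above (the MQS_KEYSTORE_CONF override, otherwise $HOME/.mqs/keystore.conf) and the accepted keystore file types, written up as a UNIX/Linux pre-flight check. This is an added example, not IBM's code or a supported tool; the function names are my own, and the permission check is an added assumption: keystore.conf is treated as sensitive because it locates the file holding the private key, and its contents are not parsed because the page does not describe its keys.

```shell
#!/bin/sh
# Pre-flight check for an AMS keystore configuration on UNIX/Linux.
# Added example, not from IBM's documentation.

# Resolve which keystore.conf the AMS client will read: an explicit
# MQS_KEYSTORE_CONF wins, otherwise the default $HOME/.mqs/keystore.conf.
ams_keystore_conf_path() {
    if [ -n "${MQS_KEYSTORE_CONF:-}" ]; then
        printf '%s\n' "$MQS_KEYSTORE_CONF"
    else
        printf '%s\n' "$HOME/.mqs/keystore.conf"
    fi
}

# Return 0 when a keystore file name carries one of the supported suffixes
# (.kdb, .jceks, .jks), 1 otherwise.
ams_keystore_type_ok() {
    case "$1" in
        *.kdb|*.jceks|*.jks) return 0 ;;
        *) return 1 ;;
    esac
}

# Check that keystore.conf exists, is a regular file readable by the caller,
# and grants nothing to group or others (assumption: treat it as sensitive,
# since it points at the private key). Returns 0 only if every check passes.
ams_check_conf() {
    conf="$1"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi
    [ -r "$conf" ] || { echo "not readable: $conf"; rc=1; }
    # ls mode string looks like -rw-------; columns 5-10 are the group/other bits
    mode=$(ls -ld "$conf" | cut -c5-10)
    case "$mode" in
        ------) ;;
        *) echo "permissions too open ($mode): $conf"; rc=1 ;;
    esac
    return $rc
}
```

Run `ams_check_conf "$(ams_keystore_conf_path)"` in the same environment the AMS application will start from, so the check sees the same MQS_KEYSTORE_CONF and HOME values.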