Setting up a key repository on z/OS
Set up a key repository at both ends of the connection. Associate each key repository with its queue manager.
A TLS connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. Use the SSLKEYR parameter on the ALTER QMGR command to associate a key repository with a queue manager. See The SSL/TLS key repository for more information.
On z/OS®, digital certificates are stored in a key ring that is managed by your External Security Manager (ESM) . These digital certificates have labels, which associate the certificate with a queue manager. TLS uses these certificates for authentication purposes. All the examples that follow use RACF® commands. Equivalent commands exist for other ESM programs.
On z/OS, IBM® MQ uses either the value of the CERTLABL
attribute, if it is set, or the default ibmWebSphereMQ
with the name of the queue
manager appended. See Digital certificate labels for
details.
The key repository name for a queue manager is the name of a key ring in your RACF database. You can specify the key ring name either before or after creating the key ring.
- Ensure that you have the appropriate authority to issue the RACDCERT command (see the SecureWay Security Server RACF Command Language Reference for more details).
- Issue the following command:
RACDCERT ID( userid1 ) ADDRING( ring-name )
where:- userid1 is the user ID of the channel initiator address space, or the user ID that is going to own the key ring (if the key ring is shared).
- ring-name is the name you want to give to your key ring. The length of this name can be up to 237 characters. This name is case-sensitive. Specify ring-name in uppercase characters to avoid problems.