Stashing the certificate store password on IBM i systems

Stash the certificate store password by using CL commands.

The following instructions apply to stashing the certificate store password on IBM® i for a queue manager. Alternatively, for an IBM MQ MQI client, if you are not using the *SYSTEM certificate store (that is, the MQSSLKEYR environment is set to a value other than *SYSTEM), follow the procedure described in the Stash the certificate store password section of IBM MQ SSL Client utility (amqrsslc) for IBM i.

If you have specified that the *SYSTEM certificate store is to be used (by changing the value of the SSLKEYR attribute of the queue manager to *SYSTEM) you must not follow these steps.

When you have created the certificate store using DCM, use the following commands to stash the password: 
STRMQM MQMNAME('queue_manager_name')
CHGMQM MQMNAME('queue_manager_name') SSLKEYRPWD('password')
The password is case sensitive. It must be entered in single quotation marks exactly as you entered it in step 6 of Creating a certificate store on IBM i.
Note: If you are not using the default system certificate store, and you do not stash the password, attempts to start TLS channels fail because they cannot obtain the password required to access the certificate store.
[MQ 9.3.0 Jun 2022]

Password protection

When a key repository password is specified, IBM MQ encrypts the password using the IBM MQ Password Protection system. To encrypt the password an initial key is used; if this is not supplied to the queue manager, a default key is used instead.

Prior to supplying the key repository password, you should set a unique initial key for the queue manager. You can do this by using the INITKEY attribute of the ALTER QMGR MQSC command:
ALTER QMGR INITKEY('value')