Creating a key repository on AIX®, Linux, and Windows
Use this procedure to create a new key repository.
You can create a new, empty key repository by using the runmqakm (GSKCapiCmd) command. If you use the runmqktool (keytool) command instead, the key repository is created implicitly when a command is issued to create or import a certificate.
Using runmqakm
Use the runmqakm command to create a CMS or PKCS #12 key repository.
runmqakm -keydb -create -db filename -pw password -type type -stash -fips -strong
where:
- -db filename
- Specifies the fully qualified file name of the key repository.
- -pw password
- Specifies the password for the key repository.
- -type type
- Specifies the type of key repository. For a key repository that is used by IBM® MQ, the possible values are:
- pkcs12
- cms
Note: From IBM MQ 9.4.0, the use of CMS key repositories and stash files is deprecated for IBM MQ Java applications and is not supported for AMQP and MQTT channels that use SSL/TLS.
- -stash
- Optional. Specify this option to store the key repository password in a stash file. You do not need to store the password in a stash file if you encrypt the password using the IBM MQ password protection system instead.
- -fips
- Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM Crypto for C (ICC) component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
- -strong
- Checks that the password entered satisfies the minimum requirements for password strength. The minimum requirements for a password are as follows:
- The password must be a minimum length of 14 characters.
- The password must contain a minimum of one lowercase character, one uppercase character, and one digit or special character. Special characters include the asterisk (*), the dollar sign ($), the number sign (#), and the percent sign (%). A space is classified as a special character.
- Each character can occur a maximum of three times in a password.
- A maximum of two consecutive characters in the password can be identical.
- All characters are in the standard ASCII printable character set, within the range 0x20 - 0x7E.
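The -strong rules can be checked before the command is run. The following Python function, an added example rather than code from IBM MQ or the runmqakm tool, reports which of the rules listed above a candidate password breaks; because the page gives only examples of special characters, it assumes that every printable ASCII character that is not a letter or digit (the space included) counts as special.

```python
import string

# Characters the -strong check accepts: printable ASCII 0x20 - 0x7E (space included).
ALLOWED = {chr(c) for c in range(0x20, 0x7F)}
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
# Assumption: every allowed character that is not a letter or digit is "special".
SPECIAL = ALLOWED - LOWER - UPPER - DIGITS


def strong_password_violations(password: str) -> list:
    """Return the -strong rules that password breaks; an empty list means it passes."""
    chars = set(password)
    violations = []
    if len(password) < 14:
        violations.append("shorter than 14 characters")
    if not chars <= ALLOWED:
        violations.append("contains a character outside printable ASCII 0x20-0x7E")
    if not chars & LOWER:
        violations.append("no lowercase character")
    if not chars & UPPER:
        violations.append("no uppercase character")
    if not chars & (DIGITS | SPECIAL):
        violations.append("no digit or special character")
    # Each character may occur at most three times anywhere in the password.
    if any(password.count(ch) > 3 for ch in chars):
        violations.append("a character occurs more than three times")
    # At most two identical characters may appear consecutively.
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > 2:
            violations.append("more than two consecutive identical characters")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real passwords.
    for candidate in ("Mq#Repo2024Key!x", "short", "aaaBBB111222333"):
        problems = strong_password_violations(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```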
Using runmqktool
Use the runmqktool command to create a PKCS #12, JKS, or JCEKS key repository. The key repository is created when you issue a runmqktool command to do any of the following:
- Create a certificate.
- Add a certificate to a key repository.
- Import a certificate to a key repository.
For example, the following command creates a JKS key repository and generates a key pair with a self-signed certificate in it:
runmqktool -genkeypair -keystore /var/mqm/ssl/keystore.jks -storetype jks -storepass password -dname "CN=mycert,OU=MQ,O=IBM" -alias mycert -keyalg RSA
For more information about the runmqktool commands that create a new key repository, see Creating a self-signed personal certificate on AIX, Linux, and Windows, Adding a CA certificate, or the public part of a trusted certificate, into a key repository on AIX, Linux, and Windows, and Importing a personal certificate into a key repository on AIX, Linux, and Windows.