[AIX, Linux, Windows]

Creating a key repository on AIX®, Linux, and Windows

Use this procedure to create a new key repository.

You can create a new, empty key repository by using the runmqakm (GSKCapiCmd) command. [MQ 9.4.0 Jun 2024] If you use the runmqktool (keytool) command instead, the key repository is created when a command is issued to create or import a certificate.

[MQ 9.4.0 Jun 2024] Attention: On Windows and Linux®, if the key repository is used with TLS AMQP channels, you must use a PKCS #12 key repository with a file suffix of .p12 or .pkcs12.

Using runmqakm

Use the runmqakm command to create a CMS or PKCS #12 key repository.

Issue the following command to create a key repository with the runmqakm command:
runmqakm -keydb -create -db filename -pw password -type type
         -stash -fips -strong
where:
-db filename
Specifies the fully qualified file name of the key repository.
-pw password
Specifies the password for the key repository.
-type type
[MQ 9.4.0 Jun 2024] Specifies the type of key repository. For a key repository that is used by IBM® MQ, the possible values are:
  • pkcs12
  • cms [Deprecated]
    Note: From IBM MQ 9.4.0, the use of CMS key repositories and stash files is deprecated for IBM MQ Java applications and is not supported for AMQP and MQTT channels that use SSL/TLS.
-stash
Optional. Specify this option to store the key repository password in a stash file. You do not need to store the password in a stash file if you encrypt the password using the IBM MQ password protection system instead.
-fips
Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM Crypto for C (ICC) component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-strong
Checks that the password entered satisfies the minimum requirements for password strength. The minimum requirements for a password are as follows:
  • The password must be a minimum length of 14 characters.
  • The password must contain a minimum of one lowercase character, one uppercase character, and one digit or special character. Special characters include the asterisk (*), the dollar sign ($), the number sign (#), and the percent sign (%). A space is classified as a special character.
  • Each character can occur a maximum of three times in a password.
  • A maximum of two consecutive characters in the password can be identical.
  • All characters are in the standard ASCII printable character set, within the range 0x20 - 0x7E.
For more information about these parameters and the values that can be specified, see runmqakm -keydb.
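The -strong rules above are precise enough to check before the command is ever run, which is useful when a key repository is created from a provisioning script and the password comes from a secret store. The following Python is an added example, not IBM code and not part of the runmqakm tool: check_strong_password mirrors the five listed requirements and returns the rules a candidate password breaks, and runmqakm_create_args (a hypothetical helper name) assembles the argument list for the runmqakm -keydb -create command shown above, refusing to build it when -strong is requested and the password would be rejected. The sample passwords are constructed for illustration; runmqakm's own check remains authoritative.

```python
from collections import Counter

# Minimum requirements enforced by runmqakm -strong, as documented above.
MIN_LENGTH = 14
MAX_OCCURRENCES = 3   # each character may appear at most three times
MAX_CONSECUTIVE = 2   # at most two identical characters in a row
SPECIAL_EXAMPLES = "*$#% "  # documented examples of special characters


def check_strong_password(password: str) -> list[str]:
    """Return the list of -strong rules the password violates.

    An empty list means the password satisfies every documented requirement.
    """
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # One lowercase, one uppercase, and one digit or special character.
    # Anything that is not a letter or digit counts as special (a space included).
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digit or special character")

    # Every character must be printable ASCII in the range 0x20 - 0x7E.
    if any(not 0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("character outside printable ASCII 0x20-0x7E")

    # Each character can occur at most MAX_OCCURRENCES times in total.
    overused = sorted(c for c, n in Counter(password).items() if n > MAX_OCCURRENCES)
    if overused:
        problems.append(
            f"character(s) used more than {MAX_OCCURRENCES} times: {overused!r}")

    # At most MAX_CONSECUTIVE identical characters may be adjacent.
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_CONSECUTIVE:
            problems.append(
                f"more than {MAX_CONSECUTIVE} identical consecutive characters")
            break

    return problems


def runmqakm_create_args(db: str, password: str, type_: str = "pkcs12",
                         stash: bool = False, fips: bool = False,
                         strong: bool = True) -> list[str]:
    """Build the argv for 'runmqakm -keydb -create' (hypothetical helper).

    Raises ValueError for an unsupported repository type, or when -strong is
    requested and the password would fail runmqakm's strength check.
    """
    if type_ not in ("pkcs12", "cms"):
        raise ValueError(f"unsupported key repository type for IBM MQ: {type_}")
    if strong:
        problems = check_strong_password(password)
        if problems:
            raise ValueError("password does not meet -strong requirements: "
                             + "; ".join(problems))
    args = ["runmqakm", "-keydb", "-create", "-db", db, "-pw", password,
            "-type", type_]
    if stash:
        args.append("-stash")
    if fips:
        args.append("-fips")
    if strong:
        args.append("-strong")
    return args


if __name__ == "__main__":
    # Constructed sample passwords; none of these is a real credential.
    for candidate in ("Mq-Repo#Pass2024", "password", "Aaaa1234567890!b"):
        print(repr(candidate), "->", check_strong_password(candidate) or "ok")
    print(" ".join(runmqakm_create_args("/var/mqm/ssl/key.p12", "Mq-Repo#Pass2024",
                                        fips=True)))
```

Because the helper only assembles the argument list, the password still reaches the command line; in a real provisioning script pass the list to a subprocess call and avoid logging it, and remember that -stash writes the password to disk, which is why the text offers the IBM MQ password protection system as the alternative.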

Using runmqktool

Use the runmqktool command to create a PKCS #12, JKS, or JCEKS key repository.

The runmqktool command cannot create a new, empty key repository. A new key repository is created when the command is used to complete one of the following actions:
  • Create a certificate.
  • Add a certificate to a key repository.
  • Import a certificate to a key repository.
If the key repository that is specified on the command does not exist, it is created when the command runs.
For example, the following command creates a JKS key repository that contains a new self-signed certificate:
runmqktool -genkeypair -keystore /var/mqm/ssl/keystore.jks -storetype jks -storepass password
           -dname "CN=mycert,OU=MQ,O=IBM" -alias mycert -keyalg RSA

For more information about the runmqktool commands that create a new key repository, see Creating a self-signed personal certificate on AIX, Linux, and Windows, Adding a CA certificate, or the public part of a trusted certificate, into a key repository on AIX, Linux, and Windows, and Importing a personal certificate into a key repository on AIX, Linux, and Windows.