Create and initialize the integration node keystore and truststore (z/OS®)

Create a keystore and import your personal certificate and signer certificates.

Before you begin

Note: Due to export restrictions, the IBM® JDKs ship with a set of restricted policy files that limit the size of the cryptographic keys that are supported. To overcome these restrictions, use the unrestricted policy files in the $JAVA_HOME/lib/security directory:
  • local_policy.jar
  • US_export_policy.jar

The unrestricted policy files are the same for the IBM JDK 1.4.2, IBM JDK 5, and IBM JDK 6.  These files are in the JAVA_HOME/demo/jce/policy-files/unrestricted directory.

About this task

This topic describes how to use the same file as keystore and truststore. To specify different files, complete the process twice:
  • Do not import signer certificates into the keystore.
  • Do not import personal certificates into the truststore.

The tasks use keytool to create the keystore. An alternative is the ikeyman graphical tool, which requires an X Window System.

The following are the steps required to create and initialize the integration node keystore:
  1. Create the keystore. keytool requires a dummy key to be created to force the creation of the keystore file. The dummy key is deleted after the keystore is created.
  2. Import the CA signer certificate or certificates. These are certificates that have signed certificates of client applications that connect to the IBM Integration Bus and that are accepted as trusted applications.
Example commands for each step are as follows:

Procedure

  1. Create the JKS keystore.
    For example: 
    /usr/lpp/java/J6.0/bin/keytool -genkey   
     -alias DUMMY
     -keystore  /u/CSQPBRK/ssl/csqpbrkKeystore.jks 
     -storetype jks 
     -dname  "CN=DUMMY,OU=BROKER,O=IBM,L=Hursley,C=GB"
     -storepass changeit 
     -keypass changeit
  2. Delete the dummy key.
    For example: 
    /usr/lpp/java/J6.0/bin/keytool -delete  
     -alias DUMMY
     -keystore  /u/CSQPBRK/ssl/csqpbrkKeystore.jks
     -storepass changeit
  3. Optional: Import the CA signer certificates.
    Omit this step if you require separate files for a keystore and truststore, and are creating a keystore.
    For example: 
    /usr/lpp/java/J6.0/bin/keytool -import  
     -keystore /u/CSQPBRK/ssl/csqpbrkKeystore.jks 
     -storepass changeit 
     -alias RACFCA
     -file /u/CSQPBRK/ssl/csqpbrk.ca.der -v
  4. Optional: Import the integration node personal certificate.
    Omit this step if you require separate files for a keystore and truststore, and are creating a truststore.
    For example: 
    /usr/lpp/java/J6.0/bin/keytool -import  
  -keystore /u/CSQPBRK/ssl/csqbrkKeystore.jks
  -storepass changeit
  -alias CSQPBRK
  -file /u/CSQPBRK/ssl/csqpbrk.pers.p12 
  -v 
  -pkcs12
  -keypass changeit 
  -noprompt
    If you are going to use the keystore with inbound https connections, then ensure that you always specify a keypass and that it matches the storepass.
  5. List the contents of the integration node keystore.
    For example: 
    /usr/lpp/java/J6.0/bin/keytool -list  
   -keystore /u/CSQPBRK/ssl/csqbrkKeystore.jks
   -storepass changeit

What to do next

What to do next: Configure IBM Integration Bus on z/OS for SSL.