[AIX, Linux, Windows]

Encrypting key repository passwords on AIX, Linux, and Windows

Several IBM® MQ components need access to a key repository that contains digital certificates or symmetric keys. A key repository is secured with a password as it contains sensitive information. The key repository password must be stored in a location where IBM MQ can read it when the key repository is accessed. The password must also be encrypted to reduce the likelihood of unauthorized access to the key repository.

The following IBM MQ components and features support two different methods to store key repository passwords:
  • The queue manager TLS key repository.
  • IBM MQ MQI clients that use TLS.
  • [MQ 9.4.0 Jun 2024] The Native HA configuration in the NativeHALocalInstance stanza of the qm.ini file.
  • [MQ 9.4.0 Jun 2024] The token authentication configuration in the AuthToken stanza of the qm.ini file.
Key repository passwords for use by these components can be encrypted and stored by using one of the following methods:
The IBM MQ password protection system.

Each IBM MQ component provides a command to encrypt the key repository password. The encrypted password that the command outputs is stored in a file.

For the queue manager TLS key repository, the password is encrypted when the SSLKEYRPWD queue manager attribute is set.

The password is encrypted with the AES-128 algorithm. The details of this algorithm are publicly known and it is considered secure.

The password is stored in a proprietary format that is not understood by other software that might access the key repository.

A password that is encrypted by one IBM MQ component cannot be used by a different IBM MQ component.

A unique encryption key can be provided when the key repository password is encrypted. A unique encryption key prevents anyone who does not have access to the encryption key from being able to decrypt the password.

The plain text key repository password is needed to manage the certificates that are in the key repository. In addition to encrypting the key repository password by using the IBM MQ password protection system, you must also store the key repository password in a secure location where it can be accessed for this purpose.

For more information about the IBM MQ password protection system, see Protecting passwords in IBM MQ component configuration files.

A key repository stash file.

The runmqakm command can store the key repository password in a stash file.

The password is encrypted with a proprietary method that is specific to IBM MQ's cryptographic provider, IBM Global Security Kit (GSKit).

A unique encryption key cannot be provided.

The encrypted password is stored in a stash file in the same directory as the key repository file.

Anyone with read access to both the key repository and the stash file can access and manage the contents of the key repository.

[Deprecated][MQ 9.4.0 Jun 2024] Note: From IBM MQ 9.4.0, the use of stash files with IBM MQ Java applications is deprecated.
[MQ 9.4.0 Jun 2024] Important: From IBM MQ 9.4.0, stash files are not supported by AMQP and MQTT channels that use TLS.
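Because anyone with read access to both the key repository and its stash file can open and manage the repository, the file permissions on the stash file are the only control that limits who can use the stashed password. The following POSIX shell audit is an added example and is not part of the IBM MQ documentation or product: it scans a directory for GSKit stash files (*.sth), reports any that are readable by the group or by others, and notes stash files that have no matching .kdb beside them. The directory name and the constructed sample files in the usage section are assumptions for the example; the function does not call runmqakm.

```shell
#!/bin/sh
# Added example (not IBM MQ product code): audit stash files in a key
# repository directory on AIX or Linux. A stash file should be no more
# readable than the key repository itself, so owner-only (0600) is the
# expected mode; group- or world-readable stash files are reported.

# audit_stash_files DIR
#   Prints one EXPOSED line per stash file readable by group or others and
#   one NOTE line per stash file without a matching .kdb file.
#   Returns 1 if any exposed stash file was found, 0 if the directory is clean.
audit_stash_files() {
    dir=$1
    found=0
    for sth in "$dir"/*.sth; do
        # An unmatched glob stays literal; skip it and anything that is not a file.
        [ -f "$sth" ] || continue
        # POSIX find: -perm -g+r (or -o+r) matches when that read bit is set.
        if [ -n "$(find "$sth" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
            echo "EXPOSED: $sth is readable by group or others"
            found=1
        fi
        # A stash file with no key repository beside it is usually a leftover
        # from a moved or deleted .kdb and is worth cleaning up.
        kdb="${sth%.sth}.kdb"
        [ -f "$kdb" ] || echo "NOTE: $sth has no matching $kdb"
    done
    return $found
}

# Usage with constructed sample files (assumed path; replace with the real
# key repository directory, for example the queue manager's ssl directory):
#   tmp=$(mktemp -d)
#   touch "$tmp/key.kdb" "$tmp/key.sth"; chmod 600 "$tmp/key.sth"
#   touch "$tmp/old.sth";                 chmod 644 "$tmp/old.sth"
#   audit_stash_files "$tmp"   # reports old.sth as EXPOSED and as unmatched
```

The check tests the mode bits rather than whether the current user can read the file, so it gives the same answer whether it is run as root or as the mqm user. Running it as a periodic job against every key repository directory turns the "anyone with read access to the stash file" condition into something you can detect rather than assume.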

Regardless of the method that you choose to encrypt the key repository password, ensure that you are aware of the limitations of encrypting stored passwords. For more information, see The limits to protection through password encryption.