Setting up a key repository on IBM i

A key repository must be set up at both ends of the connection. The default certificate stores can be used or you can create your own.

A TLS connection requires a key repository at each end of the connection. Each queue manager and IBM® MQ MQI client must have access to a key repository. If you want to access the key repository using a file name and password (that is, not using the *SYSTEM option), ensure that the QMQM user profile has the following authorities:
  • Execute authority for the directory containing the key repository
  • Read authority for the file containing the key repository
See The SSL/TLS key repository for more information. Note that channel CERTLABL attributes are not used if you use the *SYSTEM certificate store.

On IBM i, digital certificates are stored in a certificate store that is managed with DCM. These digital certificates have labels, which associate a certificate with a queue manager or an IBM MQ MQI client. TLS uses the certificates for authentication purposes.

The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.

The queue manager or IBM MQ MQI client certificate store name comprises a path and stem name. The default path is /QIBM/UserData/ICSS/Cert/Server/ and the default stem name is Default. On IBM i, the default certificate store, /QIBM/UserData/ICSS/Cert/Server/Default.kdb, is also known as *SYSTEM. Optionally, you can define your own path and stem name.

If you define your own path or file name, set the permissions on the directory and file so that only the profiles that need the key repository can reach it.

Changing the key repository location for a queue manager on IBM i tells you about specifying the certificate store name. You can specify the certificate store name either before or after creating the certificate store.
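The following CL commands, added here as an example and not taken from the IBM MQ documentation, apply the QMQM authorities listed above to a self-defined certificate store and then point a queue manager at it. The queue manager name QMA, the directory /home/mqtls and the stem name qma are constructed for the example.

```cl
/* Added example; QMA, /home/mqtls and the stem name qma are constructed.      */
/* Lock the directory down: nobody but QMQM (and the owner) may traverse it.   */
CHGAUT OBJ('/home/mqtls') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/home/mqtls') USER(QMQM) DTAAUT(*X) OBJAUT(*NONE)

/* QMQM needs read on the key database file only; no write, no object rights.  */
CHGAUT OBJ('/home/mqtls/qma.kdb') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/home/mqtls/qma.kdb') USER(QMQM) DTAAUT(*R) OBJAUT(*NONE)

/* Tell the queue manager where the store is: path plus stem name, no .kdb.    */
/* Use SSLKEYR(*SYSTEM) instead to fall back to the default DCM store.         */
CHGMQM MQMNAME(QMA) SSLKEYR('/home/mqtls/qma')

/* Verify the effective authorities and the queue manager attribute.           */
DSPAUT OBJ('/home/mqtls/qma.kdb')
DSPMQM MQMNAME(QMA)
```

If the stem name differs from the default ibmwebspheremq label scheme, set CERTLABL on the queue manager or channel as well; it is ignored when SSLKEYR(*SYSTEM) is in use.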

Note: The operations you can perform with DCM might be limited by the authority of your user profile. For example, you require *ALLOBJ and *SECADM authorities to create a CA certificate.