Setting up a key repository on IBM i
A key repository must be set up at both ends of the connection. The default certificate stores can be used or you can create your own.
- Execute authority for the directory containing the key repository
- Read authority for the file containing the key repository
On IBM i, digital certificates are stored in a certificate store that is managed with DCM. These digital certificates have labels, which associate a certificate with a queue manager or an IBM MQ MQI client. TLS uses the certificates for authentication purposes.
The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.
The queue manager or IBM MQ MQI client certificate store name comprises a path and stem name. The default path is /QIBM/UserData/ICSS/Cert/Server/ and the default stem name is Default. On IBM i, the default certificate store, /QIBM/UserData/ICSS/Cert/Server/Default.kdb, is also known as *SYSTEM. Optionally, you can define your own path and stem name.
If you define your own path or file name, set the permissions on the file to tightly control access to it.
Changing the key repository location for a queue manager on IBM i tells you about specifying the certificate store name. You can specify the certificate store name either before or after creating the certificate store.
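The authority requirements and the advice to tightly control access can be checked with a short script. This is an added example, not IBM's code: the function names are hypothetical, QM1 is a constructed queue manager name, and the script assumes the authorities show up as POSIX mode bits through stat and that the store file is the path and stem with a .kdb suffix, as in the default store named above.

```python
import os
import stat
import sys

def default_label(name, certlabl=None):
    # CERTLABL wins if set; otherwise ibmwebspheremq + name, all lowercase.
    return certlabl if certlabl else ("ibmwebspheremq" + name).lower()

def audit_key_repository(path_and_stem):
    """Return findings for <path_and_stem>.kdb; an empty list means no issue found."""
    kdb = path_and_stem + ".kdb"   # suffix as in the default store named on the page
    directory = os.path.dirname(kdb) or "."
    if not os.path.isdir(directory):
        return ["directory not found: " + directory]
    findings = []
    # Required authorities, checked for the user running this script.
    if not os.access(directory, os.X_OK):
        findings.append("no execute authority on directory " + directory)
    if not os.path.isfile(kdb):
        return findings + ["key repository not found: " + kdb]
    if not os.access(kdb, os.R_OK):
        findings.append("no read authority on file " + kdb)
    # Tight access control: nothing for others, no write for group.
    file_mode = stat.S_IMODE(os.stat(kdb).st_mode)
    if file_mode & stat.S_IRWXO:
        findings.append("file is accessible to other users (mode %o)" % file_mode)
    if file_mode & stat.S_IWGRP:
        findings.append("file is group-writable (mode %o)" % file_mode)
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    if dir_mode & stat.S_IWOTH:
        findings.append("directory is writable by other users (mode %o)" % dir_mode)
    return findings

if __name__ == "__main__":
    # Default path and stem from the page; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/QIBM/UserData/ICSS/Cert/Server/Default"
    print("default label for QM1 (constructed name):", default_label("QM1"))
    for finding in audit_key_repository(target) or ["no findings"]:
        print(finding)
```

Run it under the user profile that has to open the key repository, since the execute and read checks apply to whoever runs the script.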