Setting up a key repository on UNIX, Linux, and Windows systems
You can set up a key repository by using the iKeyman user interface, or by using the iKeycmd or runmqakm commands.
About this task
An SSL or TLS connection requires a key repository at each end of the connection. Each IBM® WebSphere® MQ queue manager and IBM WebSphere MQ MQI client must have access to a key repository. For more information, see The SSL or TLS key repository.
On UNIX, Linux®, and Windows systems, digital certificates are stored in a key database file that is managed by using the iKeyman user interface, or by using the iKeycmd or runmqakm commands.
These digital certificates have labels. A specific label associates a personal certificate with a queue manager or IBM WebSphere MQ MQI client. SSL and TLS use that certificate for authentication purposes. On UNIX, Linux, and Windows systems, IBM WebSphere MQ uses ibmwebspheremq as a label prefix to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager or IBM WebSphere MQ MQI client user logon ID, changed to lowercase. Ensure that you specify the entire certificate label in lowercase.
The key database file name comprises a path and stem name:
On UNIX and Linux systems, the default path for a queue manager (set when you created the queue manager) is /var/mqm/qmgrs/<queue_manager_name>/ssl.
On Windows systems, the default path is MQ_INSTALLATION_PATH\Qmgrs\queue_manager_name\ssl, where MQ_INSTALLATION_PATH is the directory in which IBM WebSphere MQ is installed. For example, C:\program files\IBM\WebSphere MQ\Qmgrs\QM1\ssl.
The default stem name is key. Optionally, you can choose your own path and stem name, but the extension must be .kdb.
If you choose your own path or file name, set the permissions on the file to tightly control access to it.
For a WebSphere MQ client, there is no default path or stem name. Tightly control access to this file. The extension must be .kdb.
Do not create key repositories on a file system that does not support file level locks, for example NFS version 2 on Linux systems.
See Changing the key repository location for a queue manager on UNIX, Linux or Windows systems for information about checking and specifying the key database file name. You can specify the key database file name either before or after creating the key database file.
The user ID from which you run the iKeyman or iKeycmd commands must have write permission for the directory in which the key database file is created or updated. For a queue manager using the default ssl directory, the user ID from which you run iKeyman or iKeycmd must be a member of the mqm group. For an IBM WebSphere MQ MQI client, if you run iKeyman or iKeycmd from a user ID different from that under which the client runs, you must alter the file permissions to enable the IBM WebSphere MQ MQI client to access the key database file at run time. For more information, see Accessing and securing your key database files on Windows or Accessing and securing your key database files on UNIX and Linux systems.
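The label, path, and permission rules described above, as an added POSIX shell example. This is not IBM documentation or product code and it does not call iKeyman, iKeycmd, or runmqakm; it only derives the names the text specifies and tightens file permissions. The queue manager name QM1 and the temporary directory are constructed inputs. The .sth, .rdb, and .crl companion file names are an assumption based on what GSKit creates beside a .kdb file; the page itself does not list them.

```shell
#!/bin/sh
# Added example, not from the IBM documentation.

# Certificate label: the fixed prefix ibmwebspheremq followed by the queue
# manager name or client logon ID folded to lowercase, as the text requires.
mq_cert_label() {
  printf '%s\n' "ibmwebspheremq$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Default key database path for a queue manager on UNIX and Linux:
# /var/mqm/qmgrs/<queue_manager_name>/ssl with the default stem name "key".
mq_default_kdb_path() {
  printf '%s\n' "/var/mqm/qmgrs/$1/ssl/key.kdb"
}

# A user-chosen key database name is acceptable only with the .kdb extension.
mq_kdb_name_ok() {
  case "$1" in
    *.kdb) return 0 ;;
    *)     return 1 ;;
  esac
}

# Tighten access on the key database and its companion files (assumed
# GSKit names: .sth stash file, .rdb request database, .crl).
# Mode 640: owner read/write, group read, no access for others.
# Optional second argument: group to own the files (for example mqm),
# so the queue manager or client user ID can read them at run time.
mq_restrict_kdb_perms() {
  kdb="$1"
  grp="$2"
  mq_kdb_name_ok "$kdb" || return 1
  stem="${kdb%.kdb}"
  for f in "$kdb" "$stem.sth" "$stem.rdb" "$stem.crl"; do
    [ -e "$f" ] || continue            # companion files are optional
    chmod 640 "$f" || return 1
    if [ -n "$grp" ]; then
      chgrp "$grp" "$f" || return 1
    fi
  done
  return 0
}

# Demonstration on a constructed queue manager name.
echo "Label: $(mq_cert_label QM1)"
echo "Path:  $(mq_default_kdb_path QM1)"
```

Call mq_restrict_kdb_perms with the .kdb path (and, for a queue manager, the group mqm) after the key database has been created; the function refuses names that do not end in .kdb.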
In iKeyman or iKeycmd version 7.0, new key databases are automatically populated with a set of pre-defined certificate authority (CA) certificates. In iKeyman or iKeycmd version 8.0, key databases are not automatically populated, making the initial setup more secure because you include only the CA certificates that you want in your key database file.
Procedure
Create a key database by using the command line.
Alternatively, create a key database by using the strmqikm (iKeyman) user interface.