You can manage digital certificates on cryptographic hardware
that supports the PKCS #11 interface.
About this task
You must create a key database to prepare the IBM® WebSphere® MQ environment, even if you intend to store all your certificates on your cryptographic hardware and do not intend to store certificate authority (CA) certificates in it. A key database is necessary for
the queue manager to reference in its SSLKEYR field, or for the client application to reference in
the MQSSLKEYR environment variable. This key database is also required if you are creating a
certificate request.
You create the key database either by using the command line, or by using the
strmqikm (iKeyman) user interface.
Procedure
Create a key database by using the command line.
- Run either of the following commands:
where:
- -db filename
- Specifies the fully qualified file name of a CMS key database, and must have a file extension of .kdb.
- -pw password
- Specifies the password for the CMS key database.
- -type cms
- Specifies the type of database. (For IBM WebSphere MQ, it must be cms.)
- -stash
- Saves the key database password to a file.
- -fips
- Disables the use of the BSafe cryptographic library. Only the ICC component is used and this
component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses
algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the
runmqakm command fails.
- -strong
- Checks that the password entered satisfies the minimum requirements for password strength. The
minimum requirements for a password are as follows:
- The password must be a minimum length of 14 characters.
- The password must contain a minimum of one lowercase character, one uppercase character, and one
digit or special character. Special characters include the asterisk (*), the dollar sign ($), the
number sign (#), and the percent sign (%). A space is classified as a special character.
- Each character can occur a maximum of three times in a password.
- A maximum of two consecutive characters in the password can be identical.
- All characters are in the standard ASCII printable character set within the range 0x20 -
0x7E.
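The -strong rules above are the one part of this procedure that is easy to get wrong before the command is even run, so the following added example (not IBM's code and not part of this page) implements them as a check and then assembles the runmqakm command line from the options listed above. Two assumptions: the -keydb -create action options come from runmqakm's own usage rather than from this page (the page's command lines were not captured), and "special character" is interpreted as any printable ASCII character that is not a letter or digit, which covers the *, $, #, % and space examples the page gives.

```python
"""Check a CMS key-database password against the runmqakm -strong rules and
assemble the create command.  Added example; not IBM's code."""
from collections import Counter
from typing import List

MIN_LENGTH = 14          # rule: at least 14 characters
MAX_OCCURRENCES = 3      # rule: each character occurs at most three times
MAX_IDENTICAL_RUN = 2    # rule: at most two identical characters in a row


def _is_printable_ascii(c: str) -> bool:
    return 0x20 <= ord(c) <= 0x7E


def _is_special(c: str) -> bool:
    # Assumption: any printable ASCII character that is not a letter or a
    # digit counts as special (the page lists * $ # % and space as examples).
    return _is_printable_ascii(c) and not c.isalnum()


def check_strong_password(password: str) -> List[str]:
    """Return the names of the -strong rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no-lowercase")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no-uppercase")
    if not any("0" <= c <= "9" or _is_special(c) for c in password):
        problems.append("no-digit-or-special")
    if any(n > MAX_OCCURRENCES for n in Counter(password).values()):
        problems.append("char-repeated")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_IDENTICAL_RUN:
            problems.append("identical-run")
            break
    if not all(_is_printable_ascii(c) for c in password):
        problems.append("non-printable-ascii")
    return problems


def build_runmqakm_create(db_path: str, password: str, *, stash: bool = True,
                          fips: bool = False, strong: bool = True) -> List[str]:
    """Assemble argv for creating a CMS key database with runmqakm.

    -keydb -create are runmqakm's action options (assumed from the tool's usage,
    not shown on the page); -db, -pw, -type, -stash, -fips and -strong are the
    options the page documents.  Raises ValueError on an input runmqakm would
    reject, so the failure is caught before the tool is invoked.
    """
    if not db_path.endswith(".kdb"):
        raise ValueError("key database file name must end in .kdb")
    if strong:
        problems = check_strong_password(password)
        if problems:
            raise ValueError("password fails -strong rules: " + ", ".join(problems))
    argv = ["runmqakm", "-keydb", "-create",
            "-db", db_path, "-pw", password, "-type", "cms"]
    if stash:
        argv.append("-stash")   # writes the password to the .sth stash file
    if fips:
        argv.append("-fips")    # ICC only, must initialize in FIPS 140-2 mode
    if strong:
        argv.append("-strong")
    return argv


if __name__ == "__main__":
    # Constructed sample values: a queue manager key database path and a
    # password that satisfies every -strong rule.
    sample_db = "/var/mqm/qmgrs/QM1/ssl/key.kdb"
    sample_pw = "Tr0ub4dor&3Mq!x"
    print("violations:", check_strong_password(sample_pw))
    print(" ".join(build_runmqakm_create(sample_db, sample_pw, fips=True)))
```

The check deliberately reports every failed rule rather than stopping at the first, so an operator can fix a password in one pass; the real -strong option only tells you that the command failed.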
Alternatively, create a key database by using the strmqikm (iKeyman)
user interface.
- On UNIX and Linux systems,
log in as the root user. On Windows systems,
log in as Administrator or as a member of the MQM group.
- Start the iKeyman user interface by running the strmqikm command.
- Click .
- Click Key database type and select PKCS11Direct.
- In the File Name field, type
the name of the module for managing your cryptographic hardware; for
example, PKCS11_API.so.
If you are using certificates or keys stored on PKCS #11 cryptographic
hardware, note that iKeycmd and iKeyman are 64-bit programs. External modules required for PKCS #11
support will be loaded into a 64-bit process, therefore you must have a 64-bit PKCS #11 library
installed for the administration of cryptographic hardware. The Windows and Linux x86 32-bit
platforms are the only exceptions, as the iKeyman and iKeycmd programs are 32-bit on those
platforms.
- In the Location field, enter
the path:
- On UNIX and Linux systems, this might
be /usr/lib/pksc11, for example.
- On Windows systems, you can type
the library name; for example, cryptoki.
Click OK. The Open
Cryptographic Token window opens.
- In the Cryptographic Token Password field,
type the password that you set when you configured the cryptographic
hardware.
- If your cryptographic hardware has the
capacity to hold the signer certificates required to receive or import
a personal certificate, clear both secondary key database check boxes
and continue from step 13.
If you require a secondary CMS key database to hold the signer
certificates, select either Open existing secondary key
database file or Create new secondary key database
file.
- In the File Name field, type a file name. This field already contains the text key.kdb.
If your stem name is key, leave this field unchanged.
If you specified a different stem name, replace key with your stem name. You must not change the .kdb suffix.
- In the Location field, type the
path, for example:
- For a queue manager: /var/mqm/qmgrs/QM1/ssl
- For an IBM WebSphere MQ MQI client: /var/mqm/ssl
Click OK. The Password
Prompt window opens.
- Enter a password.
If you selected Open existing secondary key database file in step 9, type a password in the
Password field.
If you selected Create new secondary key database file in step 9, complete the following substeps:
- Type a password in the Password field, and type it again in the
Confirm Password field.
- Select Stash the password to a file. Note that if you do not
stash the password, attempts to start SSL channels fail because they cannot obtain the password
required to access the key database file.
- Click OK. A window opens, confirming that the password is in file key.sth (unless you specified a different stem name).
- Click OK. The
Key database content frame displays.