Structure of the keystore configuration file (keystore.conf) for AMS

The keystore configuration file (keystore.conf) points Advanced Message Security to the location of the appropriate keystore.

Each of the following configuration file types has a prefix:
CMS
Certificate Management System; configuration entries are prefixed with cms.
PKCS#11
Public Key Cryptography Standard #11; configuration entries are prefixed with pkcs11.
PEM (IBM i)
Privacy Enhanced Mail format; configuration entries are prefixed with pem.
JKS
Java KeyStore; configuration entries are prefixed with jks.
JCEKS
Java Cryptographic Encryption KeyStore; configuration entries are prefixed with jceks.

Example structures for keystores:

CMS

cms.keystore = /dir/keystore_file
cms.certificate = certificate_label

PKCS#11

pkcs11.library = dir\cryptoki.dll
pkcs11.certificate = certificatelabel
pkcs11.token = tokenlabel
pkcs11.token_pin = tokenpin
pkcs11.secondary_keystore = dir\signers

PEM (IBM i)

pem.private = /dir/keystore_file_private_key
pem.public = /dir/keystore_file_public_keys
pem.password = password

Java JKS

jks.keystore = dir/Keystore
jks.certificate = certificate_label
jks.encrypted = no
jks.keystore_pass = password
jks.key_pass = password
jks.provider = IBMJCE

Java JCEKS

jceks.keystore = dir/Keystore
jceks.certificate = certificate_label
jceks.encrypted = no
jceks.keystore_pass = password
jceks.key_pass = password
jceks.provider = IBMJCE
Table 1. Summary of parameters needed for each configuration file type

Parameter           Java (JKS and JCEKS)   PEM (IBM i)   PKCS#11   CMS
keystore            X                                              X
private                                    X
public                                     X
password                                   X
library                                                  X
certificate         X                                    X         X
token                                                    X
token_pin                                                X
secondary_keystore                                       X
encrypted           X
keystore_pass       X
provider            X

Configuration file parameters are defined as follows:
keystore
CMS and Java configuration only. Path to the keystore file for CMS, JKS, and JCEKS configuration.
Important:
  • The path to the keystore file must not include the file extension.
private
PEM configuration (IBM i) only. File name of a file that contains the private key and certificate in PEM format.
public
PEM configuration (IBM i) only. File name of a file that contains trusted public certificates in PEM format.
password
PEM configuration (IBM i) only. Password that is used to decrypt an encrypted private key.
library
PKCS#11 only. Path name of the PKCS#11 library.
certificate
CMS, PKCS#11 and Java configuration only. Certificate label.
token
PKCS#11 only. Token label.
token_pin
PKCS#11 only. PIN to unlock the token.
secondary_keystore
PKCS#11 only. Path name of the CMS keystore, provided without the .kdb extension, that contains the anchor certificates (root certificates) required by certificates stored on the PKCS#11 token. The secondary keystore can also contain certificates that are intermediate in the trust chain, as well as recipient certificates that are defined in the privacy security policy. This CMS keystore must be accompanied by a stash file, which must be located in the same directory as the secondary keystore.
encrypted
Java configuration only. Status of the password.
keystore_pass
Java configuration only. Password for the keystore file.
Note:
  • For the CMS keystore, AMS relies on the stash files (.sth), whereas JKS and JCEKS might require a password for both the certificate and the user's private key.
  • Important: Storing passwords in plain text form is a security risk.
key_pass
Java configuration only. Password for the user's private key.
Important: Storing passwords in plain text form is a security risk.
provider
Java configuration only. The Java security provider that implements cryptographic algorithms required by the keystore certificate.
Important: Information that is stored in the keystore is crucial for the secure flow of data that is sent by using IBM® MQ. Security administrators must pay particular attention when they are assigning file permissions to these files.

Example of the keystore.conf file:

cms.keystore = c:\Documents and Settings\Alice\AliceKeystore
cms.certificate = AliceCert

jceks.keystore = c:/Documents and Settings/Alice/AliceKeystore
jceks.certificate = AliceCert
jceks.encrypted = no
jceks.keystore_pass = passw0rd
jceks.key_pass = passw0rd
jceks.provider = IBMJCE
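As an added example (not part of the IBM documentation), a small Python checker that parses a keystore.conf, verifies the per-type parameters of Table 1, and flags the two problems the page calls out: a keystore or secondary_keystore path that carries a file extension, and a password or PIN stored in plain text. Treating a secret as plain text unless the same section sets encrypted = yes is an assumption of this checker, as is the key_pass handling (documented as Java-only but absent from Table 1).

```python
import re

# Parameters required per keystore type, as listed in Table 1 above.
REQUIRED = {
    "cms": {"keystore", "certificate"},
    "pkcs11": {"library", "certificate", "token", "token_pin", "secondary_keystore"},
    "pem": {"private", "public", "password"},
    "jks": {"keystore", "certificate", "encrypted", "keystore_pass", "provider"},
    "jceks": {"keystore", "certificate", "encrypted", "keystore_pass", "provider"},
}
# Assumption: key_pass is documented for Java only and is absent from Table 1, so accept it but never require it.
OPTIONAL = {"jks": {"key_pass"}, "jceks": {"key_pass"}}
# Parameters the page documents as passwords or PINs.
SECRETS = {"token_pin", "password", "keystore_pass", "key_pass"}
# Paths the page says must be given without their file extension.
NO_EXTENSION = {"keystore", "secondary_keystore"}
LINE_RE = re.compile(r"^([a-z0-9]+)\.([a-z_]+)\s*=\s*(.*?)\s*$")


def parse_keystore_conf(text):
    """Return {prefix: {parameter: value}}; blank lines and '#' comments are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'prefix.parameter = value', got {raw!r}")
        prefix, param, value = m.groups()
        conf.setdefault(prefix, {})[param] = value
    return conf


def check_keystore_conf(conf):
    """Return sorted findings; an empty list means every documented rule is satisfied."""
    findings = []
    for prefix, params in conf.items():
        if prefix not in REQUIRED:
            findings.append(f"{prefix}: unknown keystore type")
            continue
        known = REQUIRED[prefix] | OPTIONAL.get(prefix, set())
        findings += [f"{prefix}.{p}: required parameter missing" for p in REQUIRED[prefix] - set(params)]
        findings += [f"{prefix}.{p}: not a parameter of this keystore type" for p in set(params) - known]
        for param, value in params.items():
            if param in NO_EXTENSION and re.search(r"\.[A-Za-z0-9]+$", value):
                findings.append(f"{prefix}.{param}: path must not include the file extension")
            # Assumption: without 'encrypted = yes' (the page's examples use 'no') a non-empty secret is plain text.
            if param in SECRETS and value and params.get("encrypted", "no").lower() != "yes":
                findings.append(f"{prefix}.{param}: secret stored in plain text")
    return sorted(findings)
```

Run against the keystore.conf example above, the checker accepts the cms section and reports both jceks passwords as plain text.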