[UNIX, Linux, Windows]

Using runmqckm, runmqakm, and strmqikm to manage digital certificates

On UNIX, Linux®, and Windows systems, manage keys and digital certificates with the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).

[V9.0.2 Mar 2017]
Attention: Both the runmqckm and strmqikm commands rely on the IBM® MQ Java Runtime Environment (JRE). As of IBM MQ 9.0.2, if the JRE is not installed, you receive message AMQ9183.
  • For UNIX and Linux systems:
    • Use the strmqikm (iKeyman) command to start the iKeyman GUI.
    • Use the runmqckm (iKeycmd) command to perform tasks with the iKeycmd command line interface.
    • Use the runmqakm (GSKCapiCmd) command to perform tasks with the runmqakm command line interface. The command syntax for runmqakm is the same as the syntax for runmqckm.

      If you need to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command instead of the runmqckm or strmqikm commands.

    See Managing keys and certificates for a full description of the command line interfaces for the runmqckm and runmqakm commands.

    If you are using certificates or keys stored on PKCS #11 cryptographic hardware, note that iKeycmd and iKeyman are 64-bit programs. External modules required for PKCS #11 support are loaded into a 64-bit process, so you must have a 64-bit PKCS #11 library installed for the administration of cryptographic hardware. The Windows and Linux x86 32-bit platforms are the only exceptions, as the iKeyman and iKeycmd programs are 32-bit on those platforms.

    See GSKit: PKCS#11 and IBM MQ JRE addressing mode for further information.

    Before you run the strmqikm command to start the iKeyman GUI, ensure you are working on a machine that is able to run the X Window System and that you do the following:
    • Set the DISPLAY environment variable, for example:
      
      export DISPLAY=mypc:0
      
    • Ensure that your PATH environment variable contains /usr/bin and /bin. This is also required for the runmqckm and runmqakm commands. For example:
      
      export PATH=$PATH:/usr/bin:/bin
      
  • For Windows systems:
    • Use the strmqikm command to start the iKeyman GUI.
    • Use the runmqckm command to perform tasks with the iKeycmd command line interface.

      If you need to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command instead of the runmqckm or strmqikm commands.

    • Use the runmqakm -keydb command with the stashpw or stash option.
      When you use the runmqakm -keydb command in this way, for example:

      runmqakm -keydb -create -db key.kdb -pw secretpwd -stash

      the resultant .sth file does not have read permission enabled for the mqm group.

      Only the creator can read the file. After creating a stash file using the runmqakm command, check the file permissions, and grant permission to the service account running the queue manager, or to a group such as local mqm.
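
The permission check and grant described above, as an added PowerShell example that is not part of the IBM documentation. The stash file path and the principal name are assumed placeholders; the script also warns if broad built-in groups can read the file.

```powershell
# Added example. $StashFile and $Principal defaults are assumed placeholders.
param(
    [string]$StashFile = 'C:\mqssl\key.sth',  # assumed location of the .sth file
    [string]$Principal = 'mqm'                # local mqm group, or the queue manager service account
)
$ErrorActionPreference = 'Stop'
$sidType = [System.Security.Principal.SecurityIdentifier]
$read    = [System.Security.AccessControl.FileSystemRights]::Read

function Get-AllowRules {
    param([string]$Path)
    # Explicit and inherited Allow ACEs, with identities resolved to SIDs
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' }
}

function Test-ReadAce {
    param([string]$Path, [string]$Identity)
    # True if an Allow ACE names this identity directly and includes Read.
    # Access obtained only through membership of another group is not detected.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType).Value
    [bool](Get-AllowRules -Path $Path | Where-Object {
        $_.IdentityReference.Value -eq $sid -and ($_.FileSystemRights -band $read) -eq $read
    })
}

if (-not (Test-Path -LiteralPath $StashFile)) { throw "Stash file not found: $StashFile" }

if (-not (Test-ReadAce -Path $StashFile -Identity $Principal)) {
    # Grant read only: read access is what the stash file lacks after creation
    icacls $StashFile /grant "${Principal}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE" }
}
if (-not (Test-ReadAce -Path $StashFile -Identity $Principal)) {
    throw "$Principal still has no read ACE on $StashFile"
}

# The stash file holds the key database password in obfuscated form,
# so flag broad built-in groups that can reach it.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, BUILTIN\Users
Get-AllowRules -Path $StashFile |
    Where-Object { $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning "$($_.IdentityReference.Value) has $($_.FileSystemRights) on $StashFile"
    }

icacls $StashFile  # print the resulting ACL for the change record
```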

To request TLS tracing on UNIX, Linux or Windows systems, see strmqtrc.