Viewing and setting keystore and truststore runtime properties at integration node level

Configure the integration node to refer to a keystore, a truststore, or both, before deploying any message flows that require policy sets or bindings for signature, encryption, or X.509 Authentication.

About this task

Keystores and truststores are both keystores. They differ only in the way they are used.
  • Put all private keys and public key certificates (PKC) in the keystore.
  • Put all trusted root certificate authority (CA) certificates in the truststore. These certificates are used to establish the trust of any inbound public key certificates.

The only supported type of store is Java™ keystore (JKS).

Each instance of an integration node can be configured to refer to one keystore and one truststore.

The following properties of the integration node registry component must be defined correctly for policy sets and bindings:

brokerKeystoreFile
  The directory and file location of the keystore.

brokerTruststoreFile
  The directory and file location of the truststore.

If you want to check what security properties you have set for an integration node, use the mqsireportdbparms command.

Listing existing integration node registry entries

About this task

To display all integration node registry values, run the command:

mqsireportproperties integrationNodeName -o BrokerRegistry -a

This returns entries like these:

BrokerRegistry=''
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile=''
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
  brokerTruststorePass='brokerTruststore::password'
  httpConnectorPortRange=''
  httpsConnectorPortRange=''
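
A scripted check of the listing above, added here as an example and not part of the IBM documentation: it reads mqsireportproperties output and reports any keystore or truststore property that is still unset or is not JKS. The function names and the sample report are constructed for illustration.

```shell
# Added example (not IBM code): audit BrokerRegistry output for the
# keystore/truststore settings this page configures. Real use, on the node host:
#   mqsireportproperties integrationNodeName -o BrokerRegistry -a | audit_registry

# Print the value of property $1 from registry output read on stdin.
registry_value() {
  sed -n "s/^[[:space:]]*$1='\(.*\)'[[:space:]]*\$/\1/p" | head -n 1
}

# Record one finding (helper name is hypothetical, like the others here).
flag() { echo "$1"; findings=$((findings + 1)); }

# Read registry output on stdin, print one finding per line,
# return 0 only when both stores are fully referenced.
audit_registry() {
  report=$(cat)
  findings=0
  for store in Keystore Truststore; do
    file=$(printf '%s\n' "$report" | registry_value "broker${store}File")
    type=$(printf '%s\n' "$report" | registry_value "broker${store}Type")
    pass=$(printf '%s\n' "$report" | registry_value "broker${store}Pass")
    [ -n "$file" ] || flag "UNSET broker${store}File"
    # JKS is the only store type the page lists as supported.
    [ "$type" = "JKS" ] || flag "UNSUPPORTED broker${store}Type='$type'"
    # In the listing above this value matches the -n name given to mqsisetdbparms.
    [ -n "$pass" ] || flag "UNSET broker${store}Pass"
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample: the listing above, with both file properties still empty.
sample_report() {
  cat <<'EOF'
BrokerRegistry=''
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile=''
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
  brokerTruststorePass='brokerTruststore::password'
EOF
}
sample_report | audit_registry || echo "registry is not ready for policy sets and bindings"
```

A non-zero return from audit_registry can gate a deployment script so that flows needing signature, encryption, or X.509 authentication are not deployed against an unconfigured node.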

Updating the integration node reference to a keystore

About this task

To update the integration node reference to a keystore, use the following command:

mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerKeystoreFile -v c:\keystore\server.keystore

Where c:\keystore\server.keystore is the keystore to be referenced.

Updating the integration node reference to a truststore

About this task

To update the integration node reference to a truststore, use the following command:

mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerTruststoreFile -v c:\truststore\server.truststore

Where c:\truststore\server.truststore is the truststore to be referenced.

Updating the integration node with the keystore password

About this task

Keystores and truststores normally require passwords for access. Use the mqsisetdbparms command to add these passwords to the IBM® Integration Bus runtime component. If you want to check a password that you have set, use the mqsireportdbparms command.

mqsisetdbparms integrationNodeName -n brokerKeystore::password -u temp -p pa55word

The user ID, which can be any value, is not required to access the keystore.

Updating the integration node with the truststore password

About this task

To update the integration node with the truststore password, use the following command:

mqsisetdbparms integrationNodeName -n brokerTruststore::password -u temp -p pa55word

The user ID, which can be any value, is not required to access the keystore.

Updating the integration node with a private key password

About this task

Private keys in the keystore might have their own individual passwords. These can be configured based on the alias name that is specified for the key in the Policy sets and bindings editor. If a key password based on the alias is not found, the keystore password is used. The following command updates the integration node with the private key password for the key whose alias is encKey.

mqsisetdbparms integrationNodeName -n brokerTruststore::keypass::encKey -u temp -p pa55word

The user ID, which can be any value, is not required to access the keystore.