IBM Support

From JDK 9 onward, the default keystore type generated by Keytool is PKCS12. This can cause compatibility issues with MQ client applications such as MQ Explorer.

Troubleshooting


Problem

A JKS keystore is created using Java Keytool, but it cannot be accessed through MQ Explorer.
The error code returned may be AMQ4598.
In earlier versions of the JDK, Java Keytool defaulted to creating a keystore of type JKS. From JDK version 9 onward, the default keystore type is PKCS12.
https://blogs.oracle.com/jtc/jdk9-keytool-transitions-default-keystore-to-pkcs12
For demonstration purposes, we use (a) the Keytool command to create what is intended to be a JKS keystore and (b) the runmqckm command to display its content:
(a)- keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore store1.jks -dname "CN= store1,OU=1, O=ORG, L=Durham, ST=NC, C=US"
(b)- runmqckm -cert -list -db store1.jks -type JKS -pw password
An IO Exception has occurred:
Invalid keystore format

Explanation:
From JDK 9 onward, the default keystore type generated by Keytool is PKCS12.
MQ Explorer is a Java application that can read and decrypt keystores of type JKS only.

Diagnosing The Problem

Verify which JDK release you are using to determine whether Keytool defaults to creating a PKCS12 keystore.
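
The keystore file itself can also be checked, since a file named .jks is not necessarily in JKS format. The script below is an added example, not part of the original IBM document: it classifies a keystore by its leading bytes. The function names and the sample files are constructed for illustration, and the PKCS12 match is a heuristic (any DER-encoded file begins with the same byte).

```sh
#!/bin/sh
# Added example: identify a keystore's real on-disk format from its first bytes.
# JKS starts with 0xFEEDFEED, JCEKS with 0xCECECECE; PKCS12 is DER-encoded, so
# it starts with the SEQUENCE tag 0x30 (heuristic: other DER files do too).

# keystore_format FILE -> prints JKS, JCEKS, PKCS12 or UNKNOWN
keystore_format() {
    [ -r "$1" ] || { echo UNKNOWN; return 0; }
    # First four bytes as lowercase hex with whitespace stripped
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# check_keystore FILE EXPECTED -> returns 0 if the format matches, 1 otherwise
check_keystore() {
    actual=$(keystore_format "$1")
    if [ "$actual" = "$2" ]; then
        echo "$1: $actual"
        return 0
    fi
    echo "$1: on-disk format is $actual, expected $2" >&2
    return 1
}

# write_sample FILE KIND -> constructed 4-byte header only, not a real keystore
write_sample() {
    case "$2" in
        JKS)    printf '\376\355\376\355' > "$1" ;;
        PKCS12) printf '\060\202\012\001' > "$1" ;;
    esac
}

# demo: store1.jks mimics Keytool's JDK 9+ default, store2.jks uses -storetype JKS
demo() {
    dir=$(mktemp -d)
    write_sample "$dir/store1.jks" PKCS12
    write_sample "$dir/store2.jks" JKS
    check_keystore "$dir/store1.jks" JKS || true
    check_keystore "$dir/store2.jks" JKS
    rm -rf "$dir"
}

# Usage: sh script.sh FILE EXPECTED_TYPE   (with no arguments, runs the demo)
if [ $# -eq 2 ]; then check_keystore "$1" "$2"; else demo; fi
```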

Resolving The Problem

To override the PKCS12 default keystore used by Keytool, provide the -storetype JKS flag.
Keytool provides an option to specify the type of keystore to generate:
https://docs.oracle.com/en/java/javase/12/tools/keytool.html
For demonstration purposes, we run the same Keytool command as above, but this time with the -storetype flag:
(a)- keytool -genkey -alias server -keyalg RSA -keysize 2048 -storetype JKS -keystore store2.jks -dname "CN= store2,OU=1, O=ORG, L=Durham, ST=NC, C=US"
(b)- runmqckm -cert -list -db store2.jks -type JKS -pw password
Certificates in database /home/mqm/test2.jks:
   server
* This time, we do not get the "Invalid keystore format" exception.
Note:
Our recommendation is to use IBM Key Management to create keystores to prevent compatibility issues.

Document Location

Worldwide


Document Information

Modified date:
28 February 2020

UID

ibm15124675