Setting up a key repository

An SSL connection requires a key repository at each end of the connection. Each WebSphere(R) MQ queue manager and WebSphere MQ client must have access to a key repository. See The SSL key repository for more information.

On UNIX(R) and Windows(R) systems, digital certificates are stored in a key database file that is managed with iKeyman or iKeycmd. These digital certificates have labels. A specific label associates a personal certificate with a queue manager or WebSphere MQ client. SSL uses that certificate for authentication purposes. On UNIX and Windows systems, WebSphere MQ uses the ibmwebspheremq prefix on a label to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager or WebSphere MQ client user logon ID, changed to lower case. Ensure that you specify the entire certificate label in lower case.

The key database file name comprises a path and stem name:

Note that key repositories should not be created on a file system that does not support file-level locks, for example NFS version 2 on Linux(R).

Working with a key repository tells you about checking and specifying the key database file name. You can specify the key database file name either before or after creating the key database file.

The user ID from which you run iKeyman or iKeycmd must have write permission for the directory in which the key database file is created or updated. For a queue manager using the default SSL directory, the user ID from which you run iKeyman or iKeycmd must be a member of the mqm group. For a WebSphere MQ client, if you run iKeyman or iKeycmd from a user ID different from that under which the client runs, you must alter the file permissions to enable the WebSphere MQ client to access the key database file at run time. For more information, refer to Accessing your key database file.

Use the following procedure to create a new key database file for either a queue manager or a WebSphere MQ client:

  1. Start the iKeyman GUI (using the gsk7ikm command on UNIX, or the strmqikm command on Windows).
  2. From the Key Database File menu, click New. The New window is displayed.
  3. Click Key database type and select CMS (Certificate Management System).
  4. In the File Name field, type a file name. This field already contains the text key.kdb. If your stem name is key, leave this field unchanged. If you have specified a different stem name, replace key with your stem name, but do not change the .kdb extension.
  5. In the Location field, type the path, for example:
  6. Click Open. The Password Prompt window is displayed.
  7. Type a password in the Password field, and type it again in the Confirm Password field.
  8. Select the Stash the password to a file check box.
    Note:
    If you do not stash the password, attempts to start SSL channels fail because they cannot obtain the password required to access the key database file.
  9. Click OK. A window is displayed, confirming that the password is in file key.sth (unless you specified a different stem name).
  10. Click OK. The Signer Certificates window is displayed, containing a list of the CA certificates that are provided with iKeyman and pre-installed in the key database.
  11. Set the access permissions, as described in Accessing your key database file.

Use the following commands to create a new CMS key database file using iKeycmd:

where:

-db filename is the fully qualified file name of a CMS key database, and must have a file extension of .kdb.
-pw password is the password for the CMS key database.
-type cms is the type of database (for WebSphere MQ, this must be cms).
-expire days is the expiration time in days of the database password. The default is 60 days for a database password.
-stash tells iKeycmd to stash the key database password to a file.
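The following script is an added example, not part of WebSphere MQ or iKeycmd, that checks a key repository after it has been created by either the iKeyman procedure or the iKeycmd command above. It assumes the repository stem path (for example /var/mqm/qmgrs/QM1/ssl/key) and the group that must read the files (mqm by default) are passed as arguments, and it derives the personal certificate label that WebSphere MQ expects from the queue manager name or client logon ID.

```shell
#!/bin/sh
# Post-creation check for a WebSphere MQ CMS key repository (added example,
# not part of WebSphere MQ or iKeycmd).
# Usage: check_key_repository <queue-manager-or-logon-id> <key-repo-stem> [group]
# e.g.   check_key_repository QM1 /var/mqm/qmgrs/QM1/ssl/key mqm

# Label WebSphere MQ looks for: the ibmwebspheremq prefix followed by the
# queue manager name (or client logon ID) folded to lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Check that <stem>.kdb and the stashed-password file <stem>.sth exist, belong
# to the group that runs the queue manager or client (default mqm), and are not
# readable or writable by everyone. Returns 0 if all checks pass, 1 otherwise.
check_key_repository() {
    qm=$1; stem=$2; grp=${3:-mqm}; rc=0
    for f in "$stem.kdb" "$stem.sth"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; rc=1; continue
        fi
        [ -n "$(find "$f" -group "$grp" 2>/dev/null)" ] ||
            { echo "group is not $grp: $f" >&2; rc=1; }
        # The .sth file yields the key database password, so neither file
        # may be readable or writable by other users.
        [ -z "$(find "$f" -perm -004 2>/dev/null)" ] ||
            { echo "world-readable: $f" >&2; rc=1; }
        [ -z "$(find "$f" -perm -002 2>/dev/null)" ] ||
            { echo "world-writable: $f" >&2; rc=1; }
    done
    # Linux-only warning (stat -f): NFS, in particular version 2, may lack
    # the file-level locks the key repository needs.
    if fstype=$(stat -f -c %T "$(dirname "$stem")" 2>/dev/null); then
        case $fstype in nfs*) echo "warning: $stem is on $fstype" >&2 ;; esac
    fi
    echo "expected personal certificate label: $(mq_cert_label "$qm")"
    return $rc
}
```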

For more information about CA certificates, refer to Digital certificates.