An SSL connection requires a key repository at each end of the connection. Each WebSphere(R) MQ queue manager and WebSphere MQ client must have access to a key repository. See The SSL key repository for more information.
On UNIX(R) and Windows(R) systems, digital certificates are stored in a key database file that is managed with iKeyman or iKeycmd. These digital certificates have labels. A specific label associates a personal certificate with a queue manager or WebSphere MQ client. SSL uses that certificate for authentication purposes. On UNIX and Windows systems, WebSphere MQ uses the ibmwebspheremq prefix on a label to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager or WebSphere MQ client user logon ID, changed to lower case. Ensure that you specify the entire certificate label in lower case.
The key database file name comprises a path and stem name:
On Windows, the default path is install_directory\Qmgrs\<queue_manager_name>\ssl, where install_directory is the directory in which WebSphere MQ is installed. For example, C:\Program Files\IBM\WebSphere MQ\Qmgrs\<queue_manager_name>\ssl.
The default stem name is key. Optionally, you can choose your own path and stem name, but the extension must be .kdb.
Note that key repositories should not be created on a file system that does not support file level locks, for example NFS version 2 on Linux(R).
Working with a key repository tells you about checking and specifying the key database file name. You can specify the key database file name either before or after creating the key database file.
The user ID from which you run iKeyman or iKeycmd must have write permission for the directory in which the key database file is created or updated. For a queue manager using the default SSL directory, the user ID from which you run iKeyman or iKeycmd must be a member of the mqm group. For a WebSphere MQ client, if you run iKeyman or iKeycmd from a user ID different from that under which the client runs, you must alter the file permissions to enable the WebSphere MQ client to access the key database file at run time. For more information, refer to Accessing your key database file.
Use the following procedure to create a new key database file for either a queue manager or a WebSphere MQ client:
Use the following commands to create a new CMS key database file using iKeycmd:
gsk7cmd -keydb -create -db filename -pw password -type cms -expire days -stash
runmqckm -keydb -create -db filename -pw password -type cms -expire days -stash
where:
-db filename | is the fully qualified file name of a CMS key database, and must have a file extension of .kdb. |
-pw password | is the password for the CMS key database. |
-type cms | is the type of database (for WebSphere MQ, this must be cms). |
-expire days | is the expiration time in days of the database password. The default is 60 days for a database password. |
-stash | tells iKeycmd to stash the key database password to a file. |
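The naming and permission rules above can be checked on UNIX before the create command is run. The following is an added example, not IBM's code: the function names, the sample queue manager QM1, and the assumption that -stash writes a stem.sth file beside the database are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks before creating a CMS key database on UNIX.
# Function names and the sample values below are constructed for illustration.

# Label = ibmwebspheremq prefix + queue manager name (or client logon ID),
# folded to lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# The -db argument must be fully qualified and carry the .kdb extension.
check_keydb_name() {
    case "$1" in
        /*.kdb) return 0 ;;
        *)      return 1 ;;
    esac
}

# The user running iKeycmd needs write permission on the target directory.
check_keydb_dir() {
    dir=$(dirname -- "$1")
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Assumption: -stash writes the stash file beside the database as <stem>.sth.
# Succeeds if that file exists and is readable by users outside owner and group.
stash_world_readable() {
    sth="${1%.kdb}.sth"
    [ -f "$sth" ] && [ "$(ls -ld "$sth" | cut -c8)" = "r" ]
}

# Run every check, report each problem, return non-zero if any check failed.
keydb_preflight() {
    qmgr=$1; db=$2; rc=0
    check_keydb_name "$db" || { echo "FAIL: $db is not a fully qualified .kdb name"; rc=1; }
    check_keydb_dir "$db" || { echo "FAIL: cannot write to $(dirname -- "$db")"; rc=1; }
    stash_world_readable "$db" && echo "WARN: ${db%.kdb}.sth is world-readable"
    [ "$rc" -eq 0 ] && echo "OK: $db, certificate label $(mq_cert_label "$qmgr")"
    return "$rc"
}

# Demonstration with constructed values: queue manager QM1, a scratch directory.
demo_dir=$(mktemp -d)
keydb_preflight QM1 "$demo_dir/key.kdb"
rm -rf "$demo_dir"
```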
For more information about CA certificates, refer to Digital certificates.