Setting up a key repository

An SSL connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. Use the SSLKEYR parameter on the ALTER QMGR command to associate a key repository with a queue manager. See The SSL key repository for more information.

On z/OS, digital certificates are stored in a key ring that is managed by your External Security Manager (ESM). These digital certificates have labels, which associate the certificate with a queue manager. SSL uses these certificates for authentication purposes. All the examples that follow use RACF® commands. Equivalent commands exist for other ESM programs.

On z/OS®, WebSphere MQ uses the ibmWebSphereMQ prefix on a label to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager.

The key repository name for a queue manager is the name of a key ring in your RACF database. You can specify the key ring name either before or after creating the key ring.

Use the following procedure to create a new key ring for a queue manager:

  1. Ensure that you have the appropriate authority to issue the RACDCERT command (see the SecureWay® Security Server RACF Command Language Reference for more details).
  2. Issue the following command:
    RACDCERT ID(userid1) ADDRING(ring-name)

    where: