Managing certificates on PKCS #11 hardware
This section describes how to manage digital certificates on cryptographic
hardware that supports the PKCS #11 interface. Note that you still need a CMS
key database file (and its stash file), even when you store all your certificates on
your cryptographic hardware.
Perform the following steps to work with your cryptographic hardware:
- On UNIX(R), log in as the root user. On Windows(R),
log in as Administrator or as a member of the MQM group.
- Execute the gsk7ikm command to start the iKeyman GUI.
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select Cryptographic token.
- In the File Name field, type the name of the PKCS #11 library (module)
that manages your cryptographic hardware, for example PKCS11_API.so
- In the Location field, type the path to that library, for
example /usr/lib/pkcs11 (on UNIX). On Windows,
you can type the library name, for example cryptoki.
- Click OK. The Open Cryptographic Token window displays.
- In the Cryptographic Token Password field, type
the password that you set when you configured the cryptographic hardware.
- If your cryptographic hardware has the capacity to hold
the signer certificates required to receive or import a personal certificate,
clear both secondary key database check boxes and continue from the last step of
this procedure (click OK to display the Key database content frame).
If you require a secondary CMS key database
to hold the signer certificates, select either the Open existing
secondary key database file check box or the Create
new secondary key database file check box.
- In the File Name field, type a file name. This field
already contains the text key.kdb. If your stem name is key, leave this field unchanged. If you have specified a different stem
name, replace key with your stem name, but do not change the .kdb extension.
- In the Location field, type the path, for example:
- For a queue manager: /var/mqm/qmgrs/QM1/ssl
- For a WebSphere MQ client: /var/mqm/ssl
- Click OK. The Password Prompt window displays.
- If you selected the Open existing secondary key database
file check box, type the password of that key database
in the Password field, and continue from the last step of this procedure
(click OK to display the Key database content frame).
- If you selected the Create new secondary key database
file check box, type a password for the new key database
in the Password field, and type it again
in the Confirm Password field.
- Select the Stash the password to a file check box.
Note that if you do not stash the password, attempts to start SSL channels
fail because they cannot obtain the password required to access the key database
file. The stash file only obfuscates the password; anyone who can read it can open
the key database, so restrict its file permissions to the queue manager or client user.
- Click OK. A window displays, confirming that the
password is in file key.sth (unless you specified a different stem
name).
- Click OK. The Key database content
frame displays.
Requesting a personal certificate for your PKCS #11 hardware
Use the following procedure for either a queue manager or a WebSphere MQ client to request
a personal certificate for your cryptographic hardware:
- Perform the steps to work with your cryptographic hardware.
- From the Create menu, click New
Certificate Request. The Create New Key and Certificate Request window
displays.
- In the Key Label field, type:
- For a queue manager, ibmwebspheremq followed by the name of
your queue manager folded to lower case. For example, for QM1, ibmwebspheremqqm1, or
- For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID
folded to lower case, for example ibmwebspheremqmyuserid.
- Type a Common Name and Organization, and select a Country. For the remaining optional
fields, either accept the default values, or type or select new values. Note
that you can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.
- In the Enter the name of a file in
which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.
- Click OK. A confirmation window displays.
- Click OK. The Personal Certificate
Requests list shows the label of the new personal certificate
request you created. The certificate request is stored in the file you named
in the Enter the name of a file in which to store the certificate request field.
- Request the new personal certificate either by sending the file to a Certification
Authority (CA), or by copying the file into the request form on the Web site
for the CA.
Importing a personal certificate to your PKCS #11 hardware
Use the following procedure for either a queue manager or a WebSphere MQ client to import
a personal certificate to your cryptographic hardware:
- Perform the steps to work with your cryptographic hardware.
- Click Receive. The Receive Certificate from a File
window displays.
- Select the Data type of the new personal certificate,
for example Base64-encoded ASCII data for a file
with the .arm extension.
- Type the certificate file name and location for the new personal certificate,
or click Browse to select the name and location.
- Click OK. If you already have a personal certificate
in your key database, a window appears, asking if you want to set the key
you are adding as the default key in the database.
- Click Yes or No. The Enter
a Label window displays.
- Type a label, for example the label you used when you requested the personal
certificate. Note that the label must be in the correct WebSphere MQ format:
- For a queue manager, ibmwebspheremq followed by the name of
your queue manager folded to lower case. For example, for QM1, ibmwebspheremqqm1, or,
- For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID
folded to lower case, for example ibmwebspheremqmyuserid.
- Click OK. The Personal Certificates list shows the label of the new personal certificate
you added. This label is formed by adding the cryptographic token
label before the label you supplied.
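The procedures above depend on two things that are easy to get wrong by hand: the certificate label must be exactly ibmwebspheremq followed by the queue manager name or logon user ID folded to lower case, and the secondary key database's stash file must exist (or SSL channels cannot start) yet must not be readable by other users, since it only obfuscates the password. The following POSIX shell script is an added example, not part of the WebSphere MQ documentation or the iKeyman tool: it derives the expected label and checks the .kdb and .sth files for a given location and stem name. The function names mq_expected_label and mq_keydb_check, and the sample file layout used to exercise them, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the WebSphere MQ documentation): pre-flight checks
# for the CMS secondary key database used alongside a PKCS #11 token.

# mq_expected_label KIND NAME
#   Prints the certificate label WebSphere MQ looks for: the fixed prefix
#   ibmwebspheremq followed by the queue manager name (KIND=qmgr) or the
#   logon user ID (KIND=client), folded to lower case.
mq_expected_label() {
    kind=$1; name=$2
    case "$kind" in
        qmgr|client) ;;
        *) echo "mq_expected_label: kind must be qmgr or client" >&2; return 2 ;;
    esac
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
}

# mq_keydb_check LOCATION [STEM]
#   Verifies that the secondary key database (STEM.kdb, default stem "key")
#   and its stash file (STEM.sth) exist in LOCATION, and that the stash file
#   is not readable by group or other. The stash file only obfuscates the
#   key database password, so anyone who can read it can open the database.
#   Returns 0 if every check passes, 1 otherwise, reporting each failure.
mq_keydb_check() {
    location=$1; stem=${2:-key}
    kdb="$location/$stem.kdb"; sth="$location/$stem.sth"
    rc=0
    if [ ! -f "$kdb" ]; then
        echo "missing key database: $kdb" >&2; rc=1
    fi
    if [ ! -f "$sth" ]; then
        echo "missing stash file: $sth (SSL channels cannot start without it)" >&2; rc=1
    else
        # In the ls -l mode string, characters 5-10 are the group and other bits.
        mode=$(ls -ld "$sth" | cut -c5-10)
        case "$mode" in
            ------) ;;
            *) echo "stash file $sth is accessible to group/other (mode $(ls -ld "$sth" | cut -c1-10))" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage (assumed example paths from the procedure above):
#   mq_expected_label qmgr QM1          -> ibmwebspheremqqm1
#   mq_keydb_check /var/mqm/qmgrs/QM1/ssl
```

Run the check as the user that starts the queue manager or client; if it reports the stash file as group/other readable, tighten the permissions before relying on it, and if it reports the stash file missing, repeat the "Stash the password to a file" step.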