Accessing your key database file

Accessing your key database file on Windows

On Windows(R), the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary to change the access permissions. When you migrate your digital certificates from the certificate store on WebSphere(R) MQ for Windows V5.3 or V5.3.1 to a GSKit key repository, the .kdb file is created as part of the certificate transfer (using AMQTCERT), and the required access permissions must already be set for this to succeed.

Accessing your key database file on UNIX

On UNIX(R), the key database file must be created using iKeyman or iKeycmd. When you create your key database file using iKeyman or iKeycmd, the access permissions for the key database file are set to give access only to the user ID from which you used iKeyman or iKeycmd.

The key database file is accessed by an MCA, so ensure that the user ID under which the MCA runs has permission to read both the key database file and the password stash file. MCAs usually run under the mqm user ID, which is in the mqm group. After you have created your queue manager key database file, work with the same user ID to add read permission for the mqm group, using the UNIX chmod command. For example:

chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb

chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth

When you set up the key database file for a WebSphere MQ client, consider working with the user ID under which you run the WebSphere MQ client. This allows you to restrict access to that single user ID. If you need to grant access to a user ID in the same group, use the UNIX chmod command. For example:

chmod g+r /var/mqm/ssl/key.kdb

chmod g+r /var/mqm/ssl/key.sth

Avoid giving permission to user IDs that are in different groups. For more information, refer to Protecting WebSphere MQ client key repositories.
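The permission rules above (owner and group may read, nobody else gets any access) can be verified before an MCA or client picks up the repository. The following POSIX shell check is an added example, not code from the WebSphere MQ documentation; it assumes the repository directory holds the files key.kdb and key.sth, as in the chmod commands above.

```shell
# Added example (not from the WebSphere MQ documentation): audit the access
# mode of a key database file and its password stash file. A file passes
# only when the owner and the group can read it and the "other" bits are
# all clear, which is the state the chmod g+r steps above are meant to reach.

# Return 0 if the file is readable by owner and group and has no "other" bits,
# 1 if the mode is wrong, 2 if the file does not exist.
check_key_file_mode() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # ls -ld prints a mode string such as -rw-r----- in its first 10 columns;
    # this works on any UNIX, unlike the non-portable stat format options.
    mode=$(ls -ld "$f" | cut -c1-10)
    owner_r=$(printf '%s' "$mode" | cut -c2)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$owner_r" != "r" ]; then echo "owner cannot read: $f ($mode)"; return 1; fi
    if [ "$group_r" != "r" ]; then echo "group cannot read: $f ($mode)"; return 1; fi
    if [ "$other" != "---" ]; then echo "world access present: $f ($mode)"; return 1; fi
    return 0
}

# Check both files of one key repository directory (assumed layout:
# key.kdb and key.sth side by side, as in /var/mqm/qmgrs/QM1/ssl).
check_key_repository() {
    dir="$1"
    rc=0
    for name in key.kdb key.sth; do
        check_key_file_mode "$dir/$name" || rc=1
    done
    return $rc
}
```

The check reads only the classic mode bits; if the file system applies POSIX ACLs (ls marks these with a trailing `+`), review those separately, since an ACL can grant access that the mode string does not show.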