Work with SSL/TLS on IBM i
This collection of topics gives instructions for individual tasks working with Transport Layer Security (TLS) in IBM MQ for IBM i.
On IBM i, TLS support is integral to the operating system. Ensure that you have installed the prerequisites listed in Hardware and software requirements on IBM i.
On IBM i, you manage keys and digital certificates with the Digital Certificate Manager (DCM) tool.
- Accessing DCM
  Follow these instructions to access the DCM interface.
- Assigning a certificate to a queue manager on IBM i
  Use DCM to assign a certificate to a queue manager.
- Set up a key repository on IBM i
  A key repository must be set up at both ends of the connection. The default certificate stores can be used or you can create your own.
- Locating the key repository for a queue manager on IBM i
  Use this procedure to obtain the location of your queue manager's certificate store.
- Change the key repository location for a queue manager on IBM i
  Change the location of your queue manager's certificate store using either CHGMQM or ALTER QMGR.
- Create a certificate authority and certificate for testing on IBM i
  Use this procedure to create a local CA certificate to sign certificate requests, and to create and install the CA certificate.
- Requesting a server certificate on IBM i
  Digital certificates protect against impersonation, certifying that a public key belongs to a specified entity. A new server certificate can be requested from a certificate authority using the Digital Certificate Manager (DCM).
- Requesting a server certificate for IBM Key Manager on IBM i
  Follow this procedure to create a certificate signed by your local certificate authority (CA), or to apply for a server certificate signed by a commercial CA for import into the IBM Key Management (iKeyman) utility.
- Adding server certificates to a key repository on IBM i
  Follow this procedure to add a requested certificate to the key repository.
- Exporting a certificate from a key repository on IBM i
  Exporting a certificate exports both the public and private key. This action should be taken with extreme caution, since passing on a private key would completely compromise your security.
- Importing a certificate into a key repository on IBM i
  Follow this procedure to import a certificate.
- Removing certificates in IBM i
  Use this procedure to remove personal certificates.
- Use the *SYSTEM certificate store for one-way authentication on IBM i
  Follow these instructions to set up one-way authentication.
- IBM MQ SSL Client utility (amqrsslc) for IBM i
  The IBM MQ SSL Client utility (amqrsslc) for IBM i is used by the IBM MQ MQI client on IBM i systems to register or unregister the client user profile, or stash the certificate store password. The utility can only be run by a user with a profile with *ALLOBJ special authority or a member of QMQMADM that has options to create or delete application registrations in the Digital Certificate Manager (DCM).
- When changes to certificates or the certificate store become effective on IBM i
  When you change the certificates in a certificate store, or the location of the certificate store, the changes take effect depending on the type of channel and how the channel is running.
- Configure cryptographic hardware on IBM i
  Use this procedure to configure the Cryptographic Coprocessor on IBM i.