Assigning a certificate to a queue manager on IBM i
Use Digital Certificate Manager (DCM) to assign a certificate to a queue manager.
Use traditional IBM i digital certificate management to assign a certificate to a queue manager. With this approach, the queue manager uses the system certificate store and is registered for use as an application with Digital Certificate Manager. To do this, change the value of the queue manager SSLKEYR attribute to *SYSTEM.
When the SSLKEYR parameter is changed to *SYSTEM, IBM MQ registers the queue manager as a server application with a unique application label of QIBM_WEBSPHERE_MQ_QMGRNAME and a label with a description of Qmgrname (WMQ). Note that channel CERTLABL attributes are not used if we use the *SYSTEM certificate store. The queue manager then appears as a server application in Digital Certificate Manager, and we can assign to this application any server or client certificate in the system store.
Because the queue manager is registered as an application, we can use advanced features of DCM, such as defining CA trust lists.
If the SSLKEYR parameter is changed to a value other than *SYSTEM, IBM MQ deregisters the queue manager as an application with Digital Certificate Manager. If a queue manager is deleted, it is also deregistered from DCM. A user with sufficient *SECADM authority can also manually add or remove applications from DCM.