Set up a key repository on IBM i
A key repository must be set up at both ends of the connection. The default certificate stores can be used or we can create your own.
A TLS connection requires a key repository at each end of the connection. Each queue manager and IBM MQ MQI client must have access to a key repository. To access the key repository using a file name and password (that is, not using the *SYSTEM option) ensure that the QMQM user profile has the following authorities:
- Execute authority for the directory containing the key repository
- Read authority for the file containing the key repository
See The SSL/TLS key repository for more information. Note that channel CERTLABL attributes are not used if we use the *SYSTEM certificate store.
On IBM i, digital certificates are stored in a certificate store that is managed with DCM. These digital certificates have labels, which associate a certificate with a queue manager or an IBM MQ MQI client. TLS uses the certificates for authentication purposes.
The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.
The queue manager or IBM MQ MQI client certificate store name comprises a path and stem name. The default path is /QIBM/UserData/ICSS/Cert/Server/ and the default stem name is Default. On IBM i, the default certificate store, /QIBM/UserData/ICSS/Cert/Server/Default.kdb, is also known as *SYSTEM. Optionally, we can define your own path and stem name.
If you define your own path or file name, set the permissions to the file to tightly control access to it.
Change the key repository location for a queue manager on IBM i tells you about specifying the certificate store name. We can specify the certificate store name either before or after creating the certificate store.
Note: The operations we can perform with DCM might be limited by the authority of our user profile. For example, you require *ALLOBJ and *SECADM authorities to create a CA certificate.
- Create a certificate store on IBM i
If we do not want to use the default certificate store, follow this procedure to create your own.- Stashing the certificate store password on IBM i systems
Stash the certificate store password by using CL commands.Parent topic: Work with SSL/TLS on IBM i