IBM MQ SSL Client utility (amqrsslc) for IBM i

The IBM MQ SSL Client utility (amqrsslc) for IBM i is used by the IBM MQ MQI client on IBM i systems to register or unregister the client user profile, or stash the certificate store password. The utility can only be run by a user with a profile with *ALLOBJ special authority or a member of QMQMADM that has options to create or delete application registrations in the Digital Certificate Manager (DCM).


Syntax diagram

amqrsslc  -s PathOfKeyDatabase
          -r [UserProfile]    (default: current user)
          -u [UserProfile]    (default: current user)


Register the client user profile

If the IBM MQ MQI client is using the *SYSTEM certificate store, we must register the client user profile (logon user) for use as an application with Digital Certificate Manager (DCM).

To register the client user profile, run the amqrsslc program with the -r option and UserProfile. The user profile used when calling amqrsslc must have *USE authority. Providing UserProfile with the -r option registers UserProfile as a server application with a unique application label of QIBM_WEBSPHERE_MQ_UserProfile and a label with a description of UserProfile (WMQ). This server application is then displayed in the DCM, and we can assign to this application any server or client certificate in the system store.

Note: If a user profile is not specified with the -r option, then the user profile of the user running the amqrsslc tool is registered.

The following code uses amqrsslc to register a user profile. In the first example, the specified user profile is registered; in the second, it is the profile of the logged-in user:
CALL PGM(QMQM/AMQRSSLC) PARM('-r' UserProfile)
CALL PGM(QMQM/AMQRSSLC) PARM('-r')


Unregister the client user profile

To unregister the client profile, run the amqrsslc program with the -u option with UserProfile. The user profile used when calling amqrsslc must have *USE authority. Providing the UserProfile with the -u option unregisters UserProfile with label QIBM_WEBSPHERE_MQ_UserProfile from the DCM.

Note: If a user profile is not specified with the -u option, then the user profile of the user running the amqrsslc tool is unregistered.

The following code uses amqrsslc to unregister a user profile. In the first example, the specified user profile is unregistered; in the second, it is the profile of the logged-in user:
CALL PGM(QMQM/AMQRSSLC) PARM('-u' UserProfile)
CALL PGM(QMQM/AMQRSSLC) PARM('-u')


Stash the certificate store password

If the IBM MQ MQI client is not using the *SYSTEM certificate store but another certificate store (that is, MQSSLKEYR is set to a value other than *SYSTEM), then the password of the key database must be stashed. Use the -s option to stash the password of the key database.

In the following code, the fully qualified file name of the certificate store is /Path/Of/KeyDatabase/MyKey.kdb:
CALL PGM(QMQM/AMQRSSLC) PARM('-s' '/Path/Of/KeyDatabase/MyKey')
Running this code results in a request for the password of this key database. This password is stashed in a file with the same name as the key database, with a .sth extension. This file is stored on the same path as the key database. The code example generates a stash file of /Path/Of/KeyDatabase/MyKey.sth. QMQM is the user owner and QMQMADM the group owner for this file. QMQM and QMQMADM have read and write permission, and other profiles have only read permission.
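
After stashing, the result can be checked against the ownership and permissions described above. The following is an added example, not IBM code: the function names stash_path_for and check_stash are hypothetical, and it assumes a POSIX shell whose ls -ld output lists mode, links, owner and group in that order.

```shell
# Added example (not IBM code). Function names are hypothetical.
# Assumption: a POSIX shell whose "ls -ld" prints mode, links, owner, group.

# Derive the stash file name from the value passed to -s.
# Accepts the key database path with or without the .kdb extension.
stash_path_for() {
    printf '%s.sth\n' "${1%.kdb}"
}

# Compare the stash file with what the page describes: owner QMQM,
# group QMQMADM, read/write for both, read-only for other profiles.
# $2 and $3 override the expected owner and group.
# Returns 0 if it matches, 1 on any deviation, 2 if the file is missing.
check_stash() {
    sth=$(stash_path_for "$1")
    want_owner=${2:-QMQM}
    want_group=${3:-QMQMADM}
    rc=0

    if [ ! -f "$sth" ]; then
        echo "MISSING: $sth (no stashed password for this key database)"
        return 2
    fi

    read -r mode links owner group rest <<EOF
$(ls -ld "$sth")
EOF
    # Keep the 10 permission characters; drop any trailing ACL marker.
    mode=$(printf '%s' "$mode" | cut -c1-10)

    if [ "$mode" != "-rw-rw-r--" ]; then
        echo "MODE: $sth is $mode, expected -rw-rw-r--"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $sth is owned by $owner, expected $want_owner"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $sth has group $group, expected $want_group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $sth"
    fi
    return "$rc"
}

# Usage: check_stash /Path/Of/KeyDatabase/MyKey
```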