Work with SSL/TLS on UNIX, Linux, and Windows
On UNIX, Linux, and Windows systems, Transport Layer Security (TLS) support is installed with IBM MQ.
For more detailed information about certificate validation policies, see Certificate validation and trust policy design.
- Use runmqckm, runmqakm, and strmqikm to manage digital certificates
On UNIX, Linux, and Windows systems, manage keys and digital certificates with the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).
- Set up a key repository on UNIX, Linux, and Windows
We can set up a key repository by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands.
- Locating the key repository for a queue manager on UNIX, Linux, and Windows
Use this procedure to obtain the location of our queue manager's key database file.
- Change the key repository location for a queue manager on UNIX, Linux, and Windows
We can change the location of our queue manager's key database file by various means, including the MQSC command ALTER QMGR.
- Locating the key repository for an IBM MQ MQI client on UNIX, Linux, and Windows
The location of the key repository is given by the MQSSLKEYR variable, or specified in the MQCONNX call.
- Specify the key repository location for an IBM MQ MQI client on UNIX, Linux, and Windows
There is no default key repository for an IBM MQ MQI client. We can specify its location in either of two ways. Ensure that the key database file can be accessed only by intended users or administrators to prevent unauthorized copying to other systems.
- When changes to certificates or the certificate store become effective on UNIX, Linux, and Windows
When we change the certificates in a certificate store, or the location of the certificate store, the changes take effect depending on the type of channel and how the channel is running.
- Create a self-signed personal certificate on UNIX, Linux, and Windows
We can create a self-signed certificate by using the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).
- Requesting a personal certificate on UNIX, Linux, and Windows
We can request a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. To manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
- Renewing an existing personal certificate on UNIX, Linux, and Windows
We can renew a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands.
- Receive personal certificates into a key repository on UNIX, Linux, and Windows
Use this procedure to receive a personal certificate into the key database file. The key repository must be the same repository where you created the certificate request.
- Extracting a CA certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to extract a CA certificate.
- Extracting the public part of a self-signed certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to extract the public part of a self-signed certificate.
- Adding a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows
Follow this procedure to add a CA certificate or the public part of a self-signed certificate to the key repository.
- Exporting a personal certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to export a personal certificate.
- Importing a personal certificate into a key repository on UNIX, Linux, and Windows
Follow this procedure to import a personal certificate.
- Importing a personal certificate from a Microsoft .pfx file
Follow this procedure to import from a Microsoft .pfx file on UNIX, Linux, and Windows.
- Importing a personal certificate from a PKCS #7 file
The strmqikm (iKeyman) and runmqckm (iKeycmd) tools do not support PKCS #7 (.p7b) files. Use the runmqakm tool to import certificates from a PKCS #7 file on UNIX, Linux, and Windows.
- Delete a certificate from a key repository on UNIX, Linux, and Windows
Use this procedure to remove personal or CA certificates.
- Generating strong passwords for key repository protection on UNIX, Linux, and Windows
We can generate strong passwords for key repository protection using the runmqakm (GSKCapiCmd) command.
- Configure for cryptographic hardware on UNIX, Linux, and Windows
We can configure cryptographic hardware for a queue manager or client in a number of ways.