
Use runmqckm, runmqakm, and strmqikm to manage digital certificates

On UNIX, Linux, and Windows systems, manage keys and digital certificates with the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).

Attention: Both the runmqckm and strmqikm commands rely on the IBM MQ Java Runtime Environment (JRE). From IBM MQ Version 9.1, if the JRE is not installed, you receive message AMQ9183.

  • For UNIX and Linux systems:

    • Use the strmqikm (iKeyman) command to start the iKeyman GUI.
    • Use the runmqckm command to perform tasks with the command line interface.
    • Use the runmqakm (GSKCapiCmd) command to perform tasks with the runmqakm command line interface. The command syntax for runmqakm is the same as the syntax for runmqckm.

      To manage TLS certificates in a way that is FIPS compliant, use the runmqakm command instead of the runmqckm or strmqikm commands.

    See Manage keys and certificates for a full description of the command line interfaces for the runmqckm and runmqakm commands.

    If you are using certificates or keys stored on PKCS #11 cryptographic hardware, note that runmqckm and iKeyman are 64-bit programs. External modules required for PKCS #11 support are loaded into a 64-bit process, so you must have a 64-bit PKCS #11 library installed for the administration of cryptographic hardware. The Windows and Linux x86 32-bit platforms are the only exceptions, as the iKeyman and runmqckm programs are 32-bit on those platforms.

    See GSKit: PKCS#11 and IBM MQ JRE addressing mode for further information.

    Before you run the strmqikm command to start the iKeyman GUI, ensure that you are working on a machine that is able to run the X Window System and that you do the following:

    • Set the DISPLAY environment variable, for example:
      export DISPLAY=mypc:0
      
    • Ensure that your PATH environment variable contains /usr/bin and /bin. This is also required for the runmqckm and runmqakm commands. For example:
      export PATH=$PATH:/usr/bin:/bin
      

  • For Windows systems:

    • Use the strmqikm command to start the iKeyman GUI.
    • Use the runmqckm command to perform tasks with the command line interface.

      To manage TLS certificates in a way that is FIPS compliant, use the runmqakm command instead of the runmqckm or strmqikm commands.

    • Use the runmqakm -keydb command with the stashpw or stash option. When using the runmqakm -keydb command in this way, for example:
      runmqakm -keydb -create -db key.kdb -pw secretpwd -stash
      the resultant .sth file does not have read permission enabled for the mqm group.

      Only the creator can read the file. After creating a stash file using the runmqakm command, check the file permissions, and grant permission to the service account running the queue manager, or to a group such as local mqm.
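
One way to carry out the permission check described above on Windows, as an added PowerShell example that is not part of the IBM documentation. The stash file name key.sth (derived from key.kdb in the command above), the local group name mqm, and the list of broad principals to flag are assumptions; substitute the queue manager's service account where appropriate.

```powershell
# Added example: audit and repair the ACL on a stash file created by runmqakm.
# Assumptions: the file is .\key.sth and the reader is a local group named "mqm".
param(
    [string]$StashFile = '.\key.sth',
    [string]$Principal = "$env:COMPUTERNAME\mqm"
)

$ErrorActionPreference = 'Stop'
$read = [System.Security.AccessControl.FileSystemRights]::Read

if (-not (Test-Path -LiteralPath $StashFile -PathType Leaf)) {
    throw "Stash file not found: $StashFile"
}

# Show the owner and every access rule so the current state is on record.
$acl = Get-Acl -LiteralPath $StashFile
Write-Host "Owner: $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Flag broad principals that should not be able to read the stashed password.
# (Assumed list; these names are the English-locale forms.)
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $read)
    } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can read $StashFile" }

# Does the target principal already hold an Allow rule that includes Read?
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $Principal -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($hasRead) {
    Write-Host "$Principal already has read access."
} else {
    # Grant Read only; the queue manager does not need to modify the stash file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $StashFile -AclObject $acl
    Write-Host "Granted Read to $Principal."
}
```

Run it as the account that created the stash file, since only the creator can read or change the file at that point.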

To request TLS tracing on UNIX, Linux or Windows systems, see strmqtrc.


Last updated: 2020-10-04