Set up a key repository on z/OS
Set up a key repository at both ends of the connection. Associate each key repository with its queue manager.
A TLS connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. Use the SSLKEYR parameter on the ALTER QMGR command to associate a key repository with a queue manager. See The SSL/TLS key repository for more information.
On z/OS, digital certificates are stored in a key ring that is managed by your External Security Manager (ESM). These digital certificates have labels, which associate a certificate with a queue manager. TLS uses these certificates for authentication purposes. All the examples that follow use RACF commands. Equivalent commands exist for other ESM programs.
On z/OS, IBM MQ uses either the value of the CERTLABL attribute, if it is set, or the default ibmWebSphereMQ with the name of the queue manager appended. See Digital certificate labels for details.
The key repository name for a queue manager is the name of a key ring in your RACF database. You can specify the key ring name on the queue manager either before or after creating the key ring.
Use the following procedure to create a new key ring for a queue manager:
- Ensure that you have the appropriate authority to issue the RACDCERT command (see the SecureWay Security Server RACF Command Language Reference for more details).
- Issue the following command:
RACDCERT ID(userid1) ADDRING(ring-name)
where:
- userid1 is the user ID of the channel initiator address space, or the user ID that is going to own the key ring (if the key ring is shared).
- ring-name is the name you want to give to your key ring. The length of this name can be up to 237 characters. This name is case-sensitive; specify ring-name in uppercase characters to avoid problems.
Making CA certificates available to a queue manager on z/OS: after you have created your key ring, connect any relevant CA certificates to it.
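The procedure above, end to end, as an added example that is not part of the original page or of IBM's own samples. It assumes a queue manager called QM1 whose channel initiator runs under the user ID QM1CHIN, a key ring named QM1RING (uppercase, as the text advises), an IBM MQ high-level qualifier of thlqual, and an existing FACILITY-class profile for IRR.DIGTCERT.LISTRING; all of these are assumptions. The first step creates the ring and checks it with LISTRING, grants the channel initiator the READ access it needs to read its own ring, and refreshes the class; the second step associates the ring with the queue manager through SSLKEYR and displays the result so that the ring name and the certificate label can be checked against what RACF holds.

```jcl
//KEYRING  JOB (ACCT),'MQ KEY RING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: create the channel initiator's key ring in RACF.
//* QM1CHIN and QM1RING are assumed names for this example.
//* The ring name is case-sensitive, so it is kept in uppercase.
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(QM1CHIN) ADDRING(QM1RING)
  RACDCERT ID(QM1CHIN) LISTRING(QM1RING)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(QM1CHIN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*
//* Step 2: point queue manager QM1 at the ring and display the
//* resulting key repository and certificate label settings.
//* thlqual is an assumed high-level qualifier for the MQ libraries.
//*
//MQSC     EXEC PGM=CSQUTIL,PARM='QM1',COND=(0,NE)
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
ALTER QMGR SSLKEYR(QM1RING)
DISPLAY QMGR SSLKEYR CERTLABL
/*
```

If the ring is owned by a different user ID than the channel initiator (a shared ring), the ID on the RACDCERT commands is that owner, and the channel initiator user ID still needs the FACILITY-class read access granted in the first step. Because the page says the ring name may be set on the queue manager before or after the ring exists, the COND on the second step is only a convenience; the association itself is not rejected when the ring is missing, so the LISTRING output is the check worth reading before starting the channel initiator.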