Manage digital certificates

This section tells you about managing the digital certificates in the key database file.

When you make changes to the certificates in a key database file, refer to When changes become effective.

Perform the following steps to work with the key database file:

  1. Execute the gsk6ikm command to start the iKeyman GUI.

  2. From the Key Database File menu, click Open. The Open window displays.

  3. Click Key database type and select CMS (Certificate Management System).

  4. Click Browse to navigate to the directory that contains the key database files.

  5. Select the key database file to which you want to add the certificate, for example key.kdb.

  6. Click Open. The Password Prompt window displays.

  7. Type the password you set when you created the key database and click OK. The name of the key database file displays in the File Name field.


Transferring certificates

This section tells you how to perform the following tasks:

  • Extracting a CA certificate from a key repository

  • Adding a CA certificate into a key repository

  • Exporting a personal certificate from a key repository

  • Importing a personal certificate into a key repository


Extracting a CA certificate from a key repository

Perform the following steps on the machine from which you want to extract the CA certificate:

  1. In the Key database content field, select Signer Certificates and select the certificate you want to extract.

  2. Click Extract. The Extract a Certificate to a File window displays.

  3. Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.

  4. Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.

  5. Click OK. The certificate is written to the file you specified.

Use the following command to extract a CA certificate using IKEYCMD:

gsk6cmd -cert -extract -db filename -pw password -label label -target filename
        -format ascii

where:

-db filename is the fully qualified path name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-target filename is the name of the destination file.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.


Adding a CA certificate into a key repository

Perform the following steps on the machine to which you want to add the CA certificate:

  1. In the Key database content field, select Signer Certificates and select the certificate you want to add.

  2. Click Add. The Add CA's Certificate from a File window displays.

  3. Select the Data type of the certificate you transferred, for example Base64-encoded ASCII data for a file with the .arm extension.

  4. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.

  5. Click OK. The Enter a Label window displays.

  6. In the Enter a Label window, type the name of the certificate.

  7. Click OK. The certificate is added to the key database.

Use the following command to add a CA certificate using IKEYCMD:

gsk6cmd -cert -add -db filename -pw password -label label -file filename
        -format ascii

where:

-db filename is the fully qualified path name of the CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-file filename is the name of the file containing the certificate.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.


Exporting a personal certificate from a key repository

Perform the following steps on the machine from which you want to export the personal certificate:

  1. In the Key database content field, select Personal Certificates and select the certificate you want to export.

  2. Click Export/Import. The Export/Import key window displays.

  3. Select Export Key.

  4. Select the Key file type of the certificate you want to export, for example PKCS12.

  5. Type the file name and location to which you want to export the certificate, or click Browse to select the name and location.

  6. Click OK. The Password Prompt window displays.

  7. Type a password in the Password field, and type it again in the Confirm Password field.

  8. Click OK. The certificate is exported to the file you specified.

Use the following command to export a personal certificate using IKEYCMD:

gsk6cmd -cert -export -db filename -pw password -label label -type cms
        -target filename -target_pw password -target_type pkcs12

where:

-db filename is the fully qualified path name of the CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-type cms is the type of the database.
-target filename is the name of the destination file.
-target_pw password is the password for encrypting the certificate.
-target_type pkcs12 is the type of the certificate.


Importing a personal certificate into a key repository

Notes:

  1. Before you import a personal certificate in PKCS #12 format into iKeyman, first import the corresponding CA certificates.

  2. You cannot import a personal certificate that has multiple OU attributes.

Perform the following steps on the machine to which you want to import the personal certificate:

  1. In the Key database content field, select Personal Certificates and select the certificate you want to import.

  2. Click Export/Import. The Export/Import key window displays.

  3. Select Import Key.

  4. Select the Key file type of the certificate you want to import, for example PKCS12.

  5. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.

  6. Click OK. The Password Prompt window displays.

  7. In the Password field, type the password used when the certificate was exported.

  8. Click OK. The certificate is imported to the key database.

Use the following command to import a personal certificate using IKEYCMD:

gsk6cmd -cert -import -file filename -pw password -type pkcs12 -target filename
        -target_pw password -target_type cms

where:

-file filename is the fully qualified path name of the file containing the PKCS #12 certificate.
-pw password is the password for the PKCS #12 certificate.
-type pkcs12 is the type of the file.
-target filename is the name of the destination CMS key database.
-target_pw password is the password for the CMS key database.
-target_type cms is the type of the database specified by -target.


Removing certificates

Use the following procedure to remove personal certificates:

  1. In the Personal Certificates field, select the certificate labelled:

    • For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or,

    • For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

  2. If you do not already have a copy of the certificate and you want to save it:

    1. Click Extract. The Extract a Certificate to a File window displays.

    2. Select the Data type of the new personal certificate, for example Base64-encoded ASCII data for a file with the .arm extension.

    3. Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.

    4. Click OK. The certificate is written to the file you specified.

  3. With the certificate selected, click Delete. The Confirm window displays.

  4. Click Yes. The Personal Certificates field no longer shows the label of the certificate you deleted.

Use the following command to remove a certificate using IKEYCMD:

gsk6cmd -cert -delete -db filename -pw password -label label

where:

-db filename is the fully qualified path name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.


Editing a certificate label

When you import a personal certificate into iKeyman for use with WebSphere MQ, ensure that the Friendly name attribute is set to the correct value:

  • For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or,

  • For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

Note:
The value of the attribute must be exact. When you receive the personal certificate from the Certification Authority and edit the Friendly name property, some browsers add extra characters, for example a carriage return. After editing, you might need to import the certificate into a different browser and export it again before you import the certificate into iKeyman.
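As an added example (not part of the IBM documentation or of iKeyman), the following Python script performs two checks worth running before an import: it builds the label WebSphere MQ expects (ibmwebspheremq followed by the queue manager name or logon user ID folded to lower case) and flags a Friendly name that carries stray characters such as a carriage return, and it counts OU attributes in a subject DN, since a personal certificate with more than one OU cannot be imported. The function names and the DN strings are assumptions.

```python
# Added example (not from the IBM documentation): pre-import checks for a
# personal certificate bound for a WebSphere MQ key database. Function
# names and the sample DN strings are assumptions.

PREFIX = "ibmwebspheremq"  # label prefix WebSphere MQ requires


def expected_label(kind, name):
    """Label WebSphere MQ expects: PREFIX + name folded to lower case.
    kind is "queue_manager" (queue manager name) or "client" (logon user ID)."""
    if kind not in ("queue_manager", "client"):
        raise ValueError("kind must be 'queue_manager' or 'client'")
    return PREFIX + name.lower()


def check_friendly_name(friendly_name, kind, name):
    """List problems with a Friendly name attribute: stray characters that
    some browsers append (e.g. a carriage return) or an inexact label."""
    problems = []
    if friendly_name != friendly_name.strip() or any(ord(c) < 0x20 for c in friendly_name):
        problems.append("trailing control or whitespace characters")
    want = expected_label(kind, name)
    if friendly_name.strip() != want:
        problems.append("does not match expected label " + want)
    return problems


def split_rdns(dn):
    """Split an RFC 2253 style DN on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # char after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def count_ou(dn):
    """Count OU attributes in a subject DN; more than one blocks the import."""
    return sum(1 for r in split_rdns(dn) if r.split("=", 1)[0].strip().upper() == "OU")
```

Run count_ou on the subject DN and check_friendly_name on the label before you import; an empty problem list and an OU count of at most one means the certificate is ready for iKeyman.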
