The SSL key repository

A key repository is a store for digital certificates and their associated private keys. The specific store names used on the platforms that support SSL are:

  • OS/400: certificate store

  • UNIX: key database file

  • Windows: certificate store

  • z/OS: key ring

A fully authenticated SSL connection requires a key repository at each end of the connection. The key repository contains:

  • A number of CA certificates from various Certification Authorities that allow the queue manager to verify certificates it receives from its partner at the remote end of the connection. Individual certificates might be in a certificate chain.

  • A personal certificate received from a Certification Authority. You associate a single certificate with each queue manager and a single certificate with each WebSphere MQ client.

The location of the key repository depends on the platform you are using:

OS/400
On OS/400 the key repository is a certificate store. The default system certificate store is located at /QIBM/UserData/ICSS/Cert/Server/Default in the integrated file system (IFS). To use a different certificate store, refer to Working with a key repository.

On OS/400, WebSphere MQ stores the password for the certificate store in a password stash file. For example, the stash file for queue manager PARIS is /QIBM/UserData/mqm/qmgrs/PARIS/ssl/Stash.sth.

On OS/400 the certificate store also contains the private key for the queue manager.

UNIX
On UNIX systems the key repository is a key database file, held in the SSL directory for the queue manager or WebSphere MQ client. The name of the key database file must have a file extension of .kdb. For example, the default key database file for queue manager PARIS is /var/mqm/qmgrs/PARIS/ssl/key.kdb.

On UNIX systems each key database file has an associated password stash file. This file holds encrypted passwords that allow programs to access the key database. The password stash file must be in the same directory and have the same file stem as the key database, and must end with the suffix .sth, for example /var/mqm/qmgrs/PARIS/ssl/key.sth.

On UNIX systems, PKCS #11 cryptographic hardware cards can contain the certificates and keys that are otherwise held in a key database file. When certificates and keys are held on PKCS #11 cards, WebSphere MQ still requires access to both a key database file and a password stash file.

On UNIX systems, the key database also contains the private key for the queue manager or WebSphere MQ client.

Windows
On Windows systems the key repository is a Microsoft certificate store file. The name of the certificate store file must have a file extension of .sto, but you can choose the stem, for example PARIS.sto.

On Windows systems there is no associated password stash file. The store databases can be read by any application with permission to access the files. Give particular attention to controlling access to certificate stores.

On Windows systems, private keys are held separately from the key repository.

z/OS
Certificates are held in a key ring in RACF. Refer to Setting up a key repository for more information about creating a key ring in RACF.

Other external security managers (ESMs) also use key rings for storing certificates.

On z/OS, private keys are managed by RACF.

Protecting WebSphere MQ client key repositories

The key repository for a WebSphere MQ client is a file on the client machine. Ensure that only the intended user can access the key repository file. This prevents an intruder or other unauthorized user copying the key repository file to another system, and then setting up an identical user ID on that system to impersonate the intended user.
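The two UNIX rules above (the .kdb file must have a matching .sth stash file with the same stem in the same directory, and only the intended user may access the pair) can be checked with a short script. This is an added example, not code from the WebSphere MQ documentation; the directory, the stem "key" and the expected owner are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the WebSphere MQ documentation: check a UNIX
# key repository the way the text describes it. The stem "key", the
# directory layout and the owner are assumptions supplied by the caller.
#
# Usage: check_key_repository <ssl-directory> [stem] [expected-owner]
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_key_repository() {
    dir=$1
    stem=${2:-key}              # queue managers default to key.kdb
    owner=${3:-$(id -un)}       # the intended user (assumed: the caller)
    kdb="$dir/$stem.kdb"
    sth="$dir/$stem.sth"
    rc=0

    # The key database file must exist with the .kdb extension.
    if [ ! -f "$kdb" ]; then
        echo "FAIL: key database $kdb not found"
        rc=1
    fi

    # The stash file must be in the same directory, with the same stem
    # and the .sth suffix; without it programs cannot open the key database.
    if [ ! -f "$sth" ]; then
        echo "FAIL: password stash file $sth not found"
        rc=1
    fi

    # Only the intended user may read either file: a copied .kdb/.sth pair
    # would let someone impersonate that user from another system.
    for f in "$kdb" "$sth"; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        fowner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        case "$mode" in
            *00) ;;                             # no group/other bits set
            *)  echo "FAIL: $f mode $mode is readable by group or others"
                rc=1 ;;
        esac
        if [ "$fowner" != "$owner" ]; then
            echo "FAIL: $f is owned by $fowner, expected $owner"
            rc=1
        fi
    done
    return $rc
}

# Run against the directory named on the command line, if any.
if [ $# -gt 0 ]; then check_key_repository "$@"; fi
```

Run it as `sh check_keyrepo.sh /var/mqm/qmgrs/PARIS/ssl` (file name assumed) to check the default queue-manager repository named above; a client repository is checked the same way by passing its directory and stem.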

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.