Work with a key repository

This section tells you how to perform the following tasks:

  • Locating the key repository for a queue manager
  • Changing the key repository location for a queue manager
  • Locating the key repository for a WebSphere MQ client
  • Specifying the key repository location for a WebSphere MQ client

When you change either the key repository attribute or the certificates in the key database file, check When changes become effective.


Locating the key repository for a queue manager

Use this procedure to obtain information about the location of the queue manager's key database file:

  1. Display the queue manager's attributes, using either of the following MQSC commands:
    DISPLAY QMGR ALL
    DISPLAY QMGR SSLKEYR

  2. Examine the command output for the path and stem name of the key database file. For example: /var/mqm/qmgrs/PARIS/ssl/key, where /var/mqm/qmgrs/PARIS/ssl is the path and key is the stem name.


Changing the key repository location for a queue manager

You can change the location of the queue manager's key database file using either of the following methods:

  • Use the ALTER QMGR MQSC command to set the queue manager's key repository attribute, for example:
    ALTER QMGR SSLKEYR('/var/mqm/qmgrs/PARIS/ssl/MyKey')

    The key database file has the fully qualified filename: /var/mqm/qmgrs/PARIS/ssl/MyKey.kdb

    Note: The .kdb extension is a mandatory part of the filename, but it is not included in the value of the parameter.

  • Use WebSphere MQ Explorer on a Windows system to work with the UNIX queue manager's key repository attribute, as described in Working with a key repository.

When you change the location of a queue manager's key database file, certificates are not transferred from the old location. If the CA certificates pre-installed when you created the certificate store are insufficient, populate the new key database file with certificates, as described in Managing digital certificates.


Locating the key repository for a WebSphere MQ client

Examine the MQSSLKEYR environment variable to obtain the location of the WebSphere MQ client's key database file. For example:

echo $MQSSLKEYR

Also check the application, because the key database file can be set in an MQCONNX call, as described in Specifying the key repository location for a WebSphere MQ client. The value set in an MQCONNX call overrides the value of MQSSLKEYR.


Specifying the key repository location for a WebSphere MQ client

There is no default key repository for a WebSphere MQ client. Ensure that the key database file can be accessed only by intended users or administrators to prevent unauthorized copying to other systems.
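As an added example (not IBM's code or part of this documentation), the following shell script ties the two locating procedures together: it parses the SSLKEYR value out of runmqsc output (or takes the stem from MQSSLKEYR for a client), appends the mandatory .kdb extension, and checks that the resulting file is accessible to its owner only. The runmqsc output is a constructed sample and the function names are my own.

```shell
# Added example, not IBM code: locate a key repository from MQSC output or
# MQSSLKEYR, derive the .kdb filename, and confirm only its owner can read it.

# Constructed sample of what "DISPLAY QMGR SSLKEYR" prints under runmqsc,
# embedded so the script runs offline. A real run would be:
#   echo "DISPLAY QMGR SSLKEYR" | runmqsc PARIS
SAMPLE_MQSC_OUTPUT='Starting MQSC for queue manager PARIS.
     1 : DISPLAY QMGR SSLKEYR
AMQ8408: Display Queue Manager details.
   QMNAME(PARIS)                           SSLKEYR(/var/mqm/qmgrs/PARIS/ssl/key)
One MQSC command read.'

# Print the stem name inside SSLKEYR(...), e.g. /var/mqm/qmgrs/PARIS/ssl/key.
sslkeyr_stem() {
    printf '%s\n' "$1" | sed -n 's/.*SSLKEYR(\([^)]*\)).*/\1/p' | head -n 1
}

# The key database file is the stem plus the mandatory .kdb extension,
# which is never part of the SSLKEYR or MQSSLKEYR value itself.
kdb_path() {
    printf '%s.kdb\n' "$1"
}

# Return 0 only if the .kdb exists and has no group/other permission bits,
# so other local users cannot read or copy it to another system.
check_kdb_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing key database: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$f has mode $mode: group/other can access it" >&2; return 1 ;;
    esac
}

# Queue manager: read runmqsc output on stdin, print and check the .kdb path.
# Usage: echo "DISPLAY QMGR SSLKEYR" | runmqsc PARIS | audit_qmgr_key_repository
audit_qmgr_key_repository() {
    stem=$(sslkeyr_stem "$(cat)")
    [ -n "$stem" ] || { echo "SSLKEYR not found in MQSC output" >&2; return 1; }
    kdb=$(kdb_path "$stem")
    echo "queue manager key repository: $kdb"
    check_kdb_perms "$kdb"
}

# Client: the stem comes from MQSSLKEYR (an MQCONNX call can still override it).
audit_client_key_repository() {
    [ -n "$MQSSLKEYR" ] || { echo "MQSSLKEYR is not set" >&2; return 1; }
    check_kdb_perms "$(kdb_path "$MQSSLKEYR")"
}
```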

You can specify the location of the WebSphere MQ client's key database file by:


When changes become effective

Changes to the certificates in the key database file and to the key repository attribute become effective:

  • When a new outbound single channel process first runs an SSL channel.

  • When a new inbound TCP/IP single channel process first receives a request to start an SSL channel.

  • For channels that run as threads of a process pooling process (amqrmppa), when the process pooling process is started or restarted and first runs an SSL channel. If the process pooling process has already run an SSL channel, and you want the change to become effective immediately, restart the queue manager.

  • For channels that run as threads of the channel initiator, when the channel initiator is started or restarted and first runs an SSL channel. If the channel initiator process has already run an SSL channel, and you want the change to become effective immediately, restart the queue manager.

  • For channels that run as threads of a TCP/IP listener, when the listener is started or restarted and first receives a request to start an SSL channel.
