Assigning a certificate to a queue manager

 

In WebSphere MQ V6.0, we can use the traditional i5/OS digital certificate management. This means that we can specify that a queue manager uses the system certificate store, and that the queue manager is registered for use as an application with Digital Certificate Manager (DCM). To do this, change the value of the queue manager's SSLKEYR attribute to *SYSTEM.

When the SSLKEYR parameter is changed to *SYSTEM, WebSphere MQ registers the queue manager as a server application with a unique application label of QIBM_WEBSPHERE_MQ_QMGRNAME and a label with a description of Qmgrname (WMQ). The queue manager then appears as a server application in Digital Certificate Manager, and we can assign to this application any server or client certificate in the system store.

Because the queue manager is registered as an application, we can use advanced features of DCM, such as defining CA trust lists.

If the SSLKEYR parameter is changed to a value other than *SYSTEM, WebSphere MQ deregisters the queue manager as an application with Digital Certificate Manager. If a queue manager is deleted, it is also deregistered from DCM. A user with sufficient *SECADM authority can also manually add or remove applications from DCM.

 
