Set up a key repository

 

An SSL connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. If you want to access the key repository using a file name and password (that is, not using the *SYSTEM option) ensure:

See The SSL key repository for more information.

On i5/OS, digital certificates are stored in a certificate store that is managed with DCM. These digital certificates have labels, which associate a certificate with a queue manager. SSL uses the certificates for authentication purposes.

The queue manager certificate store name comprises a path and stem name. The default path is /QIBM/UserData/ICSS/Cert/Server/ and the default stem name is Default. On i5/OS, the default certificate store, /QIBM/UserData/ICSS/Cert/Server/Default.kdb, is also known as *SYSTEM. Optionally, you can choose your own path and stem name.

Working with a key repository tells you about checking and specifying the certificate store name. You can specify the certificate store name either before or after creating the certificate store.

The operations you can perform with DCM might be limited by the authority of your user profile. For example, you require *ALLOBJ and *SECADM authorities to create a CA certificate.

 
