Set up a key repository
An SSL connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. Use the SSLKEYR parameter on the ALTER QMGR command to associate a key repository with a queue manager. See The SSL key repository for more information.
On z/OS, digital certificates are stored in a key ring that is managed by your External Security Manager (ESM). These digital certificates have labels, which associate the certificate with a queue manager. SSL uses these certificates for authentication purposes. All the examples that follow use RACF commands. Equivalent commands exist for other ESM programs.
On z/OS, WebSphere MQ uses the ibmWebSphereMQ prefix on a label to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager.
The key repository name for a queue manager is the name of a key ring in your RACF database. You can specify the key ring name either before or after creating the key ring.
Use the following procedure to create a new key ring for a queue manager:
- Ensure that you have the appropriate authority to issue the RACDCERT command (see the SecureWay Security Server RACF Command Language Reference for more details).
- Issue the following command:
RACDCERT ID(userid1) ADDRING(ring-name)
where:
- userid1 is the user ID of the channel initiator address space, or the user ID that is going to own the key ring (if the key ring is shared).
- ring-name is the name you want to give to your key ring. The length of this name can be up to 237 characters. This name is case-sensitive. Specify ring-name in upper case to avoid problems.
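As an added illustration (not part of the original documentation), the sequence below creates a key ring, confirms that it exists, and then associates it with the queue manager through SSLKEYR. The user ID CHINUSR and the ring name QM1RING are constructed values; RACDCERT LISTRING and DISPLAY QMGR are standard RACF and MQSC commands that this page does not itself mention.

```text
/* RACF (TSO), issued by a user authorized for RACDCERT.           */
/* CHINUSR = assumed user ID of the channel initiator address space */
/* QM1RING = assumed ring name, upper case, well under 237 chars    */
RACDCERT ID(CHINUSR) ADDRING(QM1RING)

/* Confirm the ring exists under the intended owner; a new ring     */
/* lists no connected certificates yet.                             */
RACDCERT ID(CHINUSR) LISTRING(QM1RING)

* MQSC, issued to the queue manager: point it at the key ring.
* The name must match the RACF ring name exactly, including case.
ALTER QMGR SSLKEYR(QM1RING)

* Check the value the queue manager now holds.
DISPLAY QMGR SSLKEYR
```

Because the key ring name can be specified before or after the ring is created, the ALTER QMGR step can equally come first; the LISTRING check then shows whether the name set on the queue manager matches a ring that actually exists.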