Set up a key repository

 

An SSL connection requires a key repository at each end of the connection. Each queue manager must have access to a key repository. Use the SSLKEYR parameter on the ALTER QMGR command to associate a key repository with a queue manager. See The SSL key repository for more information.

On z/OS, digital certificates are stored in a key ring that is managed by your External Security Manager (ESM). These digital certificates have labels, which associate the certificate with a queue manager. SSL uses these certificates for authentication purposes. All the examples that follow use RACF commands. Equivalent commands exist for other ESM programs.

On z/OS, WebSphere MQ uses the ibmWebSphereMQ prefix on a label to avoid confusion with certificates for other products. The prefix is followed by the name of the queue manager.

The key repository name for a queue manager is the name of a key ring in your RACF database. You can specify the key ring name either before or after creating the key ring.

Use the following procedure to create a new key ring for a queue manager:

  1. Ensure that you have the appropriate authority to issue the RACDCERT command (see the SecureWay Security Server RACF Command Language Reference for more details).

  2. Issue the following command:
    RACDCERT ID(userid1) ADDRING(ring-name)

    where:

    • userid1 is the user ID of the channel initiator address space, or the user ID that is going to own the key ring (if the key ring is shared).

    • ring-name is the name you want to give to your key ring. The length of this name can be up to 237 characters. This name is case-sensitive. Specify ring-name in upper case to avoid problems.
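The following pre-flight check is an added example, not part of the original documentation. It validates a proposed ring name against the limits above, then builds the RACDCERT command, the matching ALTER QMGR SSLKEYR command, and the certificate label the queue manager will expect. The sample names, the `chinit_user` parameter, the `owner/ring-name` form for a ring owned by another user, and the LISTRING verification step are assumptions.

```python
import re

MAX_RING_NAME = 237               # length limit stated in the procedure
LABEL_PREFIX = "ibmWebSphereMQ"   # z/OS certificate label prefix


def check_ring_name(ring_name):
    """Return (errors, warnings) for a proposed key ring name."""
    errors, warnings = [], []
    if not ring_name:
        errors.append("ring name is empty")
    if len(ring_name) > MAX_RING_NAME:
        errors.append(f"ring name is {len(ring_name)} characters, limit is {MAX_RING_NAME}")
    if re.search(r"[\s()']", ring_name):
        # Assumption: these characters would break the commands built below.
        errors.append("ring name contains a blank, parenthesis or quote")
    if ring_name != ring_name.upper():
        warnings.append("ring name is case-sensitive and not in upper case")
    return errors, warnings


def plan_key_ring(qmgr, owner, ring_name, chinit_user=None):
    """Build the commands and certificate label for one queue manager.

    owner is userid1 from the procedure. chinit_user (hypothetical parameter)
    is the channel initiator user ID when another user owns a shared ring.
    """
    errors, warnings = check_ring_name(ring_name)
    if errors:
        raise ValueError("; ".join(errors))
    shared = chinit_user is not None and chinit_user.upper() != owner.upper()
    # Assumption: a ring owned by another user is referenced as owner/ring-name.
    keyr = f"{owner}/{ring_name}" if shared else ring_name
    return {
        "racf": f"RACDCERT ID({owner}) ADDRING({ring_name})",
        "verify": f"RACDCERT ID({owner}) LISTRING({ring_name})",
        # Quoted so that MQSC does not fold the value to upper case.
        "mqsc": f"ALTER QMGR SSLKEYR('{keyr}')",
        "label": LABEL_PREFIX + qmgr,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    plan = plan_key_ring("QM01", "CHINUSR", "QM01RING")
    for key in ("racf", "verify", "mqsc", "label"):
        print(f"{key:7}{plan[key]}")
```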

 
