Use the *SYSTEM certificate store for one-way authentication on IBM i
Follow these instructions to set up one-way authentication.
Before you begin
- Create a queue manager, channels, and transmission queues.
- Create a server or client certificate on the server queue manager.
- Transfer the CA certificate to the client queue manager and import it into the key repository.
- Start a listener on the server and client queue managers.
About this task
To use one-way authentication with a computer running IBM® i as the TLS server, set the SSL Key Repository (SSLKEYR) parameter to *SYSTEM. This setting registers the IBM MQ queue manager as an application. We can then assign a certificate to the queue manager to enable one-way authentication.
We can also use private keystores to implement one-way authentication by creating a dummy certificate for the client queue manager in the key repository.
Procedure
- Perform the following steps on the server and client queue managers:
  - Alter the queue manager to set the SSLKEYR parameter by issuing the command CHGMQM MQMNAME(SSL) SSLKEYR(*SYSTEM).
  - Stash the password for the default key repository by issuing the command CHGMQM MQMNAME(SSL) SSLKEYRPWD('xxxxxxx'). The password must be in single quotation marks.
  - Alter the channels to have the correct CipherSpec in the SSLCIPHER parameter.
  - Refresh TLS security by issuing the command RFRMQMAUT QMNAME(QMGRNAME) TYPE(*SSL).
- Assign the certificate to the server queue manager using DCM, as follows:
  - Access the DCM interface, as described in Accessing DCM.
  - In the navigation panel, click Select a Certificate Store. The Select a Certificate Store page is displayed in the task frame.
  - Select the *SYSTEM certificate store and click Continue.
  - In the left panel, expand Manage Applications.
  - Select View Application definition to check that the queue manager has been registered as an application. SSL (WMQ) is listed in the table.
  - Select Update Certificate Assignment.
  - Select Server and click Continue.
  - Select QMGRNAME (WMQ) and click Update certificate assignment.
  - Select the certificate and click Assign New Certificate. A window opens stating that the certificate has been assigned to the application.