runmqckm and runmqakm options

We can use the runmqckm (iKeycmd) and runmqakm command line options to manage keys, certificates, and certificate requests.

The runmqakm command is available on UNIX, Linux, and Windows.

The runmqckm command is available on UNIX and Windows.

Note: IBM MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.

The meaning of an option can depend on the object and action specified in the command.

Parameter Description
-create Option to create a key database.
-crypto Name of the module to manage a PKCS #11 cryptographic device.

The value after -crypto is optional if we specify the module name in the properties file.

If we are using certificates or keys stored on PKCS #11 cryptographic hardware, note that runmqckm and strmqikm are run using the Java virtual machine (JVM) supplied with the IBM MQ installation. External modules required for PKCS #11 support will be loaded into the JVM process, therefore we must have a PKCS #11 library installed for the administration of cryptographic hardware that matches the bitness of the JVM, and must specify this library to runmqckm or strmqikm.
-db Fully qualified path name of a key database.
-default_cert Sets a certificate as the default certificate. The value can be yes or no. The default is no.
-dn X.500 distinguished name. The value is a string enclosed in double quotation marks, for example "CN=John Smith,O=IBM,OU=Test,C=GB". Note that only the O, and C attributes are required. Specifying a common name (CN) is optional.
-encryption Strength of encryption used in certificate export command. The value can be strong or weak. The default is strong.
-expire Expiration time in days of either a certificate or a database password. The default is 365 days for a certificate password.

There is no default time for a database password: use the -expire parameter to set a database password expiration time explicitly.

-file File name of a certificate or certificate request.
-fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-format Format of a certificate. The value can be ascii for Base64_encoded ASCII or binary for Binary DER data. The default is ascii.
-label Label attached to a certificate or certificate request. If the certificate is a personal certificate used to identify an IBM MQ client application or queue manager, the label must correspond to the IBM MQ certificate label (CERTLABL) setting, for more information, see Digital certificate labels, understanding the requirements.
-new_format New format of key database.
-new_label Used on a certificate import command, this option allows a certificate to be imported with a different label from the label it had in the source key database. If the certificate is a personal certificate used to identify an IBM MQ client application or queue manager, the label must correspond to the IBM MQ certificate label (CERTLABL) setting, for more information, see Digital certificate labels, understanding the requirements.
-new_pw New database password.
-old_format Old format of key database.
-pw Password for the key database or PKCS #12 file.
-secondaryDB Name of a secondary key database for PKCS #11 device operations.
-secondaryDBpw Password for the secondary key database for PKCS #11 device operations.
-showOID Displays the full certificate or certificate request.
-sig_alg The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request.

For runmqckm, the value can be, MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, SHA2/ECDSA, SHA224WithECDSA, SHA256_WITH_RSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithECDSA, SHA3/ECDSA, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, SHA3WithECDSA, SHA5/ECDSA, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHA5WithECDSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, SHAWithRSA. The default value is SHA1WithRSA.

For runmqakm, the value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA.

-size Key size.

For runmqckm, the value can be 512, 1024, or 2048. The default value is 1024 bits.

For runmqakm, the value depends upon the signature algorithm:

  • For RSA signature algorithms (the default algorithm used if no -sig_alg is specified), the value can be 512, 1024, 2048, or 4096. An RSA key size of 512 bits is not permitted if the -fips parameter is enabled. The default RSA key size is 1024 bits.
  • For Elliptic Curve algorithms, the value can be 256, 384, or 512. The default Elliptic Curve key size depends upon the signature algorithm. For SHA256, it is 256; for SHA384, it is 384; and for SHA512, it is 512.

-stash Stash the key database password to a file. Only applicable to databases of type CMS and PKCS12.
-stashpw Stash the key database password to a file. Only applicable to databases of type CMS and PKCS12.
-target Destination file or database.
-target_pw Password for the key database if -target specifies a key database.
-target_type Type of database specified by -target operand. See -type parameter for permitted values.
-tokenLabel Label of a PKCS #11 cryptographic device.
-trust Trust status of a CA certificate. The value can be enable or disable. The default is enable.
-type Type of database. The value can be any of the following values:

  • cms for a CMS key database
  • pkcs12 for a PKCS #12 file.

-x509version Version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
-rfc3339 Use this parameter to output the date in the RFC 3339 format for the runmqakm -cert -details command, which is of the following format:
Not Before : 2015-08-26T08:53:37Z
Not After : 2016-08-26T08:53:37Z
Note that the -rfc3339 parameter has to appear in the command after the additional parameters:
runmqakm -cert -details -db exampleDB -stashed -label 
          certficateLabel -rfc3339
Note: Properties provided with IBM Global Security Kit (GSKit) relating to symmetric-key encryption -seckey parameter in the runmqckm utility are ignored and not supported by IBM MQ. Parent topic: Manage keys and certificates on UNIX, Linux, and Windows