IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Create and initialize the broker keystore and truststore (z/OS®)

Create a keystore and import your personal certificate and signer certificates.

Before you start:
Note: Because of export restrictions, the IBM® JDKs ship with a set of restricted policy files that limit the size of the cryptographic keys that can be used. To remove these limits, replace the two restricted files in the $JAVA_HOME/lib/security directory:
  • local_policy.jar
  • US_export_policy.jar

with the unrestricted versions of the same files from the JAVA_HOME/demo/jce/policy-files/unrestricted directory. The unrestricted policy files are the same for IBM JDK 1.4.2, IBM JDK 5, and IBM JDK 6.

This topic describes how to use the same file as both keystore and truststore. To use separate files, run the procedure twice, once for each file:
  • When creating the keystore, do not import signer certificates.
  • When creating the truststore, do not import personal certificates.

The tasks use keytool to create the keystore. An alternative is the ikeyman graphical tool, which requires an X Window System.

The following steps are required to create and initialize the broker keystore:
  1. Create the keystore. keytool has no command to create an empty keystore, so a dummy key is generated to force the creation of the keystore file. The dummy key is deleted after the keystore is created.
  2. Import the CA signer certificate or certificates. These are the certificates of the CAs that signed the certificates of the client applications that connect to IBM Integration Bus; importing them makes those applications trusted.
Example commands for each step are as follows:
  1. Create the JKS keystore. For example:
    /usr/lpp/java/J6.0/bin/keytool -genkey   
         -alias DUMMY
         -keystore  /u/CSQPBRK/ssl/csqpbrkKeystore.jks 
         -storetype jks 
         -dname  "CN=DUMMY,OU=BROKER,O=IBM,L=Hursley,C=GB"
         -storepass changeit 
         -keypass changeit
  2. Delete the dummy key. For example:
    /usr/lpp/java/J6.0/bin/keytool -delete  
         -alias DUMMY
         -keystore  /u/CSQPBRK/ssl/csqpbrkKeystore.jks
         -storepass changeit
  3. Optional: Import the CA signer certificates. Omit this step if you require separate files for a keystore and truststore, and are creating a keystore. keytool prompts you to confirm that the certificate is to be trusted; check the fingerprint it displays against the one published by the CA before you answer yes. For example:
    /usr/lpp/java/J6.0/bin/keytool -import  
         -keystore /u/CSQPBRK/ssl/csqpbrkKeystore.jks 
         -storepass changeit 
         -alias RACFCA
         -file /u/CSQPBRK/ssl/csqpbrk.ca.der -v
  4. Optional: Import the broker personal certificate. Omit this step if you require separate files for a keystore and truststore, and are creating a truststore. For example:
    /usr/lpp/java/J6.0/bin/keytool -import  
      -keystore /u/CSQPBRK/ssl/csqpbrkKeystore.jks
      -storepass changeit
      -alias CSQPBRK
      -file /u/CSQPBRK/ssl/csqpbrk.pers.p12 
      -v 
      -pkcs12
      -keypass changeit 
      -noprompt
    If the keystore is to be used for inbound HTTPS connections, always specify -keypass and set it to the same value as -storepass; otherwise the broker cannot read the private key.
  5. List the contents of the broker keystore. For example:
    /usr/lpp/java/J6.0/bin/keytool -list  
       -keystore /u/CSQPBRK/ssl/csqpbrkKeystore.jks
       -storepass changeit
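The following script is added here as a worked example; it is not part of the IBM documentation or of the product. It runs steps 1 to 5 above unattended as one procedure and then checks the listing from step 5 for the result the page expects (no DUMMY entry left, the CA present as a trusted certificate, the personal certificate present as a key entry). The paths, aliases and the password changeit are the page's own examples; the KEYTOOL, KEYSTORE and related environment variables, the -noprompt added to the CA import (so the trust confirmation does not block the script), the MODE argument and the verify_listing check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM page): the keystore procedure as one script,
# plus a check of the finished store. Variable names and verify_listing are
# this example's own; defaults are the page's example values.

KEYTOOL=${KEYTOOL:-/usr/lpp/java/J6.0/bin/keytool}
KEYSTORE=${KEYSTORE:-/u/CSQPBRK/ssl/csqpbrkKeystore.jks}
STOREPASS=${STOREPASS:-changeit}
KEYPASS=${KEYPASS:-$STOREPASS}
CA_FILE=${CA_FILE:-/u/CSQPBRK/ssl/csqpbrk.ca.der}
PERS_FILE=${PERS_FILE:-/u/CSQPBRK/ssl/csqpbrk.pers.p12}
CA_ALIAS=RACFCA
PERS_ALIAS=CSQPBRK

# The page requires -keypass to equal -storepass for inbound HTTPS;
# refuse to build a store that violates that.
passwords_match() {
  [ "$1" = "$2" ]
}

# Steps 1-4. MODE is "both" (one file as keystore and truststore),
# "keystore" (personal certificate only) or "truststore" (signer certs only).
build_store() {
  mode=$1
  passwords_match "$STOREPASS" "$KEYPASS" \
    || { echo "keypass must equal storepass" >&2; return 1; }
  # Step 1: dummy key forces creation of the keystore file.
  "$KEYTOOL" -genkey -alias DUMMY -keystore "$KEYSTORE" -storetype jks \
      -dname "CN=DUMMY,OU=BROKER,O=IBM,L=Hursley,C=GB" \
      -storepass "$STOREPASS" -keypass "$KEYPASS" || return 1
  # Step 2: remove the dummy key again.
  "$KEYTOOL" -delete -alias DUMMY -keystore "$KEYSTORE" \
      -storepass "$STOREPASS" || return 1
  # Step 3: signer certificate (skipped for a keystore-only file).
  # -noprompt is an assumption of this script: it suppresses the interactive
  # "trust this certificate?" question, so check the CA file before running.
  if [ "$mode" != keystore ]; then
    "$KEYTOOL" -import -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$CA_ALIAS" -file "$CA_FILE" -noprompt -v || return 1
  fi
  # Step 4: personal certificate from PKCS#12 (skipped for a truststore-only file).
  if [ "$mode" != truststore ]; then
    "$KEYTOOL" -import -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$PERS_ALIAS" -file "$PERS_FILE" -pkcs12 \
        -keypass "$KEYPASS" -noprompt -v || return 1
  fi
}

# Step 5 check: read 'keytool -list' output from stdin and confirm the store
# holds what MODE says it should and nothing left over. JKS stores aliases
# in lower case, and Java 6 keytool prints "keyEntry" where later releases
# print "PrivateKeyEntry", so matching is case-insensitive and accepts both.
verify_listing() {
  mode=$1
  listing=$(cat)
  if printf '%s\n' "$listing" | grep -Eiq '^dummy,'; then
    echo "dummy key still present" >&2; return 1
  fi
  if [ "$mode" != keystore ]; then
    printf '%s\n' "$listing" | grep -Eiq "^${CA_ALIAS},.*trustedCertEntry" \
      || { echo "missing trusted CA entry $CA_ALIAS" >&2; return 1; }
  fi
  if [ "$mode" != truststore ]; then
    printf '%s\n' "$listing" | grep -Eiq "^${PERS_ALIAS},.*(keyEntry|PrivateKeyEntry)" \
      || { echo "missing key entry $PERS_ALIAS" >&2; return 1; }
  fi
  return 0
}

# Run end to end only when invoked as: sh build_keystore.sh run [both|keystore|truststore]
if [ "${1:-}" = run ]; then
  build_store "${2:-both}" || exit 1
  "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | verify_listing "${2:-both}"
fi
```

Run it once per file when you keep keystore and truststore separate (run keystore, then run truststore with a different KEYSTORE), and once with both for the single-file layout the page describes. The store password is passed on the command line here exactly as on the page, so it is visible to other users in the process list while keytool runs; set KEYSTORE under a directory only the broker user can read.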
What to do next: Configure IBM Integration Bus on z/OS for SSL.

ap34025_.htm | Last updated Friday, 21 July 2017