Managing MQIPT keystores
Use the mqiptKeytool command to manage certificates in keystores that IBM® MQ Internet Pass-Thru (MQIPT) uses.
[MQ 9.4.0 Jun 2024]
From IBM MQ 9.4.0, this command replaces the mqiptKeycmd command that is used to manage certificates in earlier versions of MQIPT.
Required keystore format for MQIPT
MQIPT supports keystores that use the PKCS #12 file format. When you use the mqiptKeytool command to manage an MQIPT keystore, specify the -storetype pkcs12 parameter to indicate that the keystore uses the PKCS #12 format.
MQIPT can also access certificates that are stored in cryptographic hardware that supports the PKCS #11 interface. The mqiptKeytool command can also be used to manage certificates on PKCS #11 hardware. For more information, see Using PKCS #11 cryptographic hardware in MQIPT.
Encrypting the keystore password for MQIPT
Encrypt the keystore password in a format that MQIPT can use to access the file. For more information, see Encrypting a key ring password in MQIPT.
The stash file facility that IBM MQ supports is not supported by MQIPT. Use the mqiptPW command to encrypt the keystore password instead of using a stash file.
Examples
- The following command creates a self-signed personal certificate for testing purposes:

  mqiptKeytool -genkeypair -keystore key.p12 -storetype pkcs12 -storepass password -alias mqipt -dname "CN=Test Certificate,OU=Sales,O=Example,C=US" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA

  The command creates a digital certificate with a 2048-bit RSA public key and a digital signature that uses RSA with the SHA-256 hash algorithm. The certificate and its associated public and private keys are stored in a PKCS #12 format keystore named key.p12. The keystore file is created if it does not exist.

  When you create a certificate, choose a public key encryption algorithm, key size, and digital signature algorithm that are appropriate for your organization's security needs. For more information, see Digital certificate considerations for MQIPT.

  This example uses a self-signed certificate that is suitable for test purposes. In a production environment, use a certificate that is signed by a certificate authority instead.
- The following command creates a certificate request for a CA-signed certificate to be used for production purposes:

  mqiptKeytool -certreq -keystore key.p12 -storetype pkcs12 -storepass password -alias mqipt -file cert.req

  The command creates a Certificate Signing Request (CSR) in the PKCS #10 format. The CSR can be sent to a certificate authority to request a CA-signed certificate. The public and private key pair with the alias mqipt must be created before you issue this command, by issuing the mqiptKeytool -genkeypair command in the previous example.
- The following command receives the CA-signed personal certificate file that is named cert.crt into the keystore. The -alias parameter must name the existing key pair (mqipt) so that the received certificate replaces the self-signed certificate of that key pair rather than being stored as a separate trusted certificate entry:

  mqiptKeytool -importcert -keystore key.p12 -storetype pkcs12 -storepass password -alias mqipt -file cert.crt

  Import the CA certificate of the CA that signed the personal certificate into the keystore by issuing the following command:

  mqiptKeytool -importcert -keystore key.p12 -storetype pkcs12 -storepass password -file ca.crt -alias rootCA

  A chain of trust from the personal certificate to the CA must be established when the personal certificate is received, so if cert.crt contains only the personal certificate and not the CA certificate, import ca.crt before receiving cert.crt.
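After creating or updating a keystore with the commands above, it is worth confirming that the key.p12 file really contains what the examples describe before MQIPT is pointed at it: an RSA key of at least 2048 bits, a SHA-256 signature, and, for production, a CA-signed certificate whose issuing CA is present in the keystore. The following script is an added example, not IBM code and not part of MQIPT; it uses the third-party Python `cryptography` package, and the policy thresholds (`MIN_RSA_BITS`, `WEAK_HASHES`) are assumptions for the example. Because mqiptKeytool is not available here, the script constructs two keystores in memory (a self-signed one equivalent to the -genkeypair example, and a CA-signed one standing in for the CSR/import flow) and runs the same `inspect_keystore` check on both; in practice you would read key.p12 from disk and pass the keystore password.

```python
"""Inspect a PKCS #12 keystore of the kind mqiptKeytool produces.

Added example (not IBM code). Requires the third-party `cryptography` package.
The keystores are constructed in memory so the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Assumed policy values for this example (not taken from the IBM page).
MIN_RSA_BITS = 2048
WEAK_HASHES = {"md5", "sha1"}


def _not_after(cert):
    # Newer cryptography releases expose timezone-aware *_utc properties;
    # fall back to the older naive attribute and treat it as UTC.
    utc = getattr(cert, "not_valid_after_utc", None)
    if utc is not None:
        return utc
    return cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)


def inspect_keystore(p12_bytes, password):
    """Return findings about the personal certificate stored in a PKCS #12 keystore."""
    key, cert, cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    pub = cert.public_key()
    issues = []
    if not isinstance(pub, rsa.RSAPublicKey):
        issues.append("public key is not RSA")
    elif pub.key_size < MIN_RSA_BITS:
        issues.append(f"RSA key too short: {pub.key_size} bits")
    sig_hash = cert.signature_hash_algorithm.name
    if sig_hash in WEAK_HASHES:
        issues.append(f"weak signature hash: {sig_hash}")
    self_signed = cert.issuer == cert.subject
    if self_signed:
        issues.append("self-signed certificate: test use only")
    elif not any(c.subject == cert.issuer for c in cas or []):
        # The CA that signed the personal certificate has not been imported.
        issues.append("issuing CA certificate is missing from the keystore")
    if _not_after(cert) < datetime.datetime.now(datetime.timezone.utc):
        issues.append("certificate has expired")
    return {
        "subject": cert.subject.rfc4514_string(),
        "key_bits": getattr(pub, "key_size", None),
        "signature_hash": sig_hash,
        "self_signed": self_signed,
        "chain_length": 1 + len(cas or []),
        "issues": issues,
    }


def _name(cn, org):
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
    ])


def _cert(subject, issuer, pub, signer_key, hash_alg, days=365):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(signer_key, hash_alg))


def build_self_signed_keystore(password=b"password", bits=2048, hash_alg=None):
    """Constructed equivalent of the -genkeypair example: RSA key, SHA-256 self-signed cert, alias mqipt."""
    hash_alg = hash_alg or hashes.SHA256()
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = _name("Test Certificate", "Example")
    cert = _cert(name, name, key.public_key(), key, hash_alg)
    return pkcs12.serialize_key_and_certificates(
        b"mqipt", key, cert, None, serialization.BestAvailableEncryption(password))


def build_ca_signed_keystore(password=b"password", include_ca=True):
    """Constructed stand-in for the CSR/import flow: a throwaway CA signs the MQIPT certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = _name("Example Root CA", "Example")
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, hashes.SHA256())
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _cert(_name("mqipt.example.com", "Example"), ca_name,
                 key.public_key(), ca_key, hashes.SHA256())
    return pkcs12.serialize_key_and_certificates(
        b"mqipt", key, cert, [ca_cert] if include_ca else None,
        serialization.BestAvailableEncryption(password))


if __name__ == "__main__":
    for label, ks in (("self-signed", build_self_signed_keystore()),
                      ("ca-signed", build_ca_signed_keystore())):
        print(label, inspect_keystore(ks, b"password"))
```

To check a real keystore, read key.p12 with `open("key.p12", "rb").read()` and pass the same password you gave to -storepass; an empty `issues` list means the keystore meets the assumed policy, while the self-signed finding is expected for the test certificate and should disappear once the CA-signed certificate and its CA have been imported.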