Managing MQIPT keystores

[MQ 9.4.0 Jun 2024] Use the mqiptKeytool command to manage certificates in keystores that IBM® MQ Internet Pass-Thru (MQIPT) uses.


From IBM MQ 9.4.0, this command replaces the mqiptKeycmd command that is used to manage certificates in earlier versions of MQIPT.

Required keystore format for MQIPT

MQIPT supports keystores that use the PKCS #12 file format. When you use the mqiptKeytool command to manage an MQIPT keystore, specify the -storetype pkcs12 parameter to indicate that the keystore uses the PKCS #12 format.

MQIPT can also access certificates that are stored in cryptographic hardware that supports the PKCS #11 interface. The interface can also be used to manage certificates on PKCS #11 hardware. For more information, see Using PKCS #11 cryptographic hardware in MQIPT.

Encrypting the keystore password for MQIPT

Encrypt the keystore password in a format that MQIPT can use to access the file. For more information, see Encrypting a key ring password in MQIPT.

The stash file facility that IBM MQ supports is not supported by MQIPT. Use the mqiptPW command to encrypt the keystore password instead of using a stash file.


Examples

The following examples show how the mqiptKeytool command is used to manage certificates in an MQIPT keystore.
  • The following command creates a self-signed personal certificate for testing purposes:
    mqiptKeytool -genkeypair -keystore key.p12 -storetype pkcs12 -storepass password
                 -alias mqipt -dname "CN=Test Certificate,OU=Sales,O=Example,C=US"
                 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA
    
    The command creates a digital certificate with a 2048-bit RSA public key and a digital signature that uses RSA with the SHA-256 hash algorithm. The certificate and its associated public and private keys are stored in a PKCS #12 format keystore named key.p12. The keystore file is created if it does not exist.

    When you create a certificate, choose a public key encryption algorithm, key size, and digital signature algorithm that are appropriate for your organization's security needs. For more information, see Digital certificate considerations for MQIPT.

    This example uses a self-signed certificate that is suitable for test purposes. In a production environment, use a certificate that is signed by a certificate authority instead.

  • The following command creates a certificate request for a CA-signed certificate to be used for production purposes:
    mqiptKeytool -certreq -keystore key.p12 -storetype pkcs12 -storepass password
                 -alias mqipt -file cert.req
    The command creates a Certificate Signing Request (CSR) in the PKCS #10 format. The CSR can be sent to a certificate authority to request a CA-signed certificate. The key pair with the alias mqipt must already exist before you issue this command; create it with the mqiptKeytool -genkeypair command shown in the previous example.
  • The following command imports the CA-signed personal certificate file that is named cert.crt into the keystore, against the alias of the key pair that the CSR was created for, so that it replaces the self-signed certificate:
    mqiptKeytool -importcert -keystore key.p12 -storetype pkcs12 -storepass password
                 -file cert.crt -alias mqipt
    Import the CA certificate of the CA that signed the personal certificate into the keystore by issuing the following command:
    mqiptKeytool -importcert -keystore key.p12 -storetype pkcs12 -storepass password
                 -file ca.crt -alias rootCA
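The CA-signed certificate steps above, gathered into one POSIX shell script as an added example (this is not IBM's code). It assumes that mqiptKeytool is on the PATH and passes its options through to the Java keytool it wraps, that the keystore password is supplied in the MQIPT_STOREPASS environment variable instead of on the command line, and that the alias, DN and file names are placeholders; it also refuses key parameters weaker than the page's RSA 2048 / SHA-256 example, and imports the CA certificate before the CA reply so that keytool can validate the reply's chain.

```shell
#!/bin/sh
# Added example, not part of the MQIPT product. Assumes mqiptKeytool behaves like the
# Java keytool it wraps; KEYSTORE, ALIAS and DNAME are placeholder values.
set -eu

KEYSTORE="${KEYSTORE:-key.p12}"
ALIAS="${ALIAS:-mqipt}"
DNAME="${DNAME:-CN=Test Certificate,OU=Sales,O=Example,C=US}"

# Returns 0 only for a key/signature combination acceptable for MQIPT use:
# RSA of at least 2048 bits (or EC of at least 256 bits) with a SHA-2 signature.
check_key_params() {
  case "$1" in
    RSA) [ "$2" -ge 2048 ] || return 1 ;;
    EC)  [ "$2" -ge 256 ]  || return 1 ;;
    *)   return 1 ;;
  esac
  case "$3" in
    SHA256with*|SHA384with*|SHA512with*) return 0 ;;
    *) return 1 ;;
  esac
}

# Shared keystore options; MQIPT keystores must be PKCS #12. The password comes from the
# environment so it does not appear in shell history or process listings.
ks() { mqiptKeytool "$@" -keystore "$KEYSTORE" -storetype pkcs12 -storepass "$MQIPT_STOREPASS"; }

# Step 1: key pair plus self-signed placeholder certificate under the alias.
gen_keypair() {
  check_key_params "$1" "$2" "$3" || { echo "refusing weak key parameters: $1 $2 $3" >&2; return 1; }
  ks -genkeypair -alias "$ALIAS" -dname "$DNAME" -keyalg "$1" -keysize "$2" -sigalg "$3"
}

# Step 2: PKCS #10 CSR for the same alias, to be sent to the CA.
make_csr() { ks -certreq -alias "$ALIAS" -file "${1:-cert.req}"; }

# Step 3: import the CA certificate as a trusted certificate under its own alias. keytool
# validates a CA reply against trusted certificates already in the keystore, so a reply from
# a private CA cannot be imported until its issuer is present.
import_ca() { ks -importcert -alias "${2:-rootCA}" -file "$1"; }

# Step 4: import the CA reply against the key pair's alias so it replaces the self-signed
# certificate instead of being stored as a separate trusted certificate.
import_reply() { ks -importcert -alias "$ALIAS" -file "$1"; }

case "${1:-}" in
  gen)   gen_keypair RSA 2048 SHA256withRSA ;;
  csr)   make_csr "${2:-cert.req}" ;;
  ca)    import_ca "${2:?CA certificate file}" ;;
  reply) import_reply "${2:?CA reply file}" ;;
esac
```

Run it as `MQIPT_STOREPASS=... ./mqipt-cert.sh gen`, then `csr`, `ca ca.crt` and `reply cert.crt` in that order.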