runmqakm and runmqktool commands on AIX, Linux, and Windows

On AIX®, Linux®, and Windows systems, use the runmqakm (GSKCapiCmd) or runmqktool (keytool) commands to manage keys and certificates.

[MQ 9.4.0 Jun 2024] Note:

From IBM® MQ 9.4.0, the runmqckm and strmqikm commands are removed. The runmqktool command can be used instead of the runmqckm command to manage PKCS #12 and JKS key repositories. There is no replacement for the strmqikm GUI.

The runmqckm and runmqktool commands have the following important differences:
  • The runmqktool command does not support stash files to store key repository passwords. The password to access a key repository must always be provided to the runmqktool command when it is run, either as a parameter to the command, or in response to a prompt issued by the command.
  • The runmqktool command does not support CMS key repositories. Therefore, to export a certificate from a JKS to a CMS key repository, you must complete the following steps:
    1. Use the runmqktool -importkeystore command to copy the certificate from the JKS key repository to an intermediate PKCS #12 key repository. For more information about exporting a certificate, see Exporting a personal certificate from a key repository on AIX, Linux, and Windows.
    2. Use the runmqakm -cert -import command to import the certificate from the intermediate PKCS #12 key repository to the CMS key repository. For more information about importing a certificate, see Importing a personal certificate into a key repository on AIX, Linux, and Windows.
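
The two-step JKS-to-CMS procedure above, written as a POSIX shell function for AIX and Linux. This is an added example, not a script from IBM MQ: the file names, the label and the JKS_PW, P12_PW and KDB_PW variables are placeholders, and it assumes mktemp is available.

```shell
#!/bin/sh
# Added example: JKS -> intermediate PKCS #12 -> CMS, following the two steps above.
# File names, the label and the *_PW variables are placeholders, not IBM MQ values.

# Run a command, or with DRY_RUN set print it with password values masked.
run() {
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
        return
    fi
    line='' mask=''
    for a in "$@"; do
        if [ -n "$mask" ]; then a='****'; mask=''; fi
        case $a in -pw|-target_pw|-srcstorepass|-deststorepass) mask=1 ;; esac
        line="$line${line:+ }$a"
    done
    printf '%s\n' "$line"
}

# Usage: jks_to_cms JKS_FILE LABEL CMS_KDB
# Expects JKS_PW, P12_PW and KDB_PW to be set by the caller.
jks_to_cms() {
    jks=$1 label=$2 kdb=$3
    old_umask=$(umask)
    umask 077                          # intermediate file holds the private key
    workdir=$(mktemp -d) || return 1
    p12="$workdir/intermediate.p12"
    rc=0
    # Step 1: runmqktool does not support CMS, so copy the entry to PKCS #12.
    # Leaving out the two password options makes runmqktool prompt instead.
    run runmqktool -importkeystore \
        -srckeystore "$jks" -srcstoretype jks -srcstorepass "$JKS_PW" \
        -srcalias "$label" -destalias "$label" \
        -destkeystore "$p12" -deststoretype pkcs12 -deststorepass "$P12_PW" || rc=$?
    # Step 2: runmqakm reads the PKCS #12 file and writes the CMS repository.
    if [ "$rc" -eq 0 ]; then
        run runmqakm -cert -import -file "$p12" -type pkcs12 -pw "$P12_PW" \
            -label "$label" -target "$kdb" -target_type cms -target_pw "$KDB_PW" || rc=$?
    fi
    rm -rf "$workdir"                  # do not leave the exported key on disk
    umask "$old_umask"
    return "$rc"
}
```

Set DRY_RUN=1 to review the two command lines before running them. Passwords given as parameters are visible in the process list while the commands run.
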
The following IBM MQ commands can be used to manage keys and certificates:
runmqakm
  • Provides functions that are similar to those of gskitcapicmd.
  • Supports CMS and PKCS #12 key repositories.
  • Supports the creation of a stash file to store the encrypted key repository password.
  • Certified as FIPS 140-2 compliant, and can be configured to operate in a FIPS-compliant manner with the -fips parameter.
[MQ 9.4.0 Jun 2024] runmqktool
  • Provides functions that are similar to those of the Java keytool command.
  • Supports PKCS #12, JKS, and JCEKS key repositories.
  • Requires that the IBM MQ Java runtime environment (JRE) component is installed.
If you need to manage certificates in a way that is FIPS-compliant, use the runmqakm command.

For more information about the runmqakm command, see runmqakm.

[MQ 9.4.0 Jun 2024] For more information about the runmqktool command, see runmqktool.

The topics in this section contain examples of how these commands are used to complete common certificate management tasks.