[AIX, Linux, Windows]

runmqakm and runmqktool commands on AIX, Linux, and Windows

On AIX®, Linux®, and Windows systems, use the runmqakm (GSKCapiCmd) or runmqktool (keytool) commands to manage keys and certificates.

[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Note:

From IBM® MQ 9.4.0, the runmqckm and strmqikm commands are removed. The runmqktool command can be used instead of the runmqckm command to manage PKCS #12 and JKS key repositories. There is no replacement for the strmqikm GUI.

The runmqckm and runmqktool commands have the following important differences:
  • The runmqktool command does not support stash files to store key repository passwords. The password to access a key repository must always be provided to the runmqktool command when it is run. Specify the password either as a parameter to the command, or in response to a prompt issued by the command.
  • The runmqktool command does not support CMS key repositories. Therefore, to export a certificate from a JKS to a CMS key repository, you must complete following steps:
    1. Use the runmqktool -importkeystore command to copy the certificate from the JKS key repository to an intermediate PKCS #12 key repository. For more information about exporting a certificate, see Exporting a personal certificate from a key repository on AIX, Linux, and Windows.
    2. Use the runmqakm -cert -import command to import the certificate from the intermediate PKCS #12 key repository to the CMS key repository. For more information about importing a certificate, see Importing a personal certificate into a key repository on AIX, Linux, and Windows.
  • The runmqktool command cannot create a new, empty, key repository. A new key repository is created when the command is used to create a certificate, or add a certificate to a key repository. If the key repository that is specified on the command does not exist, it is created when the command runs.
The following IBM MQ commands can be used to manage keys and certificates:
runmqakm
  • Provides functions that are similar to those of gskitcapicmd.
  • Supports CMS and PKCS #12 key repositories.
  • Supports the creation of a stash file to store the encrypted key repository password.
  • Certified as FIPS 140-2 compliant, and can be configured to operate in a FIPS-compliant manner with the -fips parameter.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]runmqktool
  • Provides functions that are similar to those of the Java keytool command.
  • Supports PKCS #12, JKS, and JCEKS key repositories.
  • Requires that the IBM MQ Java runtime environment (JRE) component is installed.
If you need to manage certificates in a way that is FIPS-compliant, use the runmqakm command.

For more information about the runmqakm command, see runmqakm -cert, runmqakm -certreq, runmqakm -keydb, and runmqakm -secretkey.

[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]For more information about the runmqktool command, see runmqktool.

The topics in this section contain examples of how these commands are used to complete common certificate management tasks.