Structure of the keystore configuration file (keystore.conf) for AMS
The keystore configuration file (keystore.conf) points Advanced Message Security to the location of the appropriate keystore.
Each of the following configuration file types has a prefix:
- AMSCRED
- Parameters that relate to the password protection system.
- CMS
- Certificate Management System, configuration entries are prefixed with: cms.
- PKCS#11
- Public Key Cryptography Standard #11, configuration entries are prefixed with: pkcs11.
- PEM
- Privacy Enhanced Mail format, configuration entries are prefixed with: pem.
- JKS
- Java KeyStore, configuration entries are prefixed with: jks.
- JCEKS
- Java Cryptographic Encryption KeyStore, configuration entries are prefixed with: jceks.
- JCERACFKS
- Java Cryptographic Encryption RACF keyring KeyStore, configuration entries are prefixed with: jceracfks.
Important: From IBM® MQ 9.0 the
JCEKS.provider
and JKS.provider
values are ignored. The Bouncy
Castle provider is used, in conjunction with whichever JCE/JCE provision is supplied by the JRE in
use. For more information, see Support for non-IBM JREs with AMS.Example structures for keystores:
CMS
cms.keystore = /dir/keystore_file
cms.certificate = certificate_label
PKCS#11
pkcs11.library = dir\cryptoki.dll
pkcs11.certificate = certificatelabel
pkcs11.token = tokenlabel
pkcs11.token_pin = tokenpin
pkcs11.secondary_keystore = dir\signers
pkcs11.encrypted = no
PEM
pem.private = /dir/keystore_file_private_key
pem.public = /dir/keystore_file_public_keys
pem.password = password
pem.encrypted = no
Java JKS
jks.keystore = dir/Keystore
jks.certificate = certificate_label
jks.encrypted = no
jks.keystore_pass = password
jks.key_pass = password
Java JCEKS
jceks.keystore = dir/Keystore
jceks.certificate = certificate_label
jceks.encrypted = no
jceks.keystore_pass = password
jceks.key_pass = password
Java
JCERACFKS
jceracfks.keystore = safkeyring://user/keyring
jceracfks.certificate = certificate_label
Java PKCS#11
pkcs11.library = dir\cryptoki.dll
pkcs11.certificate = certificatelabel
pkcs11.token = tokenlabel
pkcs11.token_pin = tokenpin
pkcs11.secondary_keystore = dir\signers
pkcs11.secondary_keystore_pass = password
pkcs11.encrypted = no
Parameters | Required | Configuration file type | ||||
---|---|---|---|---|---|---|
Java (PKCS#11, JKS, JCEKS, and JCERACFKS) | PEM | PKCS#11 | CMS | AMSCRED | ||
keystore
|
||||||
private
|
||||||
public
|
||||||
password
|
||||||
library |
||||||
certificate
|
||||||
token |
||||||
token_pin |
||||||
secondary_keystore |
||||||
secondary_keystore_password |
||||||
encrypted
|
||||||
keystore_pass |
||||||
key_pass |
||||||
provider
|
||||||
keyfile |
You |
Note that you can add comments using the #
symbol.
Configuration file parameters are defined as follows:
-
keystore
- CMS and Java configuration only.
private
- PEM configuration only.
public
- PEM configuration only.
password
- PEM configuration only.
library
- PKCS#11 only.
-
certificate
- CMS, PKCS#11 and Java configuration only.
token
- PKCS#11 only.
token_pin
- PKCS#11 only.
secondary_keystore
- PKCS#11 only.
secondary_keystore_password
- Java PKCS#11 only.
-
encrypted
- Java configuration only.
-
keystore_pass
- Java configuration only.
-
key_pass
- Java configuration only.
keyfile
- Provides the location of the initial key to use when protecting or decrypting passwords contained in this configuration file; see Protecting passwords
-
provider
- Java configuration only.
Important: Information that is stored in the keystore is crucial for the secure flow of
data that is sent by using IBM MQ. Security
administrators must pay particular attention when they are assigning file permissions to these
files.
Protecting passwords
You should protect the passwords and other sensitive information contained in the keystore.conf file. See runamscred for more information.
Example of the keystore.conf file:
# Native AMS application configuration
cms.keystore = c:\Documents and Settings\Alice\AliceKeystore
cms.certificate = AliceCert
# Java AMS application configuration
jceks.keystore = c:/Documents and Settings/Alice/AliceKeystore
jceks.certificate = AliceCert
jceks.encrypted = no
jceks.keystore_pass = passw0rd
jceks.key_pass = passw0rd