runmqckm and runmqakm options

A table of the runmqckm and runmqakm options that can be present on the command line.

Note: IBM® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.

The meaning of an option can depend on the object and action specified in the command.

Table 1. Options that can be used with runmqckm and runmqakm
Option Description
-create Option to create a key database.
-crypto Name of the module to manage a PKCS #11 cryptographic device.

The value after -crypto is optional if you specify the module name in the properties file.

If you are using certificates or keys stored on PKCS #11 cryptographic hardware, note that iKeycmd and iKeyman are 32-bit programs. External modules required for PKCS #11 support will be loaded into a 32-bit process, therefore you must have a 32-bit PKCS #11 library installed for the administration of cryptographic hardware, and must specify this library to iKeycmd or iKeyman. The HP Itanium platform is the only exception, as the iKeyman program is 64-bit on the HP Itanium platform.
-db Fully qualified path name of a key database.
-default_cert Sets a certificate as the default certificate. The value can be yes or no. The default is no.
-dn X.500 distinguished name. The value is a string enclosed in double quotation marks, for example CN=John Smith,O=IBM,OU=Test,C=GB. Note that the CN, O, and C attributes are required.
-encryption Strength of encryption used in certificate export command. The value can be strong or weak. The default is strong.
-expire Expiration time in days of either a certificate or a database password. The default is 365 days for a certificate password.

There is no default time for a database password: use the -expire option to set a database password expiration time explicitly.

-file File name of a certificate or certificate request.
-fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-format Format of a certificate. The value can be ascii for Base64_encoded ASCII or binary for Binary DER data. The default is ascii.
-label Label attached to a certificate or certificate request. If the certificate is a personal certificate used to identify an IBM MQ client application or queue manager, the label must correspond to the IBM MQ certificate label (CERTLABL) setting, for more information, see Digital certificate labels, understanding the requirements.
-new_format New format of key database.
-new_label Used on a certificate import command, this option allows a certificate to be imported with a different label from the label it had in the source key database. If the certificate is a personal certificate used to identify an IBM MQ client application or queue manager, the label must correspond to the IBM MQ certificate label (CERTLABL) setting, for more information, see Digital certificate labels, understanding the requirements.
-new_pw New database password.
-old_format Old format of key database.
-pw Password for the key database or PKCS #12 file.
-secondaryDB Name of a secondary key database for PKCS #11 device operations.
-secondaryDBpw Password for the secondary key database for PKCS #11 device operations.
-showOID Displays the full certificate or certificate request.
-sig_alg The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request.

For runmqckm, the value can be MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA, SHA1WithRSA, SHA256_WITH_RSA, SHA256WithRSA, SHA2WithRSA, SHA384_WITH_RSA, SHA384WithRSA, SHA512_WITH_RSA, SHA512WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, or SHAWithRSA. The default value is SHA1WithRSA.

For runmqakm, the value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA.

-size Key size.

For runmqckm, the value can be 512, 1024, or 2048. The default value is 1024 bits.

For runmqakm, the value depends upon the signature algorithm:
  • For RSA signature algorithms (the default algorithm used if no -sig_alg is specified), the value can be 512, 1024, 2048, or 4096. An RSA key size of 512 bits is not permitted if the -fips parameter is enabled. The default RSA key size is 1024 bits.
  • For Elliptic Curve algorithms, the value can be 256, 384, or 512. The default Elliptic Curve key size depends upon the signature algorithm. For SHA256, it is 256; for SHA384, it is 384; and for SHA512, it is 512.
-stash Stash the key database password to a file.
Note: -stash is valid on -keydb -create commands to tell runmqckm/runmqakm to create a stash file containing the password.

Issuing the command $ runmqakm -help lists the high-level help parameters only.
-stashed Indicates password for the key database is in a stash file.
Note: The -stashed option is valid on calls apart from the -keydb -create commands. If you do not specify this option, you have to supply the password using -pw.

In addition, only when you instruct the command what kind of action you are performing does the detailed help showing -stashed appear.
-target Destination file or database.
-target_pw Password for the key database if -target specifies a key database.
-target_type Type of database specified by -target operand. See -type option for permitted values.
-tokenLabel Label of a PKCS #11 cryptographic device.
-trust Trust status of a CA certificate. The value can be enable or disable. The default is enable.
-type Type of database. The value can be any of the following values:
  • cms for a CMS key database
  • pkcs12 for a PKCS #12 file.
-x509version Version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
[V8.0.0.4 Oct 2015]-rfc3339 [V8.0.0.4 Oct 2015]Use this parameter to output the date in the RFC 3339 format for the runmqakm -cert -details command, which is of the following format: 

Not Before : 2015-08-26T08:53:37Z
Not After : 2016-08-26T08:53:37Z
Note that the -rfc3339 parameter has to appear in the command after the additional parameters: 

runmqakm -cert -details -db exampleDB -stashed -label 
          certficateLabel -rfc3339
Note: Properties provided with IBM Global Secure Toolkit (GSKit) relating to symmetric-key encryption -seckey option in the 'runmqckm' utility are ignored and not supported by IBM MQ.