IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Viewing and setting keystore and truststore runtime properties at broker level

Configure the message broker to refer to a keystore, a truststore, or both, before deploying any message flows that require policy sets or bindings for signature, encryption, or X.509 Authentication.

Keystores and truststores are both keystores. They differ only in the way they are used.
  • Put all private keys and public key certificates (PKC) in the keystore.
  • Put all trusted root certificate authority (CA) certificates in the truststore. These certificates are used to establish the trust of any inbound public key certificates.

The only supported type of store is Java™ keystore (JKS).

Each instance of a broker can be configured to refer to one keystore and one truststore.

The following properties of the broker registry component must be defined correctly for policy sets and bindings:

brokerKeystoreFile
  The directory and file location of the keystore.
brokerTruststoreFile
  The directory and file location of the truststore.

If you want to check what security properties you have set for a broker, use the mqsireportdbparms command.

Listing existing broker registry entries

To display all broker registry values, run the command:

mqsireportproperties broker_name -o BrokerRegistry -a

This returns entries like these:

BrokerRegistry=''
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile=''
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
  brokerTruststorePass='brokerTruststore::password'
  httpConnectorPortRange=''
  httpsConnectorPortRange=''

Updating the broker reference to a keystore

To update the broker reference to a keystore, use the following command:
mqsichangeproperties broker_name -o BrokerRegistry -n brokerKeystoreFile -v c:\keystore\server.keystore
Where c:\keystore\server.keystore is the keystore to be referenced.

Updating the broker reference to a truststore

To update the broker reference to a truststore, use the following command:
mqsichangeproperties broker_name -o BrokerRegistry -n brokerTruststoreFile -v c:\truststore\server.truststore
Where c:\truststore\server.truststore is the truststore to be referenced.

Updating the broker with the keystore password

Keystores and truststores normally require passwords for access. Use the mqsisetdbparms command to add these passwords to the broker runtime component. If you want to check a password that you have set, use the mqsireportdbparms command.
mqsisetdbparms broker_name -n brokerKeystore::password -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.

Updating the broker with the truststore password

To update the broker with the truststore password, use the following command:
mqsisetdbparms broker_name -n brokerTruststore::password -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.

Updating the broker with a private key password

Private keys in the keystore might have their own individual passwords. These can be configured based on the alias name that is specified for the key in the Policy sets and bindings editor. If a key password based on the alias is not found, the keystore password is used. The following command updates the broker with the private key password for the key whose alias is encKey.
mqsisetdbparms broker_name -n brokerTruststore::keypass::encKey -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.
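
After the steps above, the BrokerRegistry listing can be checked mechanically before any flow that needs policy sets or bindings is deployed. The shell functions below are an added example, not IBM code: the names registry_value and audit_broker_registry, the file-permission rule and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Audits the text printed by
#   mqsireportproperties broker_name -o BrokerRegistry -a

# Print the value of one property: the text between the single quotes.
registry_value() {   # $1 = property name; report text on stdin
  sed -n "s/^[[:space:]]*$1='\(.*\)'[[:space:]]*\$/\1/p" | head -n 1
}

# Print one finding per line; print nothing when the entries look usable.
audit_broker_registry() {   # $1 = report text
  for store in Keystore Truststore; do
    file=$(printf '%s\n' "$1" | registry_value "broker${store}File")
    type=$(printf '%s\n' "$1" | registry_value "broker${store}Type")
    if [ "$type" != "JKS" ]; then
      echo "broker${store}Type is '${type}'; only JKS is supported"
    fi
    if [ -z "$file" ]; then
      echo "broker${store}File is not set"
    elif [ ! -f "$file" ]; then
      echo "broker${store}File '${file}' is not a file on this host"
    elif [ -n "$(find "$file" \( -perm -004 -o -perm -002 \))" ]; then
      # Assumption: only the broker's own account should reach the stores.
      echo "broker${store}File '${file}' is readable or writable by other users"
    fi
  done
}

# Constructed sample: the unconfigured listing shown earlier on this page.
SAMPLE_REPORT="BrokerRegistry=''
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile=''
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
  brokerTruststorePass='brokerTruststore::password'"

audit_broker_registry "$SAMPLE_REPORT"
```

Run it on the broker host so that the file checks see the same paths the broker does; on the sample listing it reports that both file properties are not set.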

ab60250_.htm | Last updated Friday, 21 July 2017