Verify TLS/SSL key repository files


Error: TLS/SSL Key Repository attribute must not include the file extension .kdb

IBM MQ automatically appends the .kdb file extension to the TLS/SSL key repository location. If you explicitly include the .kdb extension in the attribute, IBM MQ looks for a key repository whose name ends in ".kdb.kdb".

Remove the file extension from the Key Repository attribute.

This test is valid only for queue managers on Windows, UNIX, and Linux.

Warning: SSL key repository file cannot be found

The TLS/SSL key repository file could not be found at the location specified in the queue manager's Key Repository attribute.

The key repository file must be accessible for the queue manager to use TLS/SSL. This is not an error if you are not intending to use TLS/SSL; this test is intended for use in environments where TLS/SSL is in use.

This test is run only against queue managers that are hosted on the local computer.

Warning: Stash file for TLS/SSL key repository cannot be found

The password stash file for the TLS/SSL key repository cannot be found at the location specified in the queue manager's Key Repository attribute.

On Windows, UNIX, and Linux computers, each key database file has an associated password stash file. This file holds encrypted passwords that allow programs to access the key database. The password stash file must be in the same directory as the key repository and must have the same file name as the key database, but with the suffix .sth.

The password stash file must be accessible for the queue manager to use TLS/SSL. This is not an error if you are not intending to use TLS/SSL; this test is intended for use in environments where TLS/SSL is in use.

This test is run only against queue managers that are hosted on the local computer.

Error: Access control incorrectly configured for TLS/SSL system file (<filename>)

Queue manager attribute SSLKeyRepository gives the directory and file name stem for the TLS/SSL system files used to support TLS/SSL channels running to and from that queue manager. These files are very important for the security of the queue manager, and access to them must be tightly controlled. On Windows the recommended maximum levels of access for these files are: full authority for BUILTIN\Administrators, NT AUTHORITY\SYSTEM, and one other user; and read authority for just <xxxxxxxx>\mqm and nothing else (<xxxxxxxx> represents a domain identifier).

The Access Control List (ACL) for (<filename>) has been obtained using the cacls command. It shows that access to the file is not sufficiently restricted.

This test is only run against local Windows queue managers.

Error: File permissions incorrect for TLS/SSL system file (<filename>)

Queue manager attribute SSLKeyRepository gives the directory and file name stem for the TLS/SSL system files used to support TLS/SSL channels running to and from that queue manager. These files are very important for the security of the queue manager, and access to them must be tightly controlled. On Linux the permissions on these files should be set to read and write for the file's owner, and to read for the file's group (-rw-r-----).

This test is only run against local Linux queue managers.
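The Linux/UNIX checks described in the tests above (the attribute must not end in .kdb, the key database and its .sth stash file must both exist beside each other, and both should be -rw-r----- or stricter) as one shell script. This is an added example written for this page, not IBM's own tooling: the function names check_key_repository and file_mode, the message wording, and the sample stem /var/mqm/qmgrs/QM1/ssl/key are this example's own choices.

```shell
#!/bin/sh
# Added example (not IBM MQ tooling): check one queue manager's SSLKeyRepository
# stem the way the Explorer tests describe. Prints one line per finding and
# returns the number of findings (0 means the repository passed every check).
#
# Assumed/constructed: function names, message text and the sample stem
# /var/mqm/qmgrs/QM1/ssl/key used in the usage comment at the bottom.

# Octal permission masks, converted to decimal so POSIX sh arithmetic can use them.
OWNER_RW=$(printf '%d' 0600)     # owner must keep read and write
EXCESS_BITS=$(printf '%d' 0027)  # group write or any access for others: not in -rw-r-----

# Permission bits of a file as a decimal integer (GNU stat first, BSD stat fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%OLp' "$1")
    printf '%d' "0$m"
}

check_key_repository() {
    stem="$1"
    findings=0

    # Test 1: the attribute is a stem; IBM MQ appends .kdb itself, so a stem that
    # already ends in .kdb would make it look for <stem>.kdb.kdb.
    case "$stem" in
        *.kdb)
            echo "ERROR: SSLKeyRepository '$stem' ends in .kdb; IBM MQ would look for '$stem.kdb'"
            findings=$((findings + 1)) ;;
    esac

    # Test 2: the key database must exist at <stem>.kdb.
    if [ ! -f "$stem.kdb" ]; then
        echo "WARNING: key repository file '$stem.kdb' cannot be found"
        findings=$((findings + 1))
    fi

    # Test 3: the password stash file must sit in the same directory as <stem>.sth.
    if [ ! -f "$stem.sth" ]; then
        echo "WARNING: stash file '$stem.sth' cannot be found"
        findings=$((findings + 1))
    fi

    # Test 4: every file that does exist should be -rw-r----- (0640) or stricter.
    for f in "$stem.kdb" "$stem.sth"; do
        [ -f "$f" ] || continue
        perm=$(file_mode "$f")
        if [ $((perm & EXCESS_BITS)) -ne 0 ]; then
            echo "ERROR: '$f' is more permissive than -rw-r----- (mode $(printf '%o' "$perm"))"
            findings=$((findings + 1))
        elif [ $((perm & OWNER_RW)) -ne "$OWNER_RW" ]; then
            echo "ERROR: '$f' does not give its owner read and write access"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Usage: check_key_repository /var/mqm/qmgrs/QM1/ssl/key
```

Call check_key_repository with the value of the queue manager's SSLKeyRepository attribute (what `DISPLAY QMGR SSLKEYR` shows in runmqsc), without any extension; a non-zero return code is the number of findings printed. The script flags only permissions looser than -rw-r-----, so a repository set to 0600 passes, while the Windows ACL test from the page is not covered here because it needs cacls or icacls rather than stat.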

Warning: TLS/SSL system file (<filename>) is held on a non-NTFS file system

The test selected cannot determine the access control for the file because it is not held on an NTFS file system. You should consider whether it is adequately protected, as non-NTFS file systems tend to have weak access controls.