IBM MQ automatically appends a file extension to the TLS/SSL key repository location. So if you explicitly specify the .kdb file extension, IBM MQ looks for a key repository ending in ".kdb.kdb".
Remove the file extension from the Key Repository attribute.
This test is valid only for queue managers on Windows, UNIX, and Linux.
The TLS/SSL key repository file could not be found at the location specified in the queue manager's Key Repository attribute.
The key repository file must be accessible for the queue manager to use TLS/SSL. This is not an error if you are not intending to use TLS/SSL; this test is intended for use in environments where TLS/SSL is in use.
This test is run only against queue managers that are hosted on the local computer.
The password stash file for the TLS/SSL key repository cannot be found at the location specified in the queue manager's Key Repository attribute.
On Windows, UNIX, and Linux computers, each key database file has an associated password stash file. This file holds encrypted passwords that allow programs to access the key database. The password stash file must be in the same directory as the key repository and must have the same file name as the key database but with the suffix .sth.
The password stash file must be accessible for the queue manager to use TLS/SSL. This is not an error if you are not intending to use TLS/SSL; this test is intended for use in environments where SSL is in use.
This test is run only against queue managers that are hosted on the local computer.
Queue manager attribute SSLKeyRepository gives the directory and file name stem for the TLS/SSL system files used to support TLS/SSL channels running to and from that queue manager. These files are very important for the security of the queue manager and access to them must be tightly controlled. On Windows the recommended maximum levels of access for these files are: full authority for BUILTIN\Administrators, NT AUTHORITY\SYSTEM, and one other user; and read authority for just <xxxxxxxx>\mqm and nothing else (<xxxxxxxx> represents a domain identifier).
The Access Control List (ACL) for (<filename>) has been obtained using the cacls command. It shows that access to the file is not sufficiently restricted.
This test is only run against local Windows queue managers.
Queue manager attribute SSLKeyRepository gives the directory and file name stem for the TLS/SSL system files used to support TLS/SSL channels running to and from that queue manager. These files are very important for the security of the queue manager and access to them must be tightly controlled. On Linux the permissions on these files should be set to read and write for the file's owner, and to read for the file's group (-rw-r-----).
This test is only run against local Linux queue managers.
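The checks described above for a local Linux queue manager can be reproduced by hand. The following script is an added example, not IBM MQ code: the function name check_keyrepo is hypothetical, it takes the Key Repository attribute value as its argument, it relies on GNU stat, and it assumes -rw-r----- is an upper bound, so a stricter mode such as 600 passes.

```shell
#!/bin/sh
# check_keyrepo STEM  (hypothetical helper, not an IBM MQ command)
# STEM is the Key Repository attribute value: directory plus file name stem.
# Prints one finding per line and returns 0 only when there are no findings.
check_keyrepo() {
    stem=$1
    rc=0
    # IBM MQ appends the extension itself, so a value ending in .kdb makes
    # it look for "<stem>.kdb.kdb". Report it, then keep checking the stem.
    case $stem in
        *.kdb)
            echo "WARN: attribute ends in .kdb; IBM MQ would look for ${stem}.kdb"
            stem=${stem%.kdb}
            rc=1
            ;;
    esac
    # The key database and its password stash file share directory and name.
    for ext in kdb sth; do
        f="${stem}.${ext}"
        if [ ! -f "$f" ]; then
            echo "FAIL: $f not found"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")    # GNU stat: octal mode, e.g. 640
        # 0137 = every permission bit outside rw-r----- (assumed upper bound).
        if [ $(( 0$mode & 0137 )) -ne 0 ]; then
            echo "FAIL: $f has mode $mode, broader than 640 (-rw-r-----)"
            rc=1
        fi
    done
    return $rc
}

# Run against a stem given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_keyrepo "$1"
fi
```
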
The test selected cannot determine the access control for the file because it is not held on an NTFS file system. You should consider whether it is adequately protected, as non-NTFS file systems tend to have weak access controls.