WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
See information about the latest product version
Viewing and setting keystore and truststore runtime properties at broker level
Configure the message broker to refer to a keystore, a truststore, or both, before deploying any message flows that require policy set or bindings for signature, encryption, or X.509 Authentication.
Keystores and truststores are both keystores. They differ only in the way they are used.
- Put all private keys and public key certificates (PKC) in the keystore.
- Put all trusted root certificate authority (CA) certificates in the truststore. These certificates are used to establish the trust of any inbound public key certificates.
The only supported type of store is Java™ keystore (JKS).
Each instance of a broker can be configured to refer to one keystore and one truststore.
The following properties of the broker registry component must be defined correctly for policy sets and bindings:
- brokerKeystoreFile: The directory and file location of the keystore.
- brokerTruststoreFile: The directory and file location of the truststore.
Listing existing broker registry entries
To display all broker registry values, run the command:
mqsireportproperties broker_name -o BrokerRegistry -a
This returns entries like these:
BrokerRegistry=''
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile=''
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile=''
brokerTruststorePass='brokerTruststore::password'
httpConnectorPortRange=''
httpsConnectorPortRange=''
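A check that can be run over this listing before deploying flows that need policy sets or bindings. This is an added example, not IBM code: the function name and the finding labels are assumptions, and the sample input is the listing shown above.

```shell
#!/bin/sh
# Added example, not IBM code. Reads the output of
#   mqsireportproperties broker_name -o BrokerRegistry -a
# on stdin and reports store settings that policy sets and bindings cannot use.
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
audit_broker_registry() {
  awk -v q="'" '
    index($0, "=") == 0 { next }              # skip lines that are not key=value
    {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      gsub("^" q "|" q "$", "", val)          # drop the surrounding quotes
      seen[key] = 1; prop[key] = val
    }
    END {
      n = split("brokerKeystoreFile brokerTruststoreFile", files, " ")
      for (i = 1; i <= n; i++) {
        k = files[i]
        if (!(k in seen))       { print "MISSING " k; bad = 1 }
        else if (prop[k] == "") { print "UNSET " k;   bad = 1 }
      }
      # JKS is the only store type the page lists as supported.
      n = split("brokerKeystoreType brokerTruststoreType", types, " ")
      for (i = 1; i <= n; i++) {
        k = types[i]
        if ((k in seen) && prop[k] != "JKS") {
          print "UNSUPPORTED_TYPE " k "=" prop[k]; bad = 1
        }
      }
      exit bad + 0
    }'
}

# Sample input: the listing shown above, where neither store file is set yet.
sample_report() {
  cat <<'EOF'
BrokerRegistry=''
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile=''
brokerTruststoreType='JKS'
brokerTruststoreFile=''
EOF
}

sample_report | audit_broker_registry || echo "broker registry needs attention"
```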
Updating the broker reference to a keystore
To update the broker reference to a keystore, use the following command:
mqsichangeproperties broker_name -o BrokerRegistry -n brokerKeystoreFile -v c:\keystore\server.keystore
Where c:\keystore\server.keystore is the keystore to be referenced.
Updating the broker reference to a truststore
To update the broker reference to a truststore, use the following command:
mqsichangeproperties broker_name -o BrokerRegistry -n brokerTruststoreFile -v c:\truststore\server.truststore
Where c:\truststore\server.truststore is the truststore to be referenced.
Updating the broker with the keystore password
Keystores and truststores normally require passwords for access. Use the mqsisetdbparms command to add these passwords to the broker runtime component.
mqsisetdbparms broker_name -n brokerKeystore::password -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.
Updating the broker with the truststore password
To update the broker with the truststore password, use the following command:
mqsisetdbparms broker_name -n brokerTruststore::password -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.
Updating the broker with a private key password
Private keys in the keystore might have their own individual passwords. These can be configured based on the alias name that is specified for the key in the Policy sets and bindings editor. If a key password based on the alias is not found, the keystore password is used. The following command updates the broker with the private key password for the key whose alias is encKey.
mqsisetdbparms broker_name -n brokerTruststore::keypass::encKey -u temp -p pa55word
The user ID, which can be any value, is not required to access the keystore.