Viewing and setting keystore and truststore runtime properties at execution group level
Configure an execution group to refer to a keystore, a truststore, or both, before deploying any message flows that require policy set or bindings for signature, encryption, or X.509 Authentication.
An execution group is a named grouping of message flows that have been assigned to a broker. The broker enforces a degree of isolation between message flows in distinct execution groups by ensuring that they run in separate address spaces, or as unique processes. For more information about execution groups, see Execution groups.
Execution group keystore and truststore runtime property values override equivalent property values on the broker, if any are set.
Keystores can contain two kinds of entries: key entries and trusted certificate entries. If a keystore is used to contain trusted certificates, it is typically referred to as a truststore. WebSphere® Message Broker can refer to a keystore and a truststore per execution group. When the broker is encrypting or decrypting, it uses entries in its keystore; if the broker is verifying a signature or performing X.509 authentication, it uses entries in its truststore.
Displaying execution group level properties
To display execution group level properties, run the command:
mqsireportproperties broker_name -o ComIbmJVMManager -a -e execution_group
Updating the execution group reference to a keystore
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n keystoreFile -v c:\keystore\server.keystore,JKS
where c:\keystore\server.keystore,JKS is a Java™ keystore (JKS).
Updating the execution group reference to a truststore
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n truststoreFile -v c:\truststore\server.truststore
where c:\truststore\server.truststore is the truststore to be referenced.
Updating the keystore and truststore passwords
- To update the broker with the keystore password, see Updating the broker with the keystore password.
- To update the broker with the truststore password, see Updating the broker with the truststore password.
- To update the broker with a private key password, see Updating the broker with a private key password.
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n keystorePass -v execution_group::keystorePass
mqsisetdbparms broker_name -n execution_group::keystorePass -u na -p password
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n truststorePass -v execution_group::truststorePass
mqsisetdbparms broker_name -n execution_group::truststorePass -u na -p password
Adding new certificates to a keystore or truststore
If you add new certificates to a keystore or truststore, to ensure that the new certificates are picked up, you must reload the Java virtual machine (JVM). You can reload the JVM by restarting the execution group.
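After running the commands above, the result can be checked from the mqsireportproperties output. The script below is an added example, not part of the IBM documentation: it verifies that every configured store has a password property pointing at the execution_group::keystorePass or execution_group::truststorePass reference used on this page. The name='value' report layout, the execution group name default, and the sample report are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit the keystore/truststore properties that
# mqsireportproperties shows for one execution group.
# Assumption: the report lists one property per line as name='value'.

# Constructed sample report, not captured from a real broker.
sample_report() {
cat <<'EOF'
ComIbmJVMManager
  keystoreFile='c:\keystore\server.keystore,JKS'
  keystorePass='default::keystorePass'
  truststoreFile='c:\truststore\server.truststore'
  truststorePass=''
EOF
}

# prop_value NAME: read a report on stdin, print the value of property NAME.
prop_value() {
  sed -n "s/^[[:space:]]*$1='\(.*\)'[[:space:]]*\$/\1/p"
}

# audit_store_props EXECUTION_GROUP: read a report on stdin. For each store
# that has a file configured, check that its password property holds the
# reference name used on this page (execution_group::keystorePass and
# execution_group::truststorePass). Returns non-zero if any check fails.
audit_store_props() {
  eg=$1
  report=$(cat)
  findings=0
  for store in keystore truststore; do
    file=$(printf '%s\n' "$report" | prop_value "${store}File")
    pass=$(printf '%s\n' "$report" | prop_value "${store}Pass")
    if [ -z "$file" ]; then
      echo "INFO: ${store}File is not set at execution group level"
      continue
    fi
    # The property value itself is never printed, in case it is a password.
    if [ "$pass" != "${eg}::${store}Pass" ]; then
      echo "FINDING: ${store}Pass does not reference ${eg}::${store}Pass"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# On a broker host, pipe the real command output in instead of sample_report:
#   mqsireportproperties broker_name -o ComIbmJVMManager -a -e default | audit_store_props default
sample_report | audit_store_props default || echo "review the findings above"
```

With the constructed sample, the truststore has a file configured but no password reference, so the audit reports one finding for truststorePass.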