Private registries

Certain security attributes, such as com.ibm.mqe.attributes.MQeWTLSCertAuthenticator, require an appropriate private registry, where the entity's private/public keys can be found, and, in some cases, the queue manager's public registry, where foreign entities' public keys can be found. This is the case when a security attribute uses a public/private key based algorithm to perform encryption/authentication.

There are two types of private registry: queue manager owned and queue owned. Each private registry stores only its owner's security credentials. The queue manager's credentials, however, can be shared by the queues it owns. For this reason, if the com.ibm.mqe.attributes.MQeWTLSCertAuthenticator authenticator is used, an additional parameter, "target registry", must also be set on the queue attribute to which the authenticator is attached. This parameter determines which registry supplies the credentials for authentication, and can have the value of either "Queue manager" or "Queue".

If "Queue manager" is specified, the credentials used are those of the queue manager owning the queue, and come from the private registry of the queue manager. The queue manager originally obtains these credentials through auto-registration with the mini-certificate server (see the relevant "Private Registry Service" section of the WebSphere MQ Everyplace Application Programming Guide for further details). This option is the recommended default.

If "Queue" is specified, the credentials used are those of the queue itself, and come from the private registry of the queue. The queue originally obtains these credentials through auto-registration with the mini-certificate server as well.

Please refer to the "Mini-certificate issuance service" section in the WebSphere MQ Everyplace Application Programming Guide for details of mini-certificate management.



© IBM Corporation 2002, 2003. All Rights Reserved