I tried to use strmqikm but it gave an exception.
You can use some of the runmqakm commands you know and love to access a certificate held in an HSM. For example,
the command to list the key databases (PKCS#11 tokens) available to the runmqakm command,
runmqakm -keydb -list -crypto /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Gives
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so : UserPIN (mytoken)
You can then use the token label UserPIN (mytoken) and the token PIN (-pw) to access the key store, for example
runmqakm -cert -list all -crypto /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -tokenlabel "UserPIN (mytoken)" -pw 12345678
gives
Certificates found
* default, - personal, ! trusted, # secret key
- my_key3
and
runmqakm -cert -details -crypto /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -tokenlabel "UserPIN (mytoken)" -pw 12345678 -label my_key3
displays the details of the certificate with label my_key3.
If the -tokenlabel was wrong or the -pw was wrong, I got the unhelpful messages
- CTGSK3026W The key file "pkcs11" does not exist or cannot be read.
- CTGSK2137W The label does not exist on the PKCS#11 device.
Create your certificate request
The following command creates a new RSA private-public key pair on the token and a PKCS#10 certificate request. The documentation for runmqakm says it supports RSA. If you want to use an elliptic curve key you will need to use an alternative method, for example openssl.
runmqakm -certreq -create -crypto /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -tokenlabel "UserPIN (mytoken)" -pw 12345678 -dn "cn=colin,o=SSS" -file runmq.csr -label runmqlab -size 1024
Sign it
openssl ca -config openssl-ca-user.cnf -policy signing_policy -md sha256 -cert carsa1024.pem -keyfile carsa1024.key.pem -out runmq.pem -in runmq.csr
Store it back into the HSM keystore
I could not get the runmqakm command to receive the signed certificate and store it into the HSM keystore.
runmqakm -cert -receive -crypto /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -tokenlabel "UserPIN (mytoken)" -file runmq.pem -pw 12345678
It failed with
CTGSK3034W The certificate request created for the certificate is not in the key database.
I could use
openssl x509 -inform pem -outform der -in runmq.pem -out runmq.der
pkcs11-tool --write-object runmq.der --type cert --label "runmqlab" -l --pin 12345678
The openssl command converts the certificate from .pem format to .der format, because pkcs11-tool requires DER input.
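The request, sign and store-back steps above, plus the label check from the earlier certificate listing, as an added Python wrapper around the post's commands (this is example code, not the post's own). The OpenSC module path, token label, key label, CA file names and output file names come from the post; the HSM_PIN environment variable, the 2048-bit key size (the post uses 1024), the sample listing and PEM inputs (constructed) and the helper names are assumptions of this example. The PEM-to-DER conversion is done in pure Python so the DER file can be sanity-checked before it is written to the token.

```python
"""Certificate request -> CA signature -> store back on the PKCS#11 token.

Added example wrapping the commands in the post; not the post's own code.
"""
import base64
import os
import re
import subprocess
from pathlib import Path

PKCS11_MODULE = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"   # from the post
TOKEN_LABEL = "UserPIN (mytoken)"                               # from the post

# Legend printed by `runmqakm -cert -list`: marker -> meaning.
CERT_MARKERS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret key"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample inputs (not captured from a real token).
SAMPLE_LISTING = ("Certificates found\n"
                  "* default, - personal, ! trusted, # secret key\n"
                  "-\tmy_key3\n!\tca_root\n")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def parse_cert_list(output):
    """Map each label in `runmqakm -cert -list all` output to its marker meaning."""
    labels = {}
    for line in output.splitlines():
        if re.match(r"^\s*\* default,", line):       # skip the legend line
            continue
        m = re.match(r"^\s*([*\-!#])\s+(\S.*?)\s*$", line)
        if m:
            labels[m.group(2)] = CERT_MARKERS[m.group(1)]
    return labels


def pem_to_der(pem_text, expected_type="CERTIFICATE"):
    """Pure-Python equivalent of `openssl x509 -inform pem -outform der`.

    `openssl ca -out` writes a human-readable dump before the PEM block, so the
    block is searched for; the header is checked so a CSR or key file handed
    over by mistake is never written to the token as a certificate.
    """
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group(1) != expected_type:
        raise ValueError(f"expected {expected_type}, found {m.group(1)}")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def der_outer_length(der):
    """Length of the outer DER SEQUENCE; raises if the bytes are not exactly
    one well-formed object (truncated or concatenated files are rejected)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    total = hdr + length
    if total != len(der):
        raise ValueError(f"DER object is {total} bytes but file has {len(der)}")
    return total


def _run(cmd):
    subprocess.run(cmd, check=True)


def _pin():
    # Assumption: the PIN is supplied via the environment rather than typed
    # into the script (runmqakm and pkcs11-tool still receive it as an argument).
    return os.environ["HSM_PIN"]


def list_certs():
    out = subprocess.run(["runmqakm", "-cert", "-list", "all", "-crypto", PKCS11_MODULE,
                          "-tokenlabel", TOKEN_LABEL, "-pw", _pin()],
                         check=True, capture_output=True, text=True).stdout
    return parse_cert_list(out)


def create_request(label, dn, csr_path):
    """runmqakm -certreq -create, refusing to reuse a label already on the token."""
    if label in list_certs():
        raise RuntimeError(f"label {label!r} already exists on the token")
    _run(["runmqakm", "-certreq", "-create", "-crypto", PKCS11_MODULE,
          "-tokenlabel", TOKEN_LABEL, "-pw", _pin(), "-dn", dn,
          "-file", str(csr_path), "-label", label, "-size", "2048"])


def sign_request(csr_path, cert_path, ca_config="openssl-ca-user.cnf"):
    _run(["openssl", "ca", "-config", ca_config, "-policy", "signing_policy",
          "-md", "sha256", "-cert", "carsa1024.pem", "-keyfile", "carsa1024.key.pem",
          "-in", str(csr_path), "-out", str(cert_path)])


def store_certificate(label, cert_path):
    """The post's workaround for CTGSK3034W: write the DER certificate with
    pkcs11-tool under the same label as the key instead of -cert -receive."""
    der = pem_to_der(Path(cert_path).read_text())
    der_outer_length(der)
    der_path = Path(cert_path).with_suffix(".der")
    der_path.write_bytes(der)
    _run(["pkcs11-tool", "--module", PKCS11_MODULE, "--login", "--pin", _pin(),
          "--write-object", str(der_path), "--type", "cert", "--label", label])


if __name__ == "__main__":
    create_request("runmqlab", "cn=colin,o=SSS", "runmq.csr")
    sign_request("runmq.csr", "runmq.pem")
    store_certificate("runmqlab", "runmq.pem")
```

The DER check matters because pkcs11-tool writes whatever bytes it is given: a PEM file converted by hand, or a file with two concatenated certificates, would be stored on the token and only fail later when strmqikm or the queue manager tries to read it back.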
Using strmqikm – the theory
If you want to use the strmqikm GUI, you have to configure the java.security file. For example, edit /opt/mqm/java/jre64/jre/lib/security/java.security and add the next security.provider entry to the list.
security.provider.12=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /home/colinpaice/mq/nitrokey.cfg
Where /home/colinpaice/mq/nitrokey.cfg is the configuration file, with
name = nitrokey
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
slot=0
You can then use Ctrl+O, which brings up a pop-up with “Key database type”. This list should include PKCS11Config; if not, check your java.security file. Select it, leave File Name and Location empty, and click “OK”. It then pops up “Open Cryptographic Token” with the “Token Label” value taken from the configuration file’s name = nitrokey. This is strange, as the runmqakm command uses a token label of “UserPIN (mytoken)”.
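The java.security edit and the PKCS#11 configuration file described above, automated as an added Python example (not from the original post). The provider class name, the java.security path, the nitrokey.cfg path and its keys are those in the post; the function names, the contiguity check on the provider indexes, the backup file and the constructed java.security text used for testing are this example's own assumptions.

```python
"""Register the IBMPKCS11Impl provider in java.security for strmqikm.

Added example, not from the original post: it automates the edit the post
describes by hand and checks the PKCS#11 configuration file it points to.
"""
import re
import shutil
from pathlib import Path

PROVIDER_CLASS = "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"   # from the post
PROVIDER_RE = re.compile(r"^[ \t]*security\.provider\.(\d+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

# The configuration file shown in the post (values copied from it).
NITROKEY_CFG = """name = nitrokey
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
slot=0
"""


def parse_pkcs11_config(text, check_library_exists=False):
    """Parse the `key = value` file named on the provider line.

    `name` and `library` are required (strmqikm shows `name` as the token
    label, and `library` is the PKCS#11 module); `slot` defaults to 0. With
    check_library_exists=True the module path must exist on this host.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value
    for key in ("name", "library"):
        if not cfg.get(key):
            raise ValueError(f"'{key}' missing from PKCS#11 configuration")
    cfg.setdefault("slot", "0")
    if not cfg["slot"].isdigit():
        raise ValueError(f"slot must be numeric, got {cfg['slot']!r}")
    if check_library_exists and not Path(cfg["library"]).is_file():
        raise FileNotFoundError(cfg["library"])
    return cfg


def provider_indexes(java_security_text):
    """Indexes N of every security.provider.N line, sorted."""
    return sorted(int(m.group(1)) for m in PROVIDER_RE.finditer(java_security_text))


def add_pkcs11_provider(java_security_text, cfg_path):
    """Return java.security text with IBMPKCS11Impl appended at the next index.

    Refuses if the provider is already listed, or if the existing indexes are
    not contiguous from 1: the JDK loads security.provider.N in order and
    stops at the first missing N, so an entry placed after a gap is silently
    ignored, which looks exactly like "PKCS11Config is not in the list".
    """
    if PROVIDER_CLASS in java_security_text:
        raise ValueError("IBMPKCS11Impl is already configured")
    matches = list(PROVIDER_RE.finditer(java_security_text))
    if not matches:
        raise ValueError("no security.provider lines found")
    idx = sorted(int(m.group(1)) for m in matches)
    if idx != list(range(1, len(idx) + 1)):
        raise ValueError(f"security.provider indexes are not contiguous: {idx}")
    new_line = f"security.provider.{len(idx) + 1}={PROVIDER_CLASS} {cfg_path}"
    # Insert directly after the highest-numbered existing provider line.
    last = max(matches, key=lambda m: int(m.group(1)))
    end = last.end()
    return java_security_text[:end] + "\n" + new_line + java_security_text[end:]


def install_provider(java_security_path, cfg_path):
    """Validate the config, back up java.security, then rewrite it."""
    cfg_path = Path(cfg_path)
    parse_pkcs11_config(cfg_path.read_text(), check_library_exists=True)
    js = Path(java_security_path)
    updated = add_pkcs11_provider(js.read_text(), str(cfg_path))
    shutil.copy2(js, js.with_name(js.name + ".bak"))
    js.write_text(updated)
    return updated


if __name__ == "__main__":
    # Paths from the post; this rewrites the JRE's java.security in place
    # and leaves a .bak copy beside it.
    install_provider("/opt/mqm/java/jre64/jre/lib/security/java.security",
                     "/home/colinpaice/mq/nitrokey.cfg")
```

Validating the configuration file before touching java.security is deliberate: a provider line that points at a config with a missing library path, or a non-numeric slot, makes the IBMPKCS11Impl provider fail to initialise, and strmqikm then reports only that PKCS11Config is absent from its list.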
In practice…
I then got an exception java.lang.RuntimeException: PKCS11KeyStore.java: findSigner(): Failure while executing cobj.getX509Certificate(certFactory, session), and strmqikm ended.
One thought on “Using the runmqakm commands and an HSM (but not strmqikm).”