Change the Password for the Message Queue SSL Keystore

Implementation Guide › Changing CA Access Control Service Account Settings › Changing Message Queue Communication Settings › Change the Password for the Message Queue SSL Keystore

Change the Password for the Message Queue SSL Keystore

The Message Queue SSL keystore stores the server certificates that the Message Queue uses for SSL communication. When you change the password for the Message Queue SSL keystore, you update the public/private key pair that signs the server certificates.

You may need to regularly change the password for the Message Queue SSL keystore to comply with your organization's security and password policies.

Before you change the password for the Message Queue SSL keystore, note the following:

The default password is the communication password that you specify when you install CA Access Control Enterprise Management.
The password has the following limitations:
- Must be 6-50 characters long
- Must not contain high ASCII characters
- Must not contain double quotes ( " )
The password is stored in the following file, where ACServer is the directory in which you installed CA Access Control Enterprise Management:
```
ACServer/MessageQueue/conf/keystore.p12
```

Important! If you have more than one Distribution Server in your enterprise, first change the password on the Distribution Server installed on the Enterprise Management Server, then change the password on the other Distribution Servers in your enterprise. The Message Queue is part of the Distribution Server.

To change the password for the Message Queue SSL keystore

Stop the CA Access Control Message Queue service.
Open a command prompt window and navigate to the following directory, where JDK is the directory in which you installed the Java Development Kit:
```
JDK/bin
```
Run the following command:
```
keytool -genkey -keyalg RSA -keysize 1024 -keystore "keystore.p12" -storetype PKCS12 -dname "cn=acmq" -alias acmq -storepass "password" -keypass "password"
```
-genkey

Specifies that the command creates a key pair (public and private keys).

-keyalg RSA

Specifies to use the RSA algorithm to generate the key pair.

-keysize 1024

Specifies that the size of the generated key is 1024 bits.

-storetype PKCS12

Specifies that the generated key is in the PKCS12 file format.

-dname "cn=acmq"

Specifies that X.500 distinguished name for the generated certificate is acmq. This name is used in the issuer and subject fields of the certificate.

-alias acmq

Specifies to update the keystore entry names acmq.

-storepass "password"

Specifies the password that protects the Message Queue SSL keystore. The password must be identical to the password that you specify for the -keypass parameter.

-keypass "password"

Specifies the password that protects the private key of the new key pair. The password must be identical to the password that you specify for the -storepass parameter.

The keytool utility changes the password for the Message Queue SSL keystore.
Navigate to the following directory, where DistServer is the directory in which you installed the Distribution Server:
```
DistServer/MessageQueue/tibco/bin/ems
```
Run the following command:
```
tibemsadmin -mangle password 
```
The password for the SSL keystore is encrypted.

Tell Technical Publications how we can improve this information