WMQ AMS keystore
Can I use the same keystore and cert for AMS that my app already uses?
You can, but also have the option to use separate certs and/or keystores if you want. The keystore.conf file contains the details of the keystore and the label of the certificate that AMS will use for encrypting and signing messages. This can point to the same certificate as used by the application for making connections to WebSphere MQ, the same certificate the app server uses for SSL connections or an entirely separate keystore dedicated to AMS.
The key (excuse the pun) is to manage the keystores based on the security model required. The app server's keystore probably has a number of external-facing certificates in its trust store. For example, it might trust several commercial certificate authorities. The AMS keystore must contain the certificates of anyone who will be signing or encrypting messages that your app will consume, or who will be receiving encrypted messages from your app. Since these are usually internal-facing it might be worthwhile to use a separate keystore for AMS than the one used for external-facing entities. Otherwise the two different security models (internal-facing and external-facing) end up trusting each other's participants.
This is just one example and in general the idea is to construct the keystores based on the specific security model required and using a least-trust principle. You have to balance the cost of maintaining separate keystores against the extra security of maintaining individual ones.
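As an added illustration of the answer above (not part of the original post), here is what a keystore.conf for a Java/JMS application looks like when it follows the "dedicated AMS keystore" option. The key names (jks.keystore, jks.certificate, jks.encrypted, jks.keystore_pass, jks.key_pass, jks.provider) and the MQS_KEYSTORE_CONF variable are standard AMS settings; the paths, certificate labels and the CHANGE_ME password are placeholders I made up for the example.

```ini
# keystore.conf (Java client). AMS reads it from the user's home directory
# by default; set MQS_KEYSTORE_CONF to point at a different location.
#
# Dedicated AMS keystore, kept apart from the app server's SSL
# keystore/truststore so that the internal-facing AMS trust list
# (message signers and recipients) never mixes with the external-facing
# CA list.  Path is given without the .jks extension.
jks.keystore = /opt/app/security/ams/ams-keystore

# Label of this application's own certificate and private key, used by AMS
# to sign outgoing messages and decrypt incoming ones.  Counterparty
# certificates are imported into the same keystore as trusted entries only
# (public certificate, no private key).
jks.certificate = app_ams_cert

# Passwords are stored in the clear when jks.encrypted = no, so the file
# itself must be readable only by the application's user account.
jks.encrypted = no
jks.keystore_pass = CHANGE_ME
jks.key_pass = CHANGE_ME

# JCE provider name; IBMJCE for the IBM JRE, adjust for other runtimes.
jks.provider = IBMJCE

# The "reuse the app's existing keystore" option from the question is the
# same file with only the first two values changed, e.g. (placeholders):
# jks.keystore = /opt/app/security/app-keystore
# jks.certificate = app_mq_tls_cert
# Doing so makes every CA and partner cert already trusted for TLS a valid
# AMS signer as well, which is the cross-trust the answer warns about.
```

Whichever option is chosen, it is worth listing the keystore contents with keytool and confirming that the only private-key entry is the label named in jks.certificate and that every other entry is a counterparty you actually expect to exchange protected messages with.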