Connecting a client to a queue manager anonymously
Follow these sample instructions to modify a system with mutual authentication to allow a client to connect anonymously to a queue manager.
Scenario:
- Your queue manager and client (QM1 and C1) have been set up as in Use CA-signed certificates for mutual authentication of a client and queue manager.
- You want to change C1 so that it connects anonymously to QM1.
Procedure
- Remove the personal certificate from the key repository for C1, according to operating system: The certificate label is either ibmwebspheremq followed by your logon user ID in lowercase, or the value of the CERTLABL attribute. See Digital certificate labels.
- Restart the client application, or cause the client application to close and reopen all SSL/TLS connections.
- Allow anonymous connections on the queue manager by issuing the following command:
ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
Results
Key repositories and channels are changed as illustrated in Figure 1.
What to do next
At the server end of the channel, the presence of the peer name parameter value on the channel status display indicates that a client certificate has flowed.
Verify that the task has been completed successfully by issuing some DISPLAY commands. If the task was successful, the resulting output is similar to that shown in the following example:
From queue manager QM1, enter the following command:
DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI
The resulting output will be similar to the following example:
DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI
     5 : DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(C1.TO.QM1)                      CHLTYPE(SVRCONN)
   CONNAME(192.0.0.1)                      CURRENT
   SSLCERTI( )                             SSLPEER( )
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
The SSLCERTI and SSLPEER fields are empty, showing that C1 did not send a certificate.
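Once SSLCAUTH(OPTIONAL) is set, the same DISPLAY CHSTATUS output can be used to audit which running connections presented no certificate. The following is an added example, not part of the original page or of IBM MQ: it parses saved runmqsc output and lists the connections whose SSLPEER and SSLCERTI fields are both empty. The function names, the second channel (C2.TO.QM1), its address and its certificate names are constructed for illustration, and the check assumes the channels are TLS-enabled as in this scenario.

```python
import re

# Constructed sample of runmqsc output (not captured from a real system).
# The first record is the anonymous client from this page; the second is a
# hypothetical client that did send a certificate.
SAMPLE = """\
     5 : DISPLAY CHSTATUS(*) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(C1.TO.QM1)                      CHLTYPE(SVRCONN)
   CONNAME(192.0.0.1)                      CURRENT
   SSLCERTI( )                             SSLPEER( )
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
AMQ8417: Display Channel Status details.
   CHANNEL(C2.TO.QM1)                      CHLTYPE(SVRCONN)
   CONNAME(192.0.0.2)                      CURRENT
   SSLCERTI(CN=Example CA,O=Example)       SSLPEER(SERIALNUMBER=01,CN=C2,O=Example)
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
"""

# NAME(value) pairs; assumes values contain no ')' character.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_chstatus(text):
    """Split runmqsc output into one dict per AMQ8417 status record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8417"):
            current = {}
            records.append(current)
        elif current is not None:  # skip the command echo before the first record
            for name, value in ATTR.findall(line):
                current[name] = value.strip()
    return records


def anonymous_connections(text):
    """Return (channel, conname) for records with no peer name and no issuer."""
    return [
        (r.get("CHANNEL", ""), r.get("CONNAME", ""))
        for r in parse_chstatus(text)
        if not r.get("SSLPEER") and not r.get("SSLCERTI")
    ]


if __name__ == "__main__":
    for channel, conname in anonymous_connections(SAMPLE):
        print(f"no client certificate: {channel} from {conname}")
```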