TLS security protocols in IBM MQ

IBM MQ supports the Transport Layer Security (TLS) protocol to provide link level security for message channels and MQI channels.

Message channels and MQI channels can use the TLS protocol to provide link level security. A caller MCA is a TLS client and a responder MCA is a TLS server. IBM MQ supports Version 1.0 and Version 1.2 of the TLS protocol. We can specify the cryptographic algorithms that are used by the TLS protocol by supplying a CipherSpec as part of the channel definition.

Note: From IBM MQ Version 8.0.0, Fix Pack 2, the SSLv3 protocol and the use of some IBM MQ CipherSpecs is deprecated. For more information, see Deprecation: SSLv3 protocol.

We can use the SECPROT parameter to display the security protocol in use on a channel.

At each end of a message channel, and at the server end of an MQI channel, the MCA acts on behalf of the queue manager to which it is connected. During the TLS handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The IBM MQ code at the client end of an MQI channel acts on behalf of the user of the IBM MQ client application. During the TLS handshake, the IBM MQ code sends the user's digital certificate to the MCA at the server end of the MQI channel.

Queue managers and IBM MQ client users are not required to have personal digital certificates associated with them when they are acting as TLS clients, unless SSLCAUTH(REQUIRED) is specified at the server side of the channel.

Digital certificates are stored in a key repository. The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager's digital certificate. On an IBM MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user's digital certificate. Alternatively, an IBM MQ client application can specify its location in the KeyRepository field of the TLS configuration options structure, MQSCO, on an MQCONNX call. See the related topics for more information about key repositories and how to specify where they are located.


Support for TLS

IBM MQ provides support for TLS 1.0 and TLS 1.2 according to the platform you are using. For more information about the TLS protocol, refer to the information in the subtopics.

    IBM i
    TLS support is integral to the IBM i operating system.

    Java and JMS clients
    These clients use the JVM to provide TLS support.

    HP Integrity NonStop Server, UNIX, Linux , and Windows systems
    TLS support is installed with IBM MQ.

    z/OSĀ®
    TLS support is integral to the z/OS operating system. The TLS support on z/OS is known as System SSL.

For information about any prerequisites for IBM MQ TLS support, see System Requirements for IBM MQ.