Telemetry channel authentication using TLS
Connections between the MQTT client and the queue manager are always initiated by the MQTT client, so the MQTT client is always the TLS client. Authentication of the server by the client, and authentication of the MQTT client by the server, are both optional.
The client always attempts to authenticate the server, unless the client is configured to use a CipherSpec that supports anonymous connections. If that authentication fails, the connection is not established.
As an alternative to TLS, some kinds of Virtual Private Network (VPN), such as IPsec, authenticate the endpoints of an IP connection and encrypt each IP packet that flows between them. Once such a VPN connection is established, you have a trusted network, and you can connect MQTT clients to telemetry channels using plain TCP/IP over the VPN.
Server authentication using TLS authenticates the server to which you are about to send confidential information. The client checks the certificate chain sent by the server against the certificates in its truststore, or in the JRE cacerts store.
The JRE certificate store is a JKS file, cacerts, located in JRE InstallPath\lib\security\. It is installed with the default password changeit. You can store the certificates you trust either in the JRE certificate store or in a client truststore, but not in both: when the client is configured with its own truststore, the JRE store is not consulted. Use a client truststore if you want to keep the public certificates the MQTT client trusts separate from the certificates other Java applications use. Use the JRE certificate store if you want one common certificate store for all Java applications running on the client. If you decide to use the JRE certificate store, review the certificates it contains, because it ships with a large set of public certificate authorities, and make sure you trust every one of them.
You can modify the JSSE configuration by supplying a different trust provider, and you can customize a trust provider to perform additional checks on a certificate. In some OSGi environments in which the MQTT client is used, the environment supplies its own trust provider.
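The following is an added example, not code from the IBM MQ documentation or from the MQTT client itself. It shows the client side of the truststore and trust provider discussion above: the trust anchors are loaded either from a dedicated client truststore or, if none is given, from the JRE cacerts store (never both), the platform trust manager is wrapped with one extra check on the channel's certificate, and the resulting SSLContext is handed to an Eclipse Paho MqttClient. The Paho client library, the truststore path /etc/mqtt/client-truststore.jks, the host mq.example.com, port 8883, the issuer name and the topic are all assumptions for illustration.

```java
// Added example (not from the page): MQTT client authenticating a telemetry channel over TLS.
// Assumptions: Eclipse Paho Java client (1.2+) on the classpath, a JKS truststore holding the CA
// that signed the queue manager's channel certificate, and a channel listening on port 8883.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

public class TlsTelemetryClient {

    /** Trust anchors from an explicit client truststore, or from the JRE cacerts store when path is null. */
    static TrustManagerFactory trustManagers(String trustStorePath, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (trustStorePath == null) {
            tmf.init((KeyStore) null);          // JSSE falls back to <JRE>/lib/security/cacerts
            return tmf;
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        tmf.init(ts);                            // only this store is consulted; cacerts is ignored
        return tmf;
    }

    /** Customised trust provider: normal chain validation plus a check that the channel cert
     *  was issued by the CA we expect, so a stray but trusted CA in the store cannot vouch for it. */
    static X509TrustManager withIssuerCheck(X509TrustManager base, String expectedIssuerDn) {
        X500Principal expected = new X500Principal(expectedIssuerDn);
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                base.checkServerTrusted(chain, authType);   // standard PKIX validation first
                if (chain.length == 0 || !chain[0].getIssuerX500Principal().equals(expected)) {
                    throw new CertificateException("channel certificate not issued by " + expectedIssuerDn);
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                base.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
        };
    }

    static SSLContext sslContext(TrustManagerFactory tmf, String expectedIssuerDn) throws Exception {
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { base = (X509TrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509TrustManager from provider");
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // No client key manager: the server does not authenticate this client (optional per the page).
        ctx.init(null, new TrustManager[] { withIssuerCheck(base, expectedIssuerDn) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values; substitute the channel host/port, truststore and issuer for your deployment.
        TrustManagerFactory tmf = trustManagers("/etc/mqtt/client-truststore.jks", "changeit".toCharArray());
        SSLContext ctx = sslContext(tmf, "CN=Example Telemetry CA,O=Example");

        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(ctx.getSocketFactory());    // server authentication; no anonymous cipher suites
        opts.setHttpsHostnameVerificationEnabled(true);   // Paho 1.2+: certificate must name the host

        MqttClient client = new MqttClient("ssl://mq.example.com:8883", "telemetry-client-1", new MemoryPersistence());
        client.connect(opts);                             // fails if chain or issuer check fails
        client.publish("sensors/temperature", "21.5".getBytes(), 0, false);
        client.disconnect();
    }
}
```

The extra issuer check is one example of what a custom trust provider can do; a pinning check on the leaf certificate's public key, or a revocation check, would slot into the same wrapper. Passing null for the truststore path exercises the JRE cacerts fallback, which is why reviewing that store matters: every CA in it can then vouch for the channel.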
To authenticate the telemetry channel using TLS, configure the server, and the client.
- Telemetry channel configuration for channel authentication using TLS
The IBM MQ administrator configures telemetry channels at the server. Each channel is configured to accept TCP/IP connections on a different port number. TLS channels are configured with passphrase-protected access to a key file. If a TLS channel is defined with no passphrase or key file, the channel does not accept TLS connections.
- MQTT client configuration for channel authentication using TLS