Configure MQ Light clients with TLS

We can configure MQ Light clients to use TLS to protect data flowing across the network and to authenticate the identity of the queue manager the client connects to.

To use TLS for the connection from an MQ Light client to an AMQP channel, we must ensure the queue manager has been configured to use TLS. The topic "Configure TLS on queue managers" describes how to configure the keystore that a queue manager reads TLS certificates from.

When the queue manager has been configured with a keystore, we must configure the TLS attributes on the AMQP channel that clients will connect to. AMQP channels have four attributes related to TLS configuration as follows:

    SSLCAUTH
    The SSLCAUTH attribute is used to specify whether the queue manager should require an MQ Light client to present a client certificate to verify its identity.

    SSLCIPH
    The SSLCIPH attribute specifies the cipher the channel should use to encode data in the TLS flow.

    SSLPEER
    The SSLPEER attribute is used to specify the distinguished name (DN) a client certificate must match if a connection is to be allowed.

    CERTLABL
    The CERTLABL attribute specifies the certificate the queue manager should present to the client. The queue manager's keystore can contain multiple certificates. This attribute allows us to specify the certificate to be used for connections to this channel. If no CERTLABL is specified, the certificate in the queue manager key repository with the label corresponding to the queue manager CERTLABL attribute is used.

When we have configured the AMQP channel with the TLS attributes, we must restart the AMQP service using the following commands:

STOP SERVICE(SYSTEM.AMQP.SERVICE)
START SERVICE(SYSTEM.AMQP.SERVICE)
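
As an added example (not part of the original page), the four attributes described above can be set with a single MQSC command in runmqsc, followed by the service restart. The channel name MY.AMQP.TLS, the certificate label and the distinguished name are constructed values, and <CIPHERSPEC> is a placeholder for a CipherSpec name that your queue manager supports.

```mqsc
* Added example: constructed values, not from the original page.
*   MY.AMQP.TLS   - hypothetical AMQP channel that already exists
*   <CIPHERSPEC>  - placeholder for a CipherSpec supported by the queue manager
*   amqp-qm1-cert - constructed label of a certificate in the queue manager keystore
*
* SSLCAUTH(REQUIRED): the client must present a certificate to verify its identity.
* SSLPEER: the DN in the client certificate must match this value.
* CERTLABL: the certificate the queue manager presents on this channel.
ALTER CHANNEL(MY.AMQP.TLS) CHLTYPE(AMQP) +
      SSLCAUTH(REQUIRED) +
      SSLCIPH(<CIPHERSPEC>) +
      SSLPEER('CN=mqlight-client,O=Example Corp') +
      CERTLABL('amqp-qm1-cert')

* Restart the AMQP service after changing the TLS attributes.
STOP SERVICE(SYSTEM.AMQP.SERVICE)
START SERVICE(SYSTEM.AMQP.SERVICE)
```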

When an MQ Light client connects to an AMQP channel protected by TLS, the client verifies the identity of the certificate presented by the queue manager. To do this, we must configure the MQ Light client with a truststore containing the queue manager's certificate. The steps to do this vary depending on the MQ Light client we are using.
