Trust settings
A key ring contains a personal certificate that includes the signer certificate or chain of signer certificates.
There are two types of key rings used by MQIPT:
- Certificate Authority (CA) key ring
  This key ring contains trusted CA certificates that are used to validate certificates belonging to a remote peer. These CA certificates help to determine whether the remote peer is trustworthy. MQIPT supports both PKCS #12 format key ring files, and cryptographic hardware key stores that support the PKCS #11 interface, for storing CA certificates. The MQIPT CA key ring files are identified by the SSLClientCAKeyRing and SSLServerCAKeyRing route properties. Use of cryptographic hardware to access CA certificates is enabled by setting the SSLClientCAKeyRingUseCryptoHardware and SSLServerCAKeyRingUseCryptoHardware properties.
  The CA key ring on the SSL/TLS client side should contain a list of trusted CA certificates that will be used to authenticate the certificate sent from the server. If an SSL server route is configured for client authentication, the CA key ring on the SSL/TLS server side should contain a list of trusted CA certificates that will be used to authenticate the certificate sent from the client.
- Personal certificate key ring
  This key ring contains personal certificates that MQIPT uses to identify itself to a remote peer. When we generate a self-signed certificate or request a CA-signed certificate, we should do so by using the personal certificate key ring. MQIPT supports both PKCS #12 format key ring files, and cryptographic hardware key stores that support the PKCS #11 interface, for storing personal certificates. In MQIPT, personal certificate key ring files are identified by the SSLClientKeyRing and SSLServerKeyRing route properties. Use of cryptographic hardware to access personal certificates is enabled by setting the SSLClientKeyRingUseCryptoHardware and SSLServerKeyRingUseCryptoHardware properties.
  The key ring on the SSL/TLS server side should contain the MQIPT server's personal certificate. If client authentication is needed on an SSL client route, the key ring on the SSL/TLS client side should contain the client's personal certificate.
For client authentication, we must enable the SSLServerAskClientAuth property on the server side. The key ring on the client side should contain the client's personal certificate. The MQIPT key ring on the server side, identified by the SSLServerCAKeyRing property, should contain a list of trusted CA certificates that will be used to authenticate the client.
If we do not configure a CA key ring for a route, MQIPT will search for CA certificates in the personal certificate key ring instead, if one is configured. For example, if no value is set for SSLServerCAKeyRing, MQIPT will search for CA certificates in the key ring identified by SSLServerKeyRing.
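The following mqipt.conf fragment is an added example, not taken from the MQIPT documentation or product samples; it shows a server route that requires client authentication with a dedicated CA key ring, and a client route that relies on the fallback to the personal key ring for CA certificates. File paths, ports and host names are constructed placeholders, and ListenerPort, Destination, DestinationPort, SSLServer, SSLClient and the *KeyRingPW password properties are standard mqipt.conf route properties that this page does not itself describe.

```ini
# Added example (not from the MQIPT documentation). Paths, ports and host names
# are placeholders; the *KeyRingPW values point at password files and are
# placeholders too.

# Server-side route: MQIPT terminates TLS from connecting clients and requires
# each client to present a certificate.
[route]
Name=tls-in-with-client-auth
ListenerPort=1415
Destination=qmhost.example.internal
DestinationPort=1414
SSLServer=true
# Personal key ring: the certificate MQIPT presents to connecting clients.
SSLServerKeyRing=/var/mqipt/keys/server-personal.pfx
SSLServerKeyRingPW=/var/mqipt/keys/server-personal.pwd
# Dedicated CA key ring: only the CAs trusted to have signed client
# certificates. Keeping this separate from the personal key ring means the
# set of issuers that can authenticate a client is explicit and auditable.
SSLServerCAKeyRing=/var/mqipt/keys/client-trust.pfx
SSLServerCAKeyRingPW=/var/mqipt/keys/client-trust.pwd
# Request the client certificate and validate it against SSLServerCAKeyRing.
SSLServerAskClientAuth=true

# Client-side route: MQIPT initiates TLS to the destination. No
# SSLClientCAKeyRing is set, so MQIPT looks for CA certificates in the
# personal key ring named by SSLClientKeyRing (the fallback described above).
[route]
Name=tls-out-fallback-trust
ListenerPort=1416
Destination=partner-gateway.example.net
DestinationPort=1414
SSLClient=true
SSLClientKeyRing=/var/mqipt/keys/client-personal.pfx
SSLClientKeyRingPW=/var/mqipt/keys/client-personal.pwd
# To make the trusted issuers explicit instead of relying on the fallback,
# set a dedicated CA key ring:
# SSLClientCAKeyRing=/var/mqipt/keys/server-trust.pfx
# SSLClientCAKeyRingPW=/var/mqipt/keys/server-trust.pwd
```

With the fallback route, every CA certificate stored in client-personal.pfx becomes a trust anchor for the server's certificate, so review the contents of that key ring as carefully as a dedicated CA key ring.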
As an alternative to using certificates signed by a trusted CA, we can use self-signed certificates. We can find an example of a self-signed certificate in the sslSample.pfx sample key ring file provided with MQIPT in the samples/ssl subdirectory. To open the sample PKCS #12 key ring files, we must use the password mqiptSample.
Self-signed certificates can be useful in test scenarios where we must ensure SSL/TLS connectivity without paying a CA for a certificate. However, we should not use self-signed certificates in production environments. To create a CA-signed certificate, see Create a key ring file.
We can use a utility called mqiptkeyman, which is provided with MQIPT, to manage digital certificates and key stores. See mqiptKeyman and mqiptKeycmd for installation instructions and further information.
We must protect any key ring files and password files by using the security features of the operating system to prevent unauthorized access to them.