Transport Layer Security (TLS) support in IBM MQ classes for Java
IBM MQ classes for Java client applications support TLS encryption. You require a JSSE provider to use TLS encryption.
IBM MQ classes for Java client applications using TRANSPORT(CLIENT) support TLS encryption. TLS provides communication encryption, authentication, and message integrity. It is typically used to secure communications between any two peers on the Internet or within an intranet.
IBM MQ classes for Java uses Java Secure Socket Extension (JSSE) to handle TLS encryption, and so requires a JSSE provider. JSE v1.4 JVMs have a JSSE provider built in. Details of how to manage and store certificates can vary from provider to provider. For information about this, refer to your JSSE provider's documentation.
This section assumes that your JSSE provider is correctly installed and configured, and that suitable certificates have been installed and made available to your JSSE provider.
If the IBM MQ classes for Java client application uses a client channel definition table (CCDT) to connect to a queue manager, see Use a client channel definition table with IBM MQ classes for Java.
- Enable TLS in IBM MQ classes for Java
  To enable TLS, you specify a CipherSuite. There are two ways of specifying a CipherSuite.
- Use the distinguished name of the queue manager in IBM MQ classes for Java
  The queue manager identifies itself using a TLS certificate, which contains a distinguished name (DN). An IBM MQ classes for Java client application can use this DN to ensure that it is communicating with the correct queue manager.
- Use certificate revocation lists in IBM MQ classes for Java
  Specify the certificate revocation lists (CRLs) to use through the java.security.cert.CertStore class. IBM MQ classes for Java then checks certificates against the specified CRLs.
- Renegotiating the secret key in IBM MQ classes for Java
  An IBM MQ classes for Java client application can control when the secret key that is used for encryption on a client connection is renegotiated, in terms of the total number of bytes sent and received.
- Supplying a customized SSLSocketFactory in IBM MQ classes for Java
  If you use a customized JSSE Socket Factory, set MQEnvironment.sslSocketFactory to the customized factory object. Details vary between different JSSE implementations.
- Making changes to the JSSE keystore or truststore in IBM MQ classes for Java
  If you change the JSSE keystore or truststore, you must perform certain actions for the changes to take effect.
- Error handling when using TLS with IBM MQ classes for Java
  A number of reason codes can be issued by IBM MQ classes for Java when connecting to a queue manager using TLS.
- TLS CipherSpecs and CipherSuites in IBM MQ classes for Java
  The ability of IBM MQ classes for Java applications to establish connections to a queue manager depends on the CipherSpec specified at the server end of the MQI channel and the CipherSuite specified at the client end.
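The settings listed above, combined in one client connection, as an added example that is not taken from the IBM documentation. The host, port, channel, queue manager name, DN pattern, CRL path and CipherSuite value are constructed placeholders, and the JSSE default truststore is assumed to already hold the CA that signed the queue manager certificate.

```java
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.util.Collections;

public class MqTlsClient {
    public static void main(String[] args) throws Exception {
        // Load a CRL from disk and wrap it in a CertStore (placeholder path).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream("/path/to/ca.crl")) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(crl)));

        // Connection details: constructed placeholder values.
        MQEnvironment.hostname = "mq.example.test";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "APP.TLS.SVRCONN";

        // Setting a CipherSuite is what turns TLS on. Assumed value: it must
        // correspond to the CipherSpec on the server end of the channel.
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
        // Refuse to talk to a peer whose certificate DN does not match.
        MQEnvironment.sslPeerName = "CN=QM1,O=Example";
        // Check the queue manager certificate against the CRL loaded above.
        MQEnvironment.sslCertStores = Collections.singleton(crlStore);
        // Renegotiate the secret key after this many bytes sent and received.
        MQEnvironment.sslResetCount = 1000000;

        try {
            MQQueueManager qm = new MQQueueManager("QM1");
            System.out.println("Connected over TLS");
            qm.disconnect();
        } catch (MQException e) {
            // TLS failures surface as MQ reason codes; log them, do not retry in clear.
            System.err.println("Connect failed: completion code " + e.completionCode
                    + ", reason code " + e.reasonCode);
            throw e;
        }
    }
}
```

Leaving `sslPeerName` unset accepts any queue manager whose certificate chains to a trusted CA, so set it whenever the truststore contains a CA that signs certificates for more than one system.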