Use TLS with IBM MQ classes for JMS
IBM MQ classes for JMS applications can use Transport Layer Security (TLS) encryption. To do this they require a JSSE provider.
IBM MQ classes for JMS connections using TRANSPORT(CLIENT) support TLS encryption. TLS provides communication encryption, authentication, and message integrity. It is typically used to secure communications between any two peers on the Internet or within an intranet.
IBM MQ classes for JMS uses Java Secure Socket Extension (JSSE) to handle TLS encryption, and therefore requires a JSSE provider. JSE v1.4 JVMs have a JSSE provider built-in. Details of how to manage and store certificates can vary from provider to provider. For information about this, see your JSSE provider's documentation.
This section assumes that your JSSE provider is correctly installed and configured, and that suitable certificates have been installed and made available to your JSSE provider. You can now use JMSAdmin to set a number of administrative properties.
If the IBM MQ classes for JMS application uses a client channel definition table (CCDT) to connect to a queue manager, see Use a client channel definition table with IBM MQ classes for JMS.
- SSLCIPHERSUITE object property
  Set SSLCIPHERSUITE to enable TLS encryption on a ConnectionFactory object.
- SSLFIPSREQUIRED object property
  If you require a connection to use a CipherSuite that is supported by the IBM Java JSSE FIPS provider (IBMJSSEFIPS), set the SSLFIPSREQUIRED property of the connection factory to YES.
- SSLPEERNAME object property
  Use SSLPEERNAME to specify a distinguished name pattern, to ensure that your JMS application connects to the correct queue manager.
- SSLCERTSTORES object property
  Use SSLCERTSTORES to specify a list of LDAP servers to use for certificate revocation list (CRL) checking.
- SSLRESETCOUNT object property
  This property represents the total number of bytes sent and received by a connection before the secret key that is used for encryption is renegotiated.
- SSLSocketFactory object property
  To customize other aspects of the TLS connection for an application, create an SSLSocketFactory and configure JMS to use it.
- Making changes to the JSSE keystore or truststore
  If you make changes to the keystore or truststore, you must take certain actions for the changes to be picked up.
- TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS
  The ability of IBM MQ classes for JMS applications to establish connections to a queue manager depends on the CipherSpec specified at the server end of the MQI channel and the CipherSuite specified at the client end.
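The following added example (not taken from the IBM documentation) shows how several of the properties listed above fit together when they are set programmatically on an MQConnectionFactory instead of through JMSAdmin. The host name, port, queue manager, channel, CipherSuite, distinguished name pattern, reset count, truststore type and the MQ_TRUSTSTORE_PASSWORD variable are placeholder assumptions, and the IBM MQ classes for JMS must be on the classpath.

```java
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;
import javax.jms.Connection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Objects;

public class TlsJmsClient {
    // Build a socket factory that trusts only the CA certificates in one explicit truststore.
    static SSLSocketFactory socketFactory(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12"); // assumed truststore format
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server-authenticated TLS
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String pw = Objects.requireNonNull(System.getenv("MQ_TRUSTSTORE_PASSWORD"),
                "set MQ_TRUSTSTORE_PASSWORD"); // hypothetical variable name
        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT); // TLS applies to TRANSPORT(CLIENT)
        cf.setHostName("mq.example.com");                // placeholder endpoint
        cf.setPort(1414);
        cf.setQueueManager("QM1");
        cf.setChannel("APP.TLS.SVRCONN");
        // SSLCIPHERSUITE: must correspond to the CipherSpec at the server end of the channel.
        cf.setSSLCipherSuite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        // SSLPEERNAME: refuse a queue manager whose certificate DN does not match the pattern.
        cf.setSSLPeerName("CN=QM1*, O=Example");
        // SSLRESETCOUNT: renegotiate the secret key after this many bytes sent and received.
        cf.setSSLResetCount(10_000_000);
        // SSLSocketFactory: trust decisions come from the truststore given as args[0].
        cf.setSSLSocketFactory(socketFactory(args[0], pw.toCharArray()));

        Connection conn = cf.createConnection(); // TLS handshake happens here
        try { System.out.println("Connected over TLS to " + cf.getQueueManager()); }
        finally { conn.close(); }
    }
}
```

The CipherSuite name a JVM accepts for a given CipherSpec varies by JSSE provider, so check the value against your provider before relying on it.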