SSL properties for MFT

SSL properties for MFT

Some MFT properties files include SSL properties. We can use SSL or TLS with IBM MQ and Managed File Transfer to prevent unauthorized connections between agents and queue managers, and to encrypt message traffic between agents and queue managers.
The following MFT properties files include SSL properties:

The agent.properties file
The coordination.properties file
The command.properties file
The logger.properties file

For information about using SSL or TLS with Managed File Transfer, see Configure SSL or TLS encryption for MFT.

From IBM WebSphere MQ Version 7.5, we can use environment variables in some Managed File Transfer properties that represent file or directory locations. This allows the locations of files or directories that are used when running parts of the product to vary depending on environment changes, such as which user is running the process. For more information, see The use of environment variables in MFT properties.

SSL properties for the agent.properties file

The agent.properties file for an agent is in the MQ_DATA_PATH/mqft/config/coordination_qmgr_name/agents/agent_name directory. The properties that it contains include the following SSL properties:

Property name Description Default value

agentSslCipherSpec Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the agent and the agent queue manager.
The value of agentSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the agent queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.

agentSslCipherSpec is similar to agentSslCipherSuite. If both agentSslCipherSuite and agentSslCipherSpec are specified, the value of agentSslCipherSpec is used.
None

agentSslCipherSuite Specifies SSL aspects of how the agent and the agent queue manager exchange data.
The value of agentSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings.

agentSslCipherSuite is similar to agentSslCipherSpec. If both agentSslCipherSuite and agentSslCipherSpec are specified, the value of agentSslCipherSpec is used.
None

agentSslPeerName Specifies a distinguished name skeleton that must match the name that is provided by the agent queue manager. The distinguished name is used to check the identifying certificate that is presented by the queue manager on connection. None

agentSslTrustStore Specifies the location of the certificates that the agent trusts. The value of agentSslTrustStore is a file path. If it is a Windows file path the backslash character (\) must be escaped (\\).
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
None

agentSslKeyStore Specifies the location of the private key of the agent. The value of agentSslKeyStore is a file path. If it is a Windows file path the backslash character (\) must be escaped (\\). This property is only required if the agent queue manager requires client authentication.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
None

agentSslFipsRequired Specifies that we want to enable FIPS support at the level of the agent. The value of this property can be true or false. For more information, see FIPS support in MFT. false

agentSslKeyStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

agentSslKeyStoreCredentialsFile The path to the file that contains the agentSslKeyStore credential.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

agentSslTrustStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

agentSslTrustStoreCredentialsFile The path to the file that contains the agentSslTrustStore credential.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

SSL properties for the coordination.properties file

The coordination.properties file is located in the MQ_DATA_PATH/mqft/config/coordination_qmgr_name directory. The properties that it contains include the following SSL properties:

Property name Description Default value

coordinationSslCipherSpec Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the commands and the coordination queue manager.
The value of coordinationSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the coordination queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.

coordinationSslCipherSpec is similar to coordinationSslCipherSuite. If both coordinationSslCipherSuite and coordinationSslCipherSpec are specified, the value of coordinationSslCipherSpec is used.
None

coordinationSslCipherSuite Specifies SSL aspects of how the commands and the coordination queue manager exchange data.
The value of coordinationSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings.

coordinationSslCipherSuite is similar to coordinationSslCipherSpec. If both coordinationSslCipherSuite and coordinationSslCipherSpec are specified, the value of coordinationSslCipherSpec is used.
None

coordinationSslPeerName Specifies a distinguished name skeleton that must match the name that is provided by the coordination queue manager. The distinguished name is used to check the identifying certificate that is presented by the coordination queue manager on connection. None

coordinationSslTrustStore Specifies the location of the certificates that the commands trust. The value of coordinationSslTrustStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\).
From IBM WebSphere MQ Version 7.5 or later, the value of this property can contain environment variables.
None

coordinationSslTrustStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

coordinationSslTrustStoreCredentialsFile The path to the file that contains the coordinationSslTrustStore credentials.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

coordinationSslKeyStore Specifies the location of the private key of the commands. The value of coordinationSslKeyStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). This property is only required if the coordination queue manager requires client authentication.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
None

coordinationSslKeyStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

coordinationSslKeyStoreCredentialsFile The path to the file that contains the coordinationSslKeyStore credentials.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

coordinationSslFipsRequired Specifies that we want to enable FIPS support at the level of the coordination queue manager. The value of this property can be true or false. For more information, see FIPS support in MFT. false

SSL properties for the command.properties file

The command.properties file is located in the MQ_DATA_PATH/mqft/config/coordination_qmgr_name directory. The properties that it contains include the following SSL properties:

Property name Description Default value

connectionSslCipherSpec Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the commands and the command queue manager.
The value of connectionSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the command queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.

connectionSslCipherSpec is similar to connectionSslCipherSuite. If both connectionSslCipherSuite and connectionSslCipherSpec are specified, the value of connectionSslCipherSpec is used.
None

connectionSslCipherSuite Specifies SSL aspects of how the commands and the command queue manager exchange data.
The value of connectionSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings.

connectionSslCipherSuite is similar to connectionSslCipherSpec. If both connectionSslCipherSuite and connectionSslCipherSpec are specified, the value of connectionSslCipherSpec is used.
None

connectionSslPeerName Specifies a distinguished name skeleton that must match the name that is provided by the command queue manager. The distinguished name is used to check the identifying certificate that is presented by the command queue manager on connection. None

connectionSslTrustStore Specifies the location of the certificates that the commands trust. The value of connectionSslTrustStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\).
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
None

connectionSslTrustStoreType The type of SSL truststore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

connectionSslTrustStoreCredentialsFile The path to the file that contains the connectionSslTrustStore credentials.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

connectionSslKeyStore Specifies the location of the private key of the commands. The value of connectionSslKeyStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). This property is only required if the command queue manager requires client authentication.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
None

connectionSslKeyStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
jks

connectionSslKeyStoreCredentialsFile The path to the file that contains the connectionSslKeyStore credentials.
From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.
The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

connectionSslFipsRequired Specifies that we want to enable FIPS support at the level of the command queue manager. The value of this property can be true or false. For more information, see FIPS support in MFT. false

SSL properties for the logger.properties file
The logger.properties file is in the MQ_DATA_PATH/mqft/config/coordination_qmgr_name/loggers/logger_name directory. The properties required to support client mode connection to a logger queue manager include the following SSL properties:

Property name Description Default value

wmqfte.queue.manager.host Host name, or IP address, of logger queue manager. No default value

wmqfte.queue.manager.port Port on which the logger queue manager is listening. 1414

wmqfte.queue.manager.channel Name of the server connection channel on the logger queue manager. SYSTEM.DEF.SVRCONN

wmqfte.Ssl.CipherSuite
Specifies TLS aspects of how the logger and the logger queue manager exchange data.

The value of wmqfte.Ssl.CipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the logger queue manager channel.

For more information, see CipherSuite and CipherSpec name mappings.
No default value

wmqfte.Ssl.PeerName Specifies a distinguished name skeleton that must match the name that is provided by the logger queue manager. The distinguished name is used to check the identifying certificate that is presented by the queue manager on connection. No default value

wmqfte.Ssl.TrustStore Specifies the location of the certificates that the logger trusts. The value of wmqfte.Ssl.TrustStore is a file path.
If the file path is a Windows file path the backslash character (\) must be escaped with a further backslash character (\\).

Note that the value of this property can contain environment variables.
No default value

wmqfte.Ssl.TrustStoreCredentialsFile The path to the file that contains the wmqfte.Ssl.TrustStore credential.
Note that the value of this property can contain environment variables.
No default value

wmqfte.Ssl.TrustStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

wmqfte.Ssl.KeyStore Specifies the location of the private key of the logger. The value of wmqfte.Ssl.KeyStore is a file path.
If the file path is a Windows file path the backslash character (\) must be escaped with a further backslash character (\\).

Note that the value of this property can contain environment variables.
No default value

wmqfte.Ssl.KeyStore.CredentialsFile The path to the file that contains the wmqfte.Ssl.KeyStore credential.
Note that the value of this property can contain environment variables.
No default value

wmqfte.Ssl.KeyStoreType The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. jks

wmqfte.Ssl.FipsRequired Specifies that we want to enable FIPS support at the level of the logger. The value of this property can be true or false. For more information, see FIPS support in MFT. false

Parent topic: Managed File Transfer configuration reference

Related reference

The use of environment variables in MFT properties

Related information

MFT configuration options on Multiplatforms

Last updated: 2020-10-04

Property name	Description	Default value
agentSslCipherSpec	Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the agent and the agent queue manager. The value of agentSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the agent queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS. agentSslCipherSpec is similar to agentSslCipherSuite. If both agentSslCipherSuite and agentSslCipherSpec are specified, the value of agentSslCipherSpec is used.	None
agentSslCipherSuite	Specifies SSL aspects of how the agent and the agent queue manager exchange data. The value of agentSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings. agentSslCipherSuite is similar to agentSslCipherSpec. If both agentSslCipherSuite and agentSslCipherSpec are specified, the value of agentSslCipherSpec is used.	None
agentSslPeerName	Specifies a distinguished name skeleton that must match the name that is provided by the agent queue manager. The distinguished name is used to check the identifying certificate that is presented by the queue manager on connection.	None
agentSslTrustStore	Specifies the location of the certificates that the agent trusts. The value of agentSslTrustStore is a file path. If it is a Windows file path the backslash character (\) must be escaped (\\). From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	None
agentSslKeyStore	Specifies the location of the private key of the agent. The value of agentSslKeyStore is a file path. If it is a Windows file path the backslash character (\) must be escaped (\\). This property is only required if the agent queue manager requires client authentication. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	None
agentSslFipsRequired	Specifies that we want to enable FIPS support at the level of the agent. The value of this property can be true or false. For more information, see FIPS support in MFT.	false
agentSslKeyStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
agentSslKeyStoreCredentialsFile	The path to the file that contains the agentSslKeyStore credential. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.
agentSslTrustStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
agentSslTrustStoreCredentialsFile	The path to the file that contains the agentSslTrustStore credential. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.

Property name	Description	Default value
coordinationSslCipherSpec	Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the commands and the coordination queue manager. The value of coordinationSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the coordination queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS. coordinationSslCipherSpec is similar to coordinationSslCipherSuite. If both coordinationSslCipherSuite and coordinationSslCipherSpec are specified, the value of coordinationSslCipherSpec is used.	None
coordinationSslCipherSuite	Specifies SSL aspects of how the commands and the coordination queue manager exchange data. The value of coordinationSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings. coordinationSslCipherSuite is similar to coordinationSslCipherSpec. If both coordinationSslCipherSuite and coordinationSslCipherSpec are specified, the value of coordinationSslCipherSpec is used.	None
coordinationSslPeerName	Specifies a distinguished name skeleton that must match the name that is provided by the coordination queue manager. The distinguished name is used to check the identifying certificate that is presented by the coordination queue manager on connection.	None
coordinationSslTrustStore	Specifies the location of the certificates that the commands trust. The value of coordinationSslTrustStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). From IBM WebSphere MQ Version 7.5 or later, the value of this property can contain environment variables.	None
coordinationSslTrustStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
coordinationSslTrustStoreCredentialsFile	The path to the file that contains the coordinationSslTrustStore credentials. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.
coordinationSslKeyStore	Specifies the location of the private key of the commands. The value of coordinationSslKeyStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). This property is only required if the coordination queue manager requires client authentication. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	None
coordinationSslKeyStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
coordinationSslKeyStoreCredentialsFile	The path to the file that contains the coordinationSslKeyStore credentials. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.
coordinationSslFipsRequired	Specifies that we want to enable FIPS support at the level of the coordination queue manager. The value of this property can be true or false. For more information, see FIPS support in MFT.	false

Property name	Description	Default value
connectionSslCipherSpec	Specifies the protocol, hash algorithm, and encryption algorithm that is used, and how many bits are used in the encryption key, when data is exchanged between the commands and the command queue manager. The value of connectionSslCipherSpec is a CipherSpec name. This CipherSpec name is the same as the CipherSpec name used on the command queue manager channel. A list of valid CipherSpec names is included in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS. connectionSslCipherSpec is similar to connectionSslCipherSuite. If both connectionSslCipherSuite and connectionSslCipherSpec are specified, the value of connectionSslCipherSpec is used.	None
connectionSslCipherSuite	Specifies SSL aspects of how the commands and the command queue manager exchange data. The value of connectionSslCipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the agent queue manager channel. For more information, see CipherSuite and CipherSpec name mappings. connectionSslCipherSuite is similar to connectionSslCipherSpec. If both connectionSslCipherSuite and connectionSslCipherSpec are specified, the value of connectionSslCipherSpec is used.	None
connectionSslPeerName	Specifies a distinguished name skeleton that must match the name that is provided by the command queue manager. The distinguished name is used to check the identifying certificate that is presented by the command queue manager on connection.	None
connectionSslTrustStore	Specifies the location of the certificates that the commands trust. The value of connectionSslTrustStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	None
connectionSslTrustStoreType	The type of SSL truststore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
connectionSslTrustStoreCredentialsFile	The path to the file that contains the connectionSslTrustStore credentials. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.
connectionSslKeyStore	Specifies the location of the private key of the commands. The value of connectionSslKeyStore is a file path. If it is a Windows file path, the backslash character (\) must be escaped (\\). This property is only required if the command queue manager requires client authentication. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	None
connectionSslKeyStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	jks
connectionSslKeyStoreCredentialsFile	The path to the file that contains the connectionSslKeyStore credentials. From IBM WebSphere MQ Version 7.5, the value of this property can contain environment variables.	The default value for this property is %USERPROFILE%\MQMFTCredentials.xml on Windows and $HOME/MQMFTCredentials.xml on other platforms.
connectionSslFipsRequired	Specifies that we want to enable FIPS support at the level of the command queue manager. The value of this property can be true or false. For more information, see FIPS support in MFT.	false

Property name	Description	Default value
wmqfte.queue.manager.host	Host name, or IP address, of logger queue manager.	No default value
wmqfte.queue.manager.port	Port on which the logger queue manager is listening.	1414
wmqfte.queue.manager.channel	Name of the server connection channel on the logger queue manager.	SYSTEM.DEF.SVRCONN
wmqfte.Ssl.CipherSuite	Specifies TLS aspects of how the logger and the logger queue manager exchange data. The value of wmqfte.Ssl.CipherSuite is a CipherSuite name. The CipherSuite name maps to the CipherSpec name used on the logger queue manager channel. For more information, see CipherSuite and CipherSpec name mappings.	No default value
wmqfte.Ssl.PeerName	Specifies a distinguished name skeleton that must match the name that is provided by the logger queue manager. The distinguished name is used to check the identifying certificate that is presented by the queue manager on connection.	No default value
wmqfte.Ssl.TrustStore	Specifies the location of the certificates that the logger trusts. The value of wmqfte.Ssl.TrustStore is a file path. If the file path is a Windows file path the backslash character (\) must be escaped with a further backslash character (\\). Note that the value of this property can contain environment variables.	No default value
wmqfte.Ssl.TrustStoreCredentialsFile	The path to the file that contains the wmqfte.Ssl.TrustStore credential. Note that the value of this property can contain environment variables.	No default value
wmqfte.Ssl.TrustStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
wmqfte.Ssl.KeyStore	Specifies the location of the private key of the logger. The value of wmqfte.Ssl.KeyStore is a file path. If the file path is a Windows file path the backslash character (\) must be escaped with a further backslash character (\\). Note that the value of this property can contain environment variables.	No default value
wmqfte.Ssl.KeyStore.CredentialsFile	The path to the file that contains the wmqfte.Ssl.KeyStore credential. Note that the value of this property can contain environment variables.	No default value
wmqfte.Ssl.KeyStoreType	The type of SSL keystore we want to use. JKS and PKCS#12 keystores are supported. The value of this property can be either jks or pkcs12.	jks
wmqfte.Ssl.FipsRequired	Specifies that we want to enable FIPS support at the level of the logger. The value of this property can be true or false. For more information, see FIPS support in MFT.	false