Security reference

Use the reference information in this section to help you configure security for IBM MQ .

• The API exit
  An API exit is a program module that monitors or modifies the function of MQI calls. An API exit comprises multiple API exit functions, each with its own entry point in the module.
• The API-crossing exit
  An API-crossing exit is a program that monitors or modifies the function of MQI calls issued by CICS applications on z/OS .
• Certificate validation and trust policy design on UNIX, Linux and Windows systems
  IBM MQ validates TLS certificates according to two types of policy, basic, and standard. Standard policy checking conforms to RFC 5280.
• Managed File Transfer security reference
  Reference information to help you configure security for Managed File Transfer.
• Cryptographic hardware
  The way in which IBM MQ provides support for cryptographic hardware depends on which platform we are using.
• IBM MQ rules for SSLPEER values
  The SSLPEER attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of an IBM MQ channel. IBM MQ uses certain rules when comparing these values
• GSKit: Digital certificate signature algorithms compliant with FIPS 140-2
  The list of digital certificate signature algorithms in GSKit that are compliant with FIPS 140-2
• GSKit return codes used in AMS messages
  This topic describes the IBM Global Security Kit (GSKit) return codes that appear in some Advanced Message Security (AMS) messages.
• Migrating with AltGSKit from Version 7.0.1 to Version 7.1
  Perform this task only if we are migrating from IBM WebSphere MQ Version 7.0.1 using the AltGSKit configuration setting to load an alternative GSKit. The alternative GSKit used by IBM WebSphere MQ Version 7.0.1 with the AltGSKit setting is separate from the GSKit used by IBM WebSphere MQ Version 7.1; changes to each GSKit do not affect the other. This is because Version 7.1 uses a private local copy of GSKit in its installation directory and does not support the use of an alternative GSKit.
• CipherSpec mismatches
  Both ends of an IBM MQ TLS channel must use the same CipherSpec. Mismatches can be detected during the TLS handshake or during channel startup.
• Authentication failures
  There are a number common reasons for authentication failures during the TLS handshake.

Parent topic: IBM MQ Reference

Related concepts

• The API exit
• The API-crossing exit
• Certificate validation and trust policy design on UNIX, Linux and Windows systems
• Cryptographic hardware
• IBM MQ rules for SSLPEER values
• Migrating with AltGSKit from Version 7.0.1 to Version 7.1
• CipherSpec mismatches
• Authentication failures

Related reference

• GSKit: Digital certificate signature algorithms compliant with FIPS 140-2

Related information

• Overview of Advanced Message Security interception on message channels