SSL/TLS on the IBM MQ MQI client
IBM MQ supports TLS on clients. We can tailor the use of TLS in various ways.
IBM MQ provides TLS support for IBM MQ MQI clients on Windows, UNIX and Linux systems. If we are using IBM MQ classes for Java, see Use IBM MQ classes for Java and if we are using IBM MQ classes for JMS, see Use IBM MQ classes for JMS. The rest of this section does not apply to the Java or JMS environments.
We can specify the key repository for an IBM MQ MQI client either with the MQSSLKEYR value in the IBM MQ client configuration file, or when the application makes an MQCONNX call. We have three options for specifying that a channel uses TLS:
- Use a channel definition table
- Use the SSL configuration options structure, MQSCO, on an MQCONNX call
- Use the Active Directory (on Windows systems)
We cannot use the MQSERVER environment variable to specify that a channel uses TLS.
We can continue to run your existing IBM MQ MQI client applications without TLS, as long as TLS is not specified at the other end of the channel.
If changes are made on a client machine to the contents of the TLS Key Repository, the location of the TLS Key Repository, the Authentication Information, or the Cryptographic hardware parameters, we need to end all the TLS connections in order to reflect these changes in the client-connection channels that the application is using to connect to the queue manager. Once all the connections have ended, restart the TLS channels. All the new TLS settings are used. These settings are analogous to those refreshed by the REFRESH SECURITY TYPE(SSL) command on queue manager systems.
When the IBM MQ MQI client runs on a Windows, UNIX, or Linux system with cryptographic hardware, you configure that hardware with the MQSSLCRYP environment variable. This variable is equivalent to the SSLCRYP parameter on the ALTER QMGR MQSC command. Refer to ALTER QMGR for a description of the SSLCRYP parameter on the ALTER QMGR MQSC command. If we use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must be specified entirely in lower-case.
TLS secret key reset and FIPS are supported on IBM MQ MQI clients. For more information, see Resetting SSL and TLS secret keys and Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows.
See Set up IBM MQ MQI client security for more information about the TLS support for IBM MQ MQI clients.
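The client configuration file form of the settings described above, as an added example that is not taken from the IBM documentation. The stanza and attribute names are the standard mqclient.ini ones; the directory paths, token label, token password and reset count are constructed placeholders.

```ini
# mqclient.ini (constructed example; paths, labels, password and counts are placeholders)
# Located via the MQCLNTCF environment variable, the application's working
# directory, or the IBM MQ data directory.

CHANNELS:
   # Option 1 from the list above: locate the client channel definition table.
   # The CLNTCONN channel in this table carries the SSLCIPH value; the
   # CipherSpec is set on the channel definition, not in this file.
   ChannelDefinitionDirectory=/var/mqm/ccdt
   ChannelDefinitionFile=AMQCLCHL.TAB

SSL:
   # Key repository stem, given without the .kdb extension.
   # Equivalent to the MQSSLKEYR environment variable; the environment
   # variable, and an MQSCO supplied on MQCONNX, take precedence over this file.
   SSLKeyRepository=/var/mqm/ssl/client/key

   # Cryptographic hardware, equivalent to the MQSSLCRYP environment variable.
   # Format: GSK_PKCS11=<driver path>;<token label>;<token password>;<symmetric cipher setting>
   # The PKCS #11 token label must be entirely lower-case.
   SSLCryptoHardware=GSK_PKCS11=/usr/lib/pkcs11/PKCS11_API.so;mytokenlabel;CHANGEME;SYMMETRIC_CIPHER_OFF

   # Restrict the client to FIPS-certified CipherSpecs.
   SSLFipsRequired=YES

   # Reset the TLS secret key after this many bytes have flowed; 0 disables reset.
   SSLKeyResetCount=50000000
```

Because the client reads these values when a TLS channel starts, editing the repository location, the hardware parameters or the FIPS setting takes effect only after every TLS connection from the application has ended and the channels are restarted, as the section notes. Keep the token password placeholder out of version control in a real deployment.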
- Specify that an MQI channel uses SSL/TLS
For an MQI channel to use TLS, the value of the SSLCipherSpec attribute of the client-connection channel must be the name of a CipherSpec that is supported by IBM MQ on the client platform.
Parent topic: TLS security protocols in IBM MQ