Certificate validation policies in IBM MQ
The certificate validation policy determines how strictly the certificate chain validation conforms to industry security standards.
The certificate validation policy depends upon the platform and environment as follows:
- For Java and JMS applications on all platforms, the certificate validation policy depends on the JSSE component of the Java runtime environment. For more information about the certificate validation policy, see the documentation for the JRE.
- For IBM i systems, the certificate validation policy depends on the secure sockets library provided by the operating system. For more information about the certificate validation policy, see the documentation for the operating system.
- For z/OS systems, the certificate validation policy depends on the System SSL component provided by the operating system. For more information about the certificate validation policy, see the documentation for the operating system.
- For UNIX, Linux, and Windows systems, the certificate validation policy is supplied by GSKit and can be configured. Two different certificate validation policies are supported:
- A legacy certificate validation policy, used for maximum backwards compatibility and interoperability with old digital certificates that do not comply with the current IETF certificate validation standards. This policy is known as the Basic policy.
- A strict, standards-compliant certificate validation policy which enforces the RFC 5280 standard. This policy is known as the Standard policy.
For information about how to configure the certificate validation policy on UNIX, Linux, and Windows, see Configure certificate validation policies in IBM MQ. For more information about the differences between the Basic and Standard certificate validation policies, see Certificate validation and trust policy design on UNIX, Linux, and Windows. Parent topic: TLS security protocols in IBM MQ