Set up communications for SSL or TLS on UNIX, Linux or Windows
Secure communications that use the SSL or TLS cryptographic security protocols involve setting up the communication channels and managing the digital certificates that we will use for authentication.
To set up an SSL or TLS installation, we must define our channels to use SSL or TLS. We must also create and manage our digital certificates. On UNIX, Linux and Windows systems, we can perform the tests with self-signed certificates.

Attention: It is not possible to use a mixture of Elliptic Curve-signed certificates and RSA-signed certificates on queue managers that we want to join together using TLS enabled channels. Queue managers using TLS enabled channels must all use RSA-signed certificates, or all use EC-signed certificates, not a mixture of both.
See Digital certificates and CipherSpec compatibility in IBM MQ for more information.
Self-signed certificates cannot be revoked, which could allow an attacker to spoof an identity after a private key has been compromised. CAs can revoke a compromised certificate, which prevents its further use. CA-signed certificates are therefore safer to use in a production environment, though self-signed certificates are more convenient for a test system.
For full information about creating and managing certificates, see Work with SSL/TLS on UNIX, Linux, and Windows.
This collection of topics introduces some of the tasks involved in setting up SSL communications, and provides step-by-step guidance on completing those tasks.
We might also want to test SSL or TLS client authentication, which is an optional part of the protocols. During the SSL or TLS handshake, the SSL or TLS client always obtains and validates a digital certificate from the server. With the IBM MQ implementation, the SSL or TLS server always requests a certificate from the client.
On UNIX, Linux, and Windows, the SSL or TLS client sends a certificate only if it has one labeled in the correct IBM MQ format:
- For a queue manager, the format is ibmwebspheremq followed by the name of the queue manager changed to lowercase. For example, for QM1, the label is ibmwebspheremqqm1.
- For an IBM MQ client, the format is ibmwebspheremq followed by your logon user ID changed to lowercase, for example ibmwebspheremqmyuserid.
IBM MQ uses the ibmwebspheremq prefix on a label to avoid confusion with certificates for other products. Ensure that you specify the entire certificate label in lowercase.
The SSL or TLS server always validates the client certificate if one is sent. If the client does not send a certificate, authentication fails only if the end of the channel acting as the SSL or TLS server is defined with either the SSLCAUTH parameter set to REQUIRED or an SSLPEER parameter value set. For more information, see Connect two queue managers using SSL or TLS.
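The three rules above (the certificate label format, the "no mixing of RSA-signed and EC-signed certificates" restriction, and the conditions under which a missing client certificate causes authentication to fail) are easy to get wrong by hand, so here is a small pre-flight checker that encodes them. This is an added example, not IBM MQ code: the key repository label list and the per-queue-manager signature algorithms are constructed sample input, and the function names are our own.

```python
"""Pre-flight checks for IBM MQ TLS channel setup, encoding the rules on this page.

Added example (not IBM's code). Rules encoded:
  1. A queue manager's certificate label is 'ibmwebspheremq' + its name in lowercase
     (for a client, 'ibmwebspheremq' + the logon user ID in lowercase); the whole
     label must match, so a mixed-case label is not picked up.
  2. Queue managers joined by TLS channels must all use RSA-signed or all use
     EC-signed certificates, never a mixture.
  3. If the client sends no certificate, authentication fails only when the server
     end of the channel has SSLCAUTH(REQUIRED) or an SSLPEER value set.
"""
from typing import Dict, Iterable, List, Optional

LABEL_PREFIX = "ibmwebspheremq"


def expected_label(name: str) -> str:
    """Return the label IBM MQ looks for, given a queue manager name or logon user ID."""
    return LABEL_PREFIX + name.strip().lower()


def find_usable_label(repository_labels: Iterable[str], name: str) -> Optional[str]:
    """Return the repository label IBM MQ will actually use, or None if none matches.

    The match is exact (including case), which is why a label created as
    'ibmwebspheremqQM1' is silently ignored and the client sends no certificate.
    """
    expected = expected_label(name)
    return expected if expected in set(repository_labels) else None


def check_signature_mix(cert_algorithms: Dict[str, str]) -> List[str]:
    """Given {queue manager name: 'RSA' | 'EC'}, return a list of problems (empty = OK)."""
    problems = []
    normalised = {qm: alg.strip().upper() for qm, alg in cert_algorithms.items()}
    unknown = {qm: alg for qm, alg in normalised.items() if alg not in ("RSA", "EC")}
    for qm, alg in unknown.items():
        problems.append(f"{qm}: unrecognised signature algorithm {alg!r}")
    kinds = {alg for alg in normalised.values() if alg in ("RSA", "EC")}
    if len(kinds) > 1:
        problems.append(
            "mixed RSA-signed and EC-signed certificates across TLS-joined queue managers: "
            + ", ".join(f"{qm}={alg}" for qm, alg in sorted(normalised.items()))
        )
    return problems


def missing_client_cert_rejected(sslcauth: str, sslpeer: str = "") -> bool:
    """True if the server end rejects a client that sends no certificate.

    SSLCAUTH takes REQUIRED or OPTIONAL; SSLPEER is a distinguished-name filter
    (empty string means not set).
    """
    return sslcauth.strip().upper() == "REQUIRED" or bool(sslpeer.strip())


if __name__ == "__main__":
    # Constructed sample data: labels as listed by a key repository, and the
    # signature algorithm used by each queue manager's certificate.
    repository_labels = ["ibmwebspheremqQM1", "ibmwebspheremqqm2", "CA-root"]
    cert_algorithms = {"QM1": "RSA", "QM2": "EC"}

    for qm in ("QM1", "QM2"):
        label = find_usable_label(repository_labels, qm)
        status = f"will use {label}" if label else f"no usable label (expected {expected_label(qm)})"
        print(f"{qm}: {status}")

    for problem in check_signature_mix(cert_algorithms):
        print("problem:", problem)

    for sslcauth, sslpeer in (("OPTIONAL", ""), ("REQUIRED", ""), ("OPTIONAL", "CN=QM1,O=Example")):
        print(f"SSLCAUTH({sslcauth}) SSLPEER({sslpeer!r}): "
              f"missing client cert {'rejected' if missing_client_cert_rejected(sslcauth, sslpeer) else 'accepted'}")
```

Run as a script, the sample data shows the two failure modes the page warns about: QM1 has a label with the wrong case and so has no usable certificate, and QM1/QM2 mix RSA and EC signatures. The last loop shows that SSLCAUTH(OPTIONAL) on its own admits a client without a certificate, but setting an SSLPEER filter makes that client fail even with SSLCAUTH(OPTIONAL).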