Determining whether SSL connections have been set up
This section deals with determining whether SSL connections have been set up for WebSphere MQ.
- For channel definitions see the section "Checking whether channel definitions have been SSL-enabled".
- For channels set up using client application MQCONNX calls, see the section "Checking whether client-connection channels set up using MQCONNX calls have been SSL-enabled".
Checking whether channel definitions have been SSL-enabled
For each queue manager on the computer you are working with, check whether any channels have been defined to use SSL by displaying the SSLCIPH (CipherSpec) value for each channel defined on the queue manager. To do this, make sure the queue manager is running and start the RUNMQSC environment. Enter DIS CHL(*) CHLTYPE SSLCIPH to display the channel details. The output should be similar to the following:
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SENDER) CHLTYPE(SDR) SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SERVER) CHLTYPE(SVR) SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM4) CHLTYPE(CLUSRCVR) SSLCIPH(RC4_MD5_EXPORT)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM5) CHLTYPE(CLUSSDR) SSLCIPH(RC4_MD5_EXPORT)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM6) CHLTYPE(SVR) SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM7) CHLTYPE(CLNTCONN) SSLCIPH(NULL_SHA)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM7) CHLTYPE(SVRCONN) SSLCIPH(NULL_SHA)
Channel definitions that have a value in the brackets after SSLCIPH are SSL channels. If there are any SSL channels the section "SSL migration steps" will apply. In the above example, the 'TO.QM4', 'TO.QM5', and both 'TO.QM7' channel definitions have a value for SSLCIPH.
Any client channel definition tables copied from another computer or accessed as a shared file on another computer will also need to be checked for SSLCIPH values. To check these values, either:
- use DIS CHL(*) CHLTYPE SSLCIPH on the queue manager they were defined on
- if your client is running on a system that has a local queue manager, change the MQCHLLIB and MQCHLTAB environment variables which relate to RUNMQSC to specify the directory path and filename of the relevant client channel definition table, then use the DIS CHL(*) CHLTYPE SSLCIPH command on the local queue manager. (Note: You should return the MQCHLLIB and MQCHLTAB settings to their previous values after completing this check.)
Any client-connection channel definitions that have been imported into Active Directory will also need to be checked for non-null SSLCIPH values. Display these definitions using the command setmqscp -d.
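On a queue manager with many channels, the DIS CHL(*) CHLTYPE SSLCIPH output is easier to review once it is filtered down to the definitions that have a CipherSpec. The following is an added example, not part of the original documentation; it assumes the command output has been saved as text, the function names are hypothetical, and the sample is constructed from the listing above.

```python
import re

# Constructed sample of DIS CHL(*) CHLTYPE SSLCIPH output (attributes may wrap).
SAMPLE_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SENDER)              CHLTYPE(SDR)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM4)                         CHLTYPE(CLUSRCVR)
   SSLCIPH(RC4_MD5_EXPORT)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM7)                         CHLTYPE(CLNTCONN)
   SSLCIPH(NULL_SHA)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM7)                         CHLTYPE(SVRCONN)
   SSLCIPH(NULL_SHA)
"""

ATTR = re.compile(r"\b(CHANNEL|CHLTYPE|SSLCIPH)\(([^)]*)\)")


def parse_channels(text):
    """Return one {attribute: value} dict per AMQ8414 record."""
    records = []
    for chunk in text.split("AMQ8414:")[1:]:
        attrs = {name: value.strip() for name, value in ATTR.findall(chunk)}
        if "CHANNEL" in attrs:
            records.append(attrs)
    return records


def ssl_channels(text):
    """Return (channel, chltype, cipherspec) for each non-blank SSLCIPH."""
    # CHLTYPE is kept because one name can be defined under two types
    # (TO.QM7 is both CLNTCONN and SVRCONN) and each definition counts.
    return [(r["CHANNEL"], r.get("CHLTYPE", ""), r["SSLCIPH"])
            for r in parse_channels(text) if r.get("SSLCIPH")]


def no_encryption(cipherspec):
    """NULL_* CipherSpecs hash the data but do not encrypt it."""
    return cipherspec.upper().startswith("NULL_")


if __name__ == "__main__":
    for name, chltype, cipher in ssl_channels(SAMPLE_OUTPUT):
        flag = "  <- no encryption" if no_encryption(cipher) else ""
        print(f"{name:<10} {chltype:<9} {cipher}{flag}")
```

The same filter can be run over output produced with MQCHLLIB and MQCHLTAB pointing at a copied client channel definition table.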
Checking whether client-connection channels set up using MQCONNX calls are SSL-enabled
For each client application that uses an MQCONNX call, search the MQCD channel definition structure for the optional SSLCipherSpec field, which provides equivalent values to SSLCIPH.
If the value of the SSLCipherSpec field is not null, the MQI channel used by the client application is an SSL channel and the section "SSL migration steps" will apply.