WebSphere MQ client considerations

 

WebSphere MQ provides SSL support for WebSphere MQ clients in the following:

If you are using the Java™ client or JMS, refer to WebSphere MQ Using Java. The rest of this section does not apply to the Java or JMS environments.

You can specify the key repository for a WebSphere MQ client either with the MQSSLKEYR environment variable or when your application makes an MQCONNX call. You have three options for specifying that a channel uses SSL:

You cannot use the MQSERVER environment variable to specify that a channel uses SSL.

You can continue to run your existing WebSphere MQ client applications without SSL, as long as SSL is not specified at the other end of the channel.

If changes are made on a client machine to the contents of the SSL Key Repository, the location of the SSL Key Repository, the Authentication Information, or the Cryptographic hardware parameters, you need to end all the SSL connections so that the changes are reflected in the client-connection channels that the application uses to connect to the queue manager. Once all of the connections have ended, restart the SSL channels. The restarted channels use all the new SSL settings. These settings are analogous to those refreshed by the REFRESH SECURITY TYPE(SSL) command on queue manager systems.

When your WebSphere MQ client runs on a Windows or UNIX system with cryptographic hardware, you configure that hardware with the MQSSLCRYP environment variable. This variable is equivalent to the SSLCRYP parameter on the ALTER QMGR MQSC command. Refer to Queue manager attributes for a description of the SSLCRYP parameter. If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must be specified entirely in lower-case.
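The following pre-flight check for the MQSSLKEYR and MQSSLCRYP settings described above is an added example, not IBM code or part of the original page. It assumes the GSK_PKCS11 value is laid out as driver path, token label, token password and cipher setting separated by semicolons, that MQSSLKEYR names the key database without its .kdb suffix, and that the repository file should carry no group or other permission bits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code). Assumed MQSSLCRYP layout for PKCS #11:
#   GSK_PKCS11=<driver path>;<token label>;<token password>;<cipher setting>;
# Assumed: MQSSLKEYR is the key database path without the .kdb suffix.

# Print the token label of a GSK_PKCS11 string; return 1 for any other form.
mq_token_label() {
    case "$1" in
        GSK_PKCS11=*\;*) ;;
        *) return 1 ;;
    esac
    rest=${1#GSK_PKCS11=}
    rest=${rest#*;}                  # drop the driver path field
    printf '%s\n' "${rest%%;*}"      # keep only the label field
}

# 0 = label is lower-case, 1 = label has upper-case letters, 2 = not PKCS #11 form.
mq_label_ok() {
    label=$(mq_token_label "$1") || return 2
    [ -n "$label" ] || return 2
    case "$label" in
        *[[:upper:]]*) return 1 ;;
    esac
    return 0
}

# 0 = <stem>.kdb exists with no group/other permission bits, 1 = too open, 2 = missing.
mq_keyr_ok() {
    [ -f "$1.kdb" ] || return 2
    mode=$(ls -ld "$1.kdb" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ] || return 1
}

# Check the live environment; non-zero if a setting needs attention.
mq_ssl_preflight() {
    rc=0; st=0
    if [ -n "${MQSSLKEYR:-}" ]; then
        mq_keyr_ok "$MQSSLKEYR" || { echo "check key repository: $MQSSLKEYR.kdb"; rc=1; }
    fi
    mq_label_ok "${MQSSLCRYP:-}" || st=$?
    [ "$st" -ne 1 ] || { echo "MQSSLCRYP token label must be lower-case"; rc=1; }
    return "$rc"
}
```

Source the file in the shell that starts the client application and run `mq_ssl_preflight` before the first SSL connection is made.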

SSL secret key reset and FIPS are supported on WebSphere MQ clients. For more information, see Resetting SSL secret keys and Federal Information Processing Standards (FIPS).

Refer to the WebSphere MQ Clients book for more information about the SSL support for WebSphere MQ clients, and to Protecting WebSphere MQ client key repositories.

 
