Set up SSL communications

 

To set up your SSL installation define your channels to use SSL. You must also create and manage your digital certificates. On UNIX systems, Windows systems, and on z/OS, we can perform the tests with self–signed certificates. On i5/OS, Windows systems, and on z/OS, we can work with personal certificates signed by a local CA. For full information about creating and managing certificates, see:

• Working with the Secure Sockets Layer (SSL) on i5/OS

• Working with the Secure Sockets Layer (SSL) on UNIX and Windows systems

• Working with the Secure Sockets Layer (SSL) on z/OS

This chapter introduces some of the tasks involved in setting up SSL communications, and provides step-by-step guidance on completing those tasks:

• Task 1: Using self-signed certificates

• Task 2: Using CA-signed certificates

• Task 3: Anonymous queue managers

You might also want to test SSL client authentication, which is an optional part of the SSL protocol. During the SSL handshake the SSL client always obtains and validates a digital certificate from the SSL server. With the WebSphere MQ implementation, the SSL server always requests a certificate from the SSL client.

On UNIX, i5/OS, or Windows, the SSL client sends a certificate only if it has one labelled in the correct WebSphere MQ format:

• For a queue manager on UNIX, i5/OS, or Windows, ibmwebspheremq followed by the name of your queue manager changed to lower case. For example, for QM1, ibmwebspheremqqm1

• For a WebSphere MQ client on UNIX or Windows systems, ibmwebspheremq followed by your logon user ID changed to lower case, for example ibmwebspheremqmyuserid.

On z/OS, the SSL client sends a certificate only if it has either of the following:

• For a queue manager on z/OS, ibmWebSphereMQ followed by the name of your queue manager, for example ibmWebSphereMQQM1

• A default certificate (which might be the ibmWebSphereMQ certificate).

On UNIX, i5/OS, and Windows systems, WebSphere MQ uses the ibmwebspheremq prefix, and on z/OS the ibmWebSphereMQ prefix, on a label to avoid confusion with certificates for other products. On UNIX and Windows systems, ensure that you specify the entire certificate label in lower case.

The SSL server always validates the client certificate if one is sent. If the SSL client does not send a certificate, authentication fails only if the end of the channel acting as the SSL server is defined:

• With the SSLCAUTH parameter set to REQUIRED or

• With an SSLPEER parameter value

For more information, see Task 3: Anonymous queue managers.

• Task 1: Using self-signed certificates
  

• Task 2: Using CA-signed certificates
  

• Task 3: Anonymous queue managers
  

 

Parent topic:

Working with WebSphere MQ SSL support

sy11560_