
SSL-related options in the URI

The SSL options provided are:

sslKeyRepository=KeyRepository

For SSL enabled client connections, this specifies the location of the SSL key repository in which SSL keys and certificates are stored. This is specified in "stem" format, that is, a full path with file name but with the file extension omitted. The effect is the same as setting the KeyRepository field in the MQSCO structure on an MQCONNX call (see WebSphere MQ Application Programming Reference for details).

This property applies to the .NET client environment only and is mandatory if sslCipherSpec is set. It is ignored in the Java environment or if sslCipherSpec is null.

sslCipherSpec=CipherSpec

For SSL enabled client connections, this specifies the SSL CipherSpec used on the channel. For more information about CipherSpecs, including a list of the CipherSpecs that can be used with WebSphere MQ SSL support, see WebSphere MQ Security.

This property applies to the .NET client environment only and is mandatory if SSL is being used. It is ignored in the Java environment.

sslCipherSuite=CipherSuite

For SSL enabled client connections, this specifies the SSL CipherSuite used on the channel. For more information about CipherSuites, including a list of CipherSuites that can be used with WebSphere MQ SSL support, see WebSphere MQ Using Java.

This property applies to the Java client environment only and is mandatory if SSL is being used. It is ignored in the .NET environment.

sslPeerName=PeerName

For SSL enabled client connections, this specifies an SSL peer name. The format of an SSL peer name is described in WebSphere MQ Script (MQSC) Command Reference.

This property is ignored if sslCipherSpec (for .NET) or sslCipherSuite (for Java) is null.

sslKeyResetCount=bytecount

For SSL enabled client connections, this specifies the number of bytes passed across an SSL channel before the SSL secret key must be renegotiated. To disable the renegotiation of SSL keys the field can either be omitted or set to 0. The effect is the same as setting the KeyResetCount field in the MQSCO structure on an MQCONNX call (see WebSphere MQ Application Programming Reference for details).

This property is ignored if sslCipherSpec (for .NET) or sslCipherSuite (for Java) is null.

This property should not be used in certain Java environments; see WebSphere MQ Using Java for details.

sslCryptoHardware=cryptographic hardware details

For SSL enabled client connections, this specifies details relating to the cryptographic hardware to be used. The possible values for this field, and the effect of setting it, are the same as for the CryptoHardware field of the MQSCO structure on an MQCONNX call (see WebSphere MQ Application Programming Reference for details).

This property applies to the .NET environment only. It is ignored in the Java environment or if sslCipherSpec is null.

sslFipsRequired=YES|NO

For SSL enabled client connections, this specifies whether the CipherSpecs or CipherSuites requested must use FIPS-certified cryptography in WebSphere MQ. The default value is NO. The effect of setting this field is the same as setting the FipsRequired field of the MQSCO structure on an MQCONNX call (see WebSphere MQ Application Programming Reference for details).

This property is ignored if sslCipherSpec (for .NET) or sslCipherSuite (for Java) is null.

sslKeyStore=key store name

For SSL enabled client connections, this specifies the JSSE key store.

This property applies to the Java environment only. It is ignored in the .NET environment or if sslCipherSuite is null. For information about keystores, see WebSphere MQ Using Java.

sslKeyStorePassword=password

For SSL enabled client connections, this specifies the password for the JSSE key store.

This property applies to the Java environment only. It is ignored in the .NET environment or if sslCipherSuite is null. For information about keystores, see WebSphere MQ Using Java.

sslLDAPCRLServers=LDAP server list

For SSL enabled client connections, this specifies a list of LDAP servers to be used for Certificate Revocation List checking. This string must consist of a sequence of space-delimited LDAP URIs of the form ldap://host[:port]. If no port is specified, the LDAP default of 389 is assumed.

The certificate provided by the queue manager is checked against one of the listed LDAP CRL servers; if it is found, the connection fails. Each LDAP server is tried in turn until connectivity is established to one of them. If it is impossible to connect to any of those specified, the certificate is rejected. Once a connection has been successfully established to one of them, the certificate is accepted or rejected depending on the CRLs present on that LDAP server.

If sslLDAPCRLServers is set to null (the default), the queue manager's certificate is not checked against a Certificate Revocation List. An error message is displayed if the supplied list of LDAP URIs is not valid. The effect of setting this field is the same as that of including MQAIR records and accessing them from an MQSCO structure on an MQCONNX call (see WebSphere MQ Application Programming Reference).

This property is ignored if sslCipherSpec (for .NET) or sslCipherSuite (for Java) is null.
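The following Python sketch is an added example, not WebSphere MQ code: it validates an sslLDAPCRLServers value against the ldap://host[:port] form and models the accept/reject decision described above. The function names, the host names and the `reachable` map (a constructed stand-in for real LDAP lookups) are assumptions, as is treating an empty string as invalid.

```python
from urllib.parse import urlsplit

DEFAULT_LDAP_PORT = 389  # default stated in the option description

def parse_crl_servers(value):
    """Parse space-delimited ldap://host[:port] URIs into (host, port) pairs."""
    if value is None:
        return []  # null (the default): no CRL checking at all
    servers = []
    for item in value.split():
        parts = urlsplit(item)
        if parts.scheme != "ldap" or not parts.hostname:
            raise ValueError(f"not of the form ldap://host[:port]: {item!r}")
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            raise ValueError(f"unexpected component in {item!r}")
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
        servers.append((parts.hostname, DEFAULT_LDAP_PORT if port is None else port))
    if not servers:
        raise ValueError("empty server list")  # assumption: "" is treated as invalid
    return servers

def check_certificate(servers, serial, reachable):
    """Model the accept/reject decision for the queue manager's certificate.

    reachable maps (host, port) -> set of revoked serials for every server
    that can be contacted (hypothetical stand-in for real LDAP CRL lookups).
    """
    if not servers:
        return "accepted: no CRL check"
    for server in servers:  # tried in the order listed
        revoked = reachable.get(server)
        if revoked is None:
            continue  # no connectivity, try the next server
        # The first server that answers decides; later servers are not consulted.
        return "rejected: certificate revoked" if serial in revoked else "accepted"
    return "rejected: no CRL server reachable"

# Constructed sample value (host names are placeholders)
SAMPLE = "ldap://crl1.example.test ldap://crl2.example.test:1389"

if __name__ == "__main__":
    servers = parse_crl_servers(SAMPLE)
    print(servers)
    print(check_certificate(servers, "0A", {servers[1]: {"0A"}}))
```

Because the first reachable server decides the outcome, every server in the list needs to carry current CRLs; a stale entry early in the list answers before a fresher one later in the list is ever tried.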

sslTrustStore

For SSL enabled client connections, this specifies the JSSE trust store.

This property applies to the Java environment only. It is ignored in the .NET environment or if sslCipherSuite is null. For information about truststores, see WebSphere MQ Using Java.

sslTrustStorePassword

For SSL enabled client connections, this specifies the password for the JSSE trust store.

This property applies to the Java environment only. It is ignored in the .NET environment or if sslCipherSuite is null. For information about truststores, see WebSphere MQ Using Java.
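Several of the options above are silently ignored in one environment or when the cipher option is null, so a client can appear to request peer-name or CRL checks that never take effect. The following Python linter is an added example, not part of WebSphere MQ: it applies the applicability rules stated above to an already-parsed set of options. The function name, the `env` labels and the sample values are assumptions.

```python
DOTNET_ONLY = {"sslKeyRepository", "sslCipherSpec", "sslCryptoHardware"}
JAVA_ONLY = {"sslCipherSuite", "sslKeyStore", "sslKeyStorePassword",
             "sslTrustStore", "sslTrustStorePassword"}
BOTH = {"sslPeerName", "sslKeyResetCount", "sslFipsRequired", "sslLDAPCRLServers"}
CIPHER = {"java": "sslCipherSuite", "dotnet": "sslCipherSpec"}

def lint_ssl_options(env, options):
    """Return findings for options that are ignored, missing or malformed.

    env is "java" or "dotnet" (hypothetical labels); options maps an option
    name to its value, with None standing for null.
    """
    cipher = CIPHER[env]
    wrong_env = DOTNET_ONLY if env == "java" else JAVA_ONLY
    ssl_on = bool(options.get(cipher))
    findings = []
    for name in sorted(options):
        if options[name] is None:
            continue
        if name not in DOTNET_ONLY | JAVA_ONLY | BOTH:
            findings.append(f"{name}: not one of the SSL options described")
        elif name in wrong_env:
            findings.append(f"{name}: ignored in the {env} environment")
        elif name != cipher and not ssl_on:
            findings.append(f"{name}: ignored because {cipher} is null")
    if env == "dotnet" and ssl_on and not options.get("sslKeyRepository"):
        findings.append("sslKeyRepository: mandatory when sslCipherSpec is set")
    # Case handling of YES|NO is not stated above, so case is not flagged here.
    fips = options.get("sslFipsRequired")
    if fips is not None and str(fips).upper() not in ("YES", "NO"):
        findings.append("sslFipsRequired: value must be YES or NO")
    count = options.get("sslKeyResetCount")
    if count is not None and not str(count).isdigit():
        findings.append("sslKeyResetCount: must be a byte count (0 disables)")
    return findings

# Constructed sample: a Java client configured with the .NET cipher option,
# so the peer-name and CRL settings never take effect.
SAMPLE_JAVA = {"sslCipherSpec": "CIPHER_PLACEHOLDER", "sslPeerName": "CN=QM1",
               "sslLDAPCRLServers": "ldap://crl.example.test"}

if __name__ == "__main__":
    for finding in lint_ssl_options("java", SAMPLE_JAVA):
        print(finding)
```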

If you use Java, the first SSL connection from a SOAP/WebSphere MQ client causes the following SSL parameters to become fixed for subsequent connections on this client process:

The effect of varying these parameters on subsequent connections from this client is undefined.

If you use .NET, the first SSL connection from a SOAP/WebSphere MQ client causes the following SSL parameters to become fixed for subsequent connections on this client process:

The effect of varying these parameters on subsequent connections from this client is undefined. These parameters are reset if all SSL connections become inactive and a new SSL connection is subsequently made.

The following properties can also be specified as system properties:

If they are specified both as system properties and in the URI, and the values differ, the deployment utility displays a warning and the URI values take precedence.