SSL properties
When you specify TRANSPORT(CLIENT), we can enable Secure Sockets Layer (SSL) encrypted communication using the SSLCIPHERSUITE property. Set this property to a valid CipherSuite provided by your JSSE provider; it must match the CipherSpec named on the SVRCONN channel named by the CHANNEL property.
However, CipherSpecs (as specified on the SVRCONN channel) and CipherSuites (as specified on ConnectionFactory objects) use different naming schemes to represent the same SSL encryption algorithms. If a recognized CipherSpec name is specified on the SSLCIPHERSUITE property, JMSAdmin issues a warning and maps the CipherSpec to its equivalent CipherSuite. See SSL CipherSpecs and CipherSuites for a list of CipherSpecs recognized by WebSphere MQ and JMSAdmin.
If you require a connection to use a CipherSuite that is supported by the IBM Java™ JSSE FIPS provider (IBMJSSEFIPS), set the SSLFIPSREQUIRED property of the connection factory to YES. The default value of this property is NO, which means that a connection can use any CipherSuite that is not supported by IBMJSSEFIPS. The property is ignored if SSLCIPHERSUITE is not set.
The SSLPEERNAME matches the format of the SSLPEER parameter, which can be set on channel definitions. It is a list of attribute name and value pairs separated by commas or semicolons. For example:
SSLPEERNAME(CN=QMGR.*, OU=IBM, OU=WEBSPHERE)The set of names and values makes up a distinguished name. For more details about distinguished names and their use with WebSphere MQ, see the WebSphere MQ Security book.The example given checks the identifying certificate presented by the server at connect-time. For the connection to succeed, the certificate must have a Common Name beginning QMGR., and must have at least two Organizational Unit names, the first of which is IBM and the second WEBSPHERE. Checking is case-insensitive.
If SSLPEERNAME is not set, no such checking is performed. SSLPEERNAME is ignored if SSLCIPHERSUITE is not set.
The SSLCRL property specifies zero or more CRL (Certificate Revocation List) servers. Use of this property requires a JVM at Java 2 v1.4. This is a space-delimited list of entries of the form:
ldap://hostname:[port]optionally followed by a single /. If port is omitted, the default LDAP port of 389 is assumed. At connect-time, the SSL certificate presented by the server is checked against the specified CRL servers. See the WebSphere MQ Security book for more about CRL security.If SSLCRL is not set, no such checking is performed. SSLCRL is ignored if SSLCIPHERSUITE is not set.
The SSLRESETCOUNT property represents the total number of bytes sent and received by a connection before the secret key that is used for encryption is renegotiated. The number of bytes sent is the number before encryption, and the number of bytes received is the number after decryption. The number of bytes also includes control information sent and received by the WebSphere MQ JMS client.
For example, to configure a ConnectionFactory object that can be used to create a connection over an SSL enabled MQI channel whose secret key is renegotiated after 4 MB of data have flowed, issue the following command to JMSAdmin:
ALTER CF(my.cf) SSLRESETCOUNT(4194304)If the value of SSLRESETCOUNT is zero, which is the default value, the secret key is never renegotiated. The SSLRESETCOUNT property is ignored if SSLCIPHERSUITE is not set.
If you are using an HP or Sun Java 2 Software Development Kit (SDK) or Java Runtime Environment (JRE), do not set SSLRESETCOUNT to a value other than zero. If you do set SSLRESETCOUNT to a value other than zero, a connection fails when it attempts to renegotiate the secret key.
For more information about the secret key that is used for encryption on an SSL enabled channel, see WebSphere MQ Security.
uj10940_