Configure TLS on IBM MQ MQI clients

To work with TLS on an IBM MQ client, you must use various commands.


This task introduces the commands that we use to work with TLS on an IBM MQ client. For more information, see Securing in the IBM MQ online product documentation.

Managing the IBM MQ client's certificates

Use the IBM Key Management (iKeyman) GUI to manage your TLS certificates. For more information, see Starting the IBM Key Management GUI.

In the iKeyman GUI, ensure that the client key repository contains all the Certificate Authority (CA) certificates that might be required to validate certificates that are received from other queue managers.

To find out the location of the client's key repository, type the following command to examine the MQSSLKEYR environment variable:

echo %MQSSLKEYR%

Also check our application because the key repository can be set on an MQCONNX call. If both values are set, the value set on the MQCONNX call overrides the value of MQSSLKEYR.

Configure the channels to use TLS

The TLS channels must be set up as described here in Configure TLS channels.

For more information about setting up IBM MQ client security, see Set up IBM MQ MQI client security in the IBM MQ online product documentation.


Authenticating certificates using Certificate Revocation Lists

About this task

We can set up a IBM MQ MQI client to check certificates against CRLs on LDAP servers:

Procedure

  1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
  2. Create a new authentication information object of type CRL LDAP. For more information, see Create and configure queue managers and objects.
  3. Repeat Step 2 to create as many authentication information objects as you need.
  4. Create a new namelist and add to the namelist the names of the authentication information objects that you created in Steps 2 and 3. For more information, see Create and configure queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the CRL Namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK. All the LDAP CRL information is now written to the client channel definition table.
  8. Make the client channel definition table available to the client, or, if you are using Windows Active Directory, write out the information from the client channel definition table to the Active Directory. See the setmqscp command in the IBM MQ online product documentation).

Results

For more information, see Overview of IBM MQ MQI clients in the IBM MQ online product documentation.

We can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible. For more information, see Securing in the IBM MQ online product documentation.


Authenticating certificates using OCSP authentication

About this task

We can set up a IBM MQ MQI client to check certificates against an OCSP responder. Some client environments do not support OCSP revocation checking, but all server platforms support the ability to define OCSP configuration which will be written into the client channel definition table file.

Procedure

  1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
  2. Create a new authentication information object of type OCSP. For more information, see Create and configure queue managers and objects.
  3. Repeat Step 2 to create as many OCSP authentication information objects as you need.
  4. Create a new namelist and add to the namelist the names of the OCSP authentication information objects that you created in Steps 2 and 3. For more information, see Create and configure queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK.
  8. Make the client channel definition table available to the client.

Results

For more information, see Overview of IBM MQ MQI clients in the IBM MQ online product documentation.

Only one OCSP object can be added to the namelist because the socket library can only use one OCSP responder URL at a time. For more information, see Securing in the IBM MQ online product documentation.