Configure TLS on queue managers

Creating the queue manager key repository

About this task

The key repository is where certificates used by the queue manager are stored. On Windows, Linux , and UNIX platforms, the key repository is known as the key database file.

The location of the key repository of a queue manager is specified in the queue manager's Key Repository attribute. Before we can store the queue manager certificates in the key repository, you must ensure that a key database file exists in this location. If you need to create the key database file, use the iKeyman GUI. For more information, see Securing in the IBM MQ online product documentation.

Change the queue manager key repository

About this task

In certain circumstances you might want to change the key repository; for example, to use a single location that is shared by all queue managers on one operating system.

To change a queue manager key repository location:

Procedure

1. Change the key repository location in the queue manager properties:
   1. Open IBM MQ Explorer and expand the Queue Managers folder.
   2. Right-click the queue manager, then click Properties.
   3. On the SSL property page, edit the path in the Key repository field to point to your chosen directory.
   4. On the warning dialog, click Yes.
2. Transfer the queue manager personal certificates to the new location using the iKeyman GUI. For more information, see Securing in the IBM MQ online product documentation.

Authenticating certificates using Certificate Revocation Lists

About this task

Certification Authorities (CAs) can revoke certificates that are no longer trusted by publishing them in a Certification Revocation List (CRL). When a certificate is received by a queue manager or a IBM MQ MQI client, it can be checked against the CRL to ensure that it has not been revoked. CRL checking is not mandatory for TLS-enabled messaging to be achieved, but is recommended to ensure the trustworthiness of user certificates.

For more information about how to set up a CRL in this way, see Securing in the IBM MQ online product documentation.

To set up a connection to an LDAP CRL server:

Procedure

1. In IBM MQ Explorer, expand the queue manager.
2. Create an authentication information object of type CRL LDAP. For more information, see Create and configure queue managers and objects.
3. Repeat Step 2 to create as many CRL LDAP authentication information objects as you need.
4. Create a namelist and add the names of the authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see Create and configure queue managers and objects.
5. Right-click the queue manager, then click Properties.
6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
7. Click OK.

Results

The certificates that the queue manager receives can now be authenticated against the CRL held on the LDAP server.

You can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible.

Authenticating certificates using OCSP authentication

About this task

On UNIX and Windows, IBM MQ TLS support checks for revoked certificates using OCSP (Online Certificate Status Protocol) or using CRLs and ARLs on LDAP (Lightweight Directory Access Protocol) servers. OCSP is the preferred method. IBM MQ classes for Java and IBM MQ classes for JMS cannot use the OCSP information in a client channel definition table file. However, we can configure OCSP as described in Revoked certificates and OCSP in the IBM MQ online product documentation.

IBM i and z/OS® do not support OCSP checking, but they do allow the generation of client channel definition tables (CCDTs) containing OCSP information.

For more information about CCDTs and OCSP, see Client channel definition table in the IBM MQ online product documentation.

To set up a connection to an OCSP server:

Procedure

1. In IBM MQ Explorer, expand the queue manager.
2. Create an authentication information object of type OCSP. For more information, see: Create and configure queue managers and objects.
3. Repeat Step 2 to create as many OCSP authentication information objects as you need.
4. Create a namelist and add the names of the OCSP authentication information objects that you created in Steps 2 and 3 to the new namelist. For more information, see: Create and configure queue managers and objects.
5. Right-click the queue manager, then click Properties.
6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
7. Click OK.

Results

The certificates that the queue manager receives are authenticated against the OCSP responder.

The queue manager writes OCSP information to the CCDT.

Only one OCSP object can be added to the namelist because the socket library can only use one OCSP responder URL at a time.

Configure cryptographic hardware

About this task

IBM MQ can support cryptographic hardware, and the queue manager must be configured accordingly.

To configure the queue manager for cryptographic hardware:

Procedure

1. Start IBM MQ Explorer.
2. In the Navigator view, right-click the queue manager, then click Properties. The Properties dialog opens.
3. On the SSL page, click Configure The Cryptographic Hardware Settings dialog opens.
4. In the Cryptographic Hardware Settings dialog: All supported cryptographic cards now use PKCS #11, so ignore references to the Rainbow Cryptoswift or nCipher nFast cards. Enter the path to the PKCS #11 driver, and the token label, the token password, and the symmetric cipher setting.
5. Click OK.

Results

The queue manager is now configured to use the cryptographic hardware.

We can also work with certificates that are stored on PKCS #11 hardware using iKeyman.

For more information, see Securing in the IBM MQ online product documentation.