+

Search Tips | Advanced Search

Certificate label (CERTLABL)

This attribute specifies the certificate label of the channel definition.

The label identifies which personal certificate in the key repository is sent to the remote peer. The certificate is defined as described in Digital certificate labels.

Inbound channels (including RCVR, RQSTR, CLUSRCVR, unqualified SERVER, and SVRCONN channels) will only send the configured certificate if the IBM MQ version of the remote peer fully supports certificate label configuration and the channel is using a TLS CipherSpec. If that is not the case, the queue manager CERTLABL attribute determines the certificate sent. This restriction is because the certificate label selection mechanism for inbound channels depends upon a TLS protocol extension that is not supported in all cases. In particular, Java clients, JMS clients, and all versions of IBM MQ prior to Version 8.0 do not support the required protocol extension and will only ever receive the certificate configured by the queue manager CERTLABL attribute, regardless of the channel-specific label setting.

An unqualified server channel is one that does not have the CONNAME field set.

None of the administrative interfaces allow this attribute to be inquired or set for CLUSSDR channels. You will receive an MQRCCF_WRONG_CHANNEL_TYPE message. However, the attribute is present in CLUSSDR channel objects (including MQCD structures) and a CHAD exit can set it programmatically if required.

For more information about what the certificate label can contain, see Digital certificate labels, understanding the requirements.

This attribute is valid for all channel types.

Note: The QMGR CERTLABL is still checked and validated, even if CHANNEL CERTLABL is being used.

The channel program needs to access a certificate with the label name, ibmwebspheremq, appended with the name of the queue manager, all in lowercase. For example, with a queue manager named QM1, the default certificate label is ibmwebspheremqqm1.

This rule applies even when you are using the CERTLABL attribute on the channel to tell the queue manager to use a different certificate from ibmwebspheremq appended with the queue manager name all in lowercase.