SSL/TLS on the IBM MQ MQI client
IBM MQ supports TLS on clients. You can tailor the use of TLS in various ways.
IBM MQ provides TLS support for IBM MQ MQI clients on Windows, UNIX and Linux systems. If you are using IBM MQ classes for Java™, see Use IBM MQ classes for Java and if you are using IBM MQ classes for JMS, see Use IBM MQ classes for JMS. The rest of this section does not apply to the Java or JMS environments.
You can specify the key repository for an IBM MQ MQI client either with the MQSSLKEYR value in your IBM MQ client configuration file, or when your application makes an MQCONNX call. You have three options for specifying that a channel uses TLS:
- Use a channel definition table
- Use the SSL configuration options structure, MQSCO, on an MQCONNX call
- Use the Active Directory (on Windows systems)
You can continue to run your existing IBM MQ MQI client applications without TLS, as long as TLS is not specified at the other end of the channel.
If changes are made on a client machine to the contents of the TLS Key Repository, the location of the TLS Key Repository, the Authentication Information, or the Cryptographic hardware parameters, you need to end all the TLS connections in order to reflect these changes in the client-connection channels that the application is using to connect to the queue manager. Once all the connections have ended, restart the TLS channels. The new TLS settings are then used. These settings are analogous to those refreshed by the REFRESH SECURITY TYPE(SSL) command on queue manager systems.
When your IBM MQ MQI client runs on a Windows, UNIX or Linux system with cryptographic hardware, you configure that hardware with the MQSSLCRYP environment variable. This variable is equivalent to the SSLCRYP parameter on the ALTER QMGR MQSC command. Refer to ALTER QMGR for a description of the SSLCRYP parameter. If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must be specified entirely in lower-case.
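The following pre-flight check for UNIX and Linux clients is an added example, not IBM's code: it validates the MQSSLKEYR and MQSSLCRYP values described above before a client application is started. The function names are hypothetical, and three things are assumptions of the example: that MQSSLKEYR names the repository with or without its .kdb extension, that the GSK_PKCS11 value is laid out as driver path, token label, token password and symmetric cipher setting separated by semicolons, and that a world-readable key repository should be flagged.

```shell
#!/bin/sh
# Added example: pre-flight checks for MQSSLKEYR and MQSSLCRYP before an
# IBM MQ MQI client is started. Function names are hypothetical.

# check_keyr VALUE: VALUE is treated as the key repository path, with or
# without the .kdb extension (assumption; confirm against your release).
# Returns 0 ok, 1 repository file missing or unreadable,
# 2 repository file readable by "other" users (added hardening check).
check_keyr() {
    case $1 in
        *.kdb) kdb=$1 ;;
        *)     kdb=$1.kdb ;;
    esac
    [ -r "$kdb" ] || { echo "cannot read $kdb" >&2; return 1; }
    if [ -n "$(find "$kdb" -prune -perm -004)" ]; then
        echo "$kdb is world-readable" >&2; return 2
    fi
    return 0
}

# check_cryp VALUE: validates the GSK_PKCS11 form, assumed to be laid out as
# GSK_PKCS11=<driver path>;<token label>;<token password>;<cipher setting>;
# Returns 0 ok, 1 not a GSK_PKCS11 value, 2 too few fields,
# 3 token label not entirely lower-case. The password is never printed.
check_cryp() {
    case $1 in
        GSK_PKCS11=*) rest=${1#GSK_PKCS11=} ;;
        *) echo "not a GSK_PKCS11 value" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=';'
    set -f; set -- $rest; set +f      # split on ';' without globbing
    IFS=$old_ifs
    [ $# -ge 4 ] || { echo "expected 4 ';'-separated fields" >&2; return 2; }
    lower=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$2" = "$lower" ] || { echo "token label must be lower-case: $2" >&2; return 3; }
    return 0
}

# Check the current environment when the variables are set.
if [ -n "${MQSSLKEYR:-}" ]; then check_keyr "$MQSSLKEYR" && echo "MQSSLKEYR ok"; fi
if [ -n "${MQSSLCRYP:-}" ]; then check_cryp "$MQSSLCRYP" && echo "MQSSLCRYP ok"; fi
```

Because changed settings only take effect after all TLS connections have ended and the channels are restarted, run the check before that restart.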
TLS secret key reset and FIPS are supported on IBM MQ MQI clients. For more information, see Resetting SSL and TLS secret keys and Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows.
See Set up IBM MQ MQI client security for more information about the TLS support for IBM MQ MQI clients.