Specifying that an MQI channel uses SSL/TLS
For an MQI channel to use TLS, the value of the SSLCipherSpec attribute of the client-connection channel must be the name of a CipherSpec that is supported by IBM MQ on the client platform.
We can define a client-connection channel with a value for this attribute in the following ways. They are listed in order of decreasing precedence.- When a PreConnect exit provides a channel definition structure to use.
A PreConnect exit can provide the name of a CipherSpec in the SSLCipherSpec field of a channel definition structure, MQCD. This structure is returned in the ppMQCDArrayPtr field of the MQNXP exit parameter structure used by the PreConnect exit.
- When an IBM MQ MQI client application issues an MQCONNX call.
The application can specify the name of a CipherSpec in the SSLCipherSpec field of a channel definition structure, MQCD. This structure is referenced by the connect options structure, MQCNO, which is a parameter on the MQCONNX call.
- Use a client channel definition table (CCDT).
One or more entries in a client channel definition table can specify the name of a CipherSpec. For example, if you create an entry by using the DEFINE CHANNEL MQSC command, we can use the SSLCIPH parameter on the command to specify the name of a CipherSpec.
- Use Active Directory on Windows.
On Windows systems, we can use the setmqscp control command to publish the client-connection channel definitions in Active Directory. One or more of these definitions can specify the name of a CipherSpec.
For example, if a client application provides a client-connection channel definition in an MQCD structure on an MQCONNX call, this definition is used in preference to any entries in a client channel definition table that can be accessed by the IBM MQ client.
We cannot use the MQSERVER environment variable to provide the channel definition at the client end of an MQI channel that uses TLS.
To check whether a client certificate has flowed, display the channel status at the server end of a channel for the presence of a peer name parameter value.