Certificate exit
The purpose of a certificate exit is to validate an SSL/TLS peer certificate that is received by MQIPT. We can configure an MQIPT route to act as an SSL/TLS client when it makes a new connection, and to act as an SSL/TLS server when it receives a connection request. During the SSL/TLS handshake, an SSL/TLS client receives a peer certificate from the server, and that certificate can be used to authenticate the server. An SSL/TLS server can also receive a peer certificate from the client, and that certificate can be used to authenticate the client.
The certificate exit is called when MQIPT receives a peer certificate, allowing you to perform further validation. Any exception that the exit does not catch is caught by MQIPT, and the connection request is terminated. It is, therefore, good practice for the exit to catch all exceptions and to pass back an appropriate return code to MQIPT.
A sample is provided to show how a certificate exit can be implemented. For more information, see Use a certificate exit to authenticate an SSL/TLS server.
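The following skeleton is an added example, not the sample referred to above and not IBM's own code. It shows the defensive structure the preceding paragraph calls for: the exit converts the peer certificate into a standard java.security.cert.X509Certificate, checks validity and the subject DN against a per-route allowlist, and catches every exception itself so that it always hands a return code back to MQIPT instead of letting the connection be torn down by an unhandled exception. The MQIPT-specific names used here (validate, getCertificate, IPTCertificate.getEncoded, IPTTrace.entry/exit/data, CertificateExitResponse.OK and REJECT, and the (int, String) constructor) are assumptions to be checked against the class reference topics listed on this page; the allowed subject DN is a placeholder.

```java
// Added example: a certificate exit that never lets an exception escape to MQIPT.
// MQIPT method and constant names below are assumptions; verify them against the
// CertificateExit, CertificateExitResponse, IPTCertificate and IPTTrace references.
import com.ibm.mq.ipt.exit.CertificateExit;
import com.ibm.mq.ipt.exit.CertificateExitResponse;
import com.ibm.mq.ipt.exit.IPTCertificate;
import com.ibm.mq.ipt.exit.IPTTrace;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class AllowlistCertificateExit extends CertificateExit {

    // Placeholder allowlist of acceptable peer subject DNs (RFC 2253 form).
    private static final Set<String> ALLOWED_SUBJECTS = new HashSet<>(Arrays.asList(
            "CN=qm1.example.invalid,O=Example Org,C=GB"   // placeholder value
    ));

    @Override
    public CertificateExitResponse validate(IPTTrace trace) {
        final String method = "AllowlistCertificateExit.validate";
        trace.entry(method);                               // assumed IPTTrace API
        try {
            IPTCertificate peer = getCertificate();        // assumed accessor
            if (peer == null) {
                trace.data(method, "no peer certificate presented");
                return reject("no peer certificate presented");
            }

            // Re-parse the DER bytes with the JDK so validity and DN checks use
            // well-known, standard API rather than exit-specific accessors.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate x509 = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(peer.getEncoded()));   // assumed accessor

            x509.checkValidity();   // throws CertificateExpiredException / NotYetValidException

            String subject = x509.getSubjectX500Principal().getName();
            trace.data(method, "peer subject=" + subject);
            if (!ALLOWED_SUBJECTS.contains(subject)) {
                return reject("subject not in allowlist: " + subject);
            }

            return new CertificateExitResponse(CertificateExitResponse.OK);   // assumed constant
        } catch (Exception e) {
            // Catch everything: an exception escaping this method would make MQIPT
            // drop the connection without the exit's own return code or message.
            trace.data(method, "validation failed: " + e);
            return reject("validation failed: " + e.getClass().getSimpleName());
        } finally {
            trace.exit(method);                            // assumed IPTTrace API
        }
    }

    private static CertificateExitResponse reject(String reason) {
        // Assumed (int, String) constructor and REJECT constant.
        return new CertificateExitResponse(CertificateExitResponse.REJECT, reason);
    }
}
```

The allowlist is deliberately an exact match on the normalised subject DN rather than a substring or CN-only comparison, so a certificate from the same issuer with a different organisation or a look-alike common name is not accepted by accident. Keep the work inside validate small and non-blocking, because, as the note below explains, the exit runs inside the single MQIPT Java virtual machine.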
Note: MQIPT runs in a single Java virtual machine, so a user-defined certificate exit might jeopardize the normal operation of MQIPT in one of these ways:
- Affect system resources
- Generate bottlenecks
- Degrade performance
We should test the effects of our certificate exit extensively before implementing it in a production environment.
- The com.ibm.mq.ipt.exit.CertificateExit class
- The com.ibm.mq.ipt.exit.CertificateExitResponse class
- The com.ibm.mq.ipt.exit.IPTCertificate class
- The com.ibm.mq.ipt.exit.IPTTrace class
- Certificate exit return codes
Parent topic: SSL/TLS support