Testing SSL/TLS

We can test an SSL/TLS connection by using the examples provided in this documentation.

See Getting started with IBM MQ Internet Pass-Thru for a description of various scenarios. In particular, see the following tasks:

To test that your SSL/TLS configuration works correctly, we can use self-signed certificates. Self-signed certificates are useful in test scenarios so that we can ensure SSL/TLS connectivity without paying a Certificate Authority (CA) for a certificate. See Create test certificates for details.

We can find an example of a self-signed certificate in the sslSample.pfx sample key ring file, which is provided with MQIPT in the samples/ssl subdirectory. To open the sample PKCS #12 key ring files, we must use the password mqiptSample. The sample certificate is provided for convenience during testing. However, the private key of the sample certificate is known to all MQIPT users, so it is insecure and should be used only in a test environment.

We should not use any self-signed certificates in production environments, whether they are sample certificates or not. Instead, obtain a CA-signed certificate from a trusted CA. To create a CA-signed certificate, see Create a key ring file.
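The two warnings above (the sample key ring's password and private key are known to everyone, and self-signed certificates do not belong in production) can be checked before a key ring is deployed. The following script is an added example, not part of the MQIPT documentation or product; it assumes the openssl command-line tool is installed, and the function names and the KEYRING_PW variable are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment check for a PKCS #12 key ring. Needs openssl.
# Function names and the KEYRING_PW variable are made up for this example.

SAMPLE_PW='mqiptSample'   # password of the MQIPT sample key rings

# Print the key ring's personal certificate as PEM. Fails if the password
# is wrong. The password goes through the environment, not the command line.
# (With OpenSSL 3.x, key rings using older ciphers may also need -legacy.)
keyring_cert() {   # $1 = key ring file, $2 = password
    KR_PW="$2" openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:KR_PW 2>/dev/null | openssl x509 2>/dev/null
}

# True if the key ring opens with the publicly known sample password.
uses_sample_password() {   # $1 = key ring file
    keyring_cert "$1" "$SAMPLE_PW" >/dev/null
}

# True if a PEM certificate is self-signed: issuer equals subject and the
# signature verifies under the certificate's own public key.
is_self_signed() {   # $1 = PEM certificate file
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -no_check_time -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit status 0 = acceptable, 1 = do not deploy, 2 = could not be read.
check_keyring() {   # $1 = key ring file; its password comes from $KEYRING_PW
    if uses_sample_password "$1"; then
        echo "FAIL: $1 opens with the sample password"; return 1
    fi
    pem=$(mktemp) || return 2
    if ! keyring_cert "$1" "$KEYRING_PW" >"$pem"; then
        rm -f "$pem"; echo "ERROR: cannot open $1"; return 2
    fi
    if is_self_signed "$pem"; then
        rc=1; echo "FAIL: $1 holds a self-signed certificate"
    else
        rc=0; echo "OK: $1"
    fi
    rm -f "$pem"; return "$rc"
}

# Usage: KEYRING_PW=... sh check_keyring.sh /path/to/keyring.pfx
if [ $# -gt 0 ]; then check_keyring "$1"; fi
```

A key ring that opens with the sample password is rejected without looking further, because a publicly documented password gives the private key no protection.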

When creating or requesting a certificate, we should consider which key type, key size and digital signature algorithm are appropriate for our security needs. See Digital certificate considerations for MQIPT for further information.

Certificates and certificate management technologies are available from a number of third-party suppliers.
