The TLS sample program
AMQSSSLC is a sample C program that demonstrates how to use the MQCNO and MQSCO structures to supply TLS client connection information on the MQCONNX call. This enables a client MQI application to provide the definition of its client connection channel and TLS settings at run time without a client channel definition table (CCDT).
If a connection name is supplied, the program constructs a client connection channel definition in an MQCD structure.
If the stem name of the key repository file is supplied, the program constructs an MQSCO structure; if an OCSP responder URL is also supplied, the program constructs an authentication information record MQAIR structure.
The program then connects to the queue manager using MQCONNX. It inquires and prints out the name of the queue manager to which it connected.
This program is intended to be linked as an MQI client application. However, it can also be linked as a regular MQI application, in which case it simply connects to a local queue manager and ignores the client connection information.
AMQSSSLC accepts the following parameters, all of which are optional:
- -m QmgrName
- Name of the queue manager to connect to
- -c ChannelName
- Name of the channel to use
- -x ConnName
- Server connection name
TLS parameters:
- -k KeyReposStem
- The stem name of the key repository file. This is the full path to the file without the .kdb suffix. For example:
/home/user/client
C:\User\client
- -s CipherSpec
- The TLS channel CipherSpec string corresponding to the SSLCIPH on the SVRCONN channel definition on the queue manager.
- -f
- Specifies that only FIPS 140-2 certified algorithms must be used.
- -b VALUE1[,VALUE2...]
- Specifies that only Suite B compliant algorithms must be used. This parameter is a comma-separated list of one or more of the following values: NONE,128_BIT,192_BIT. These values have the same meaning as those for the MQSUITEB environment variable, and the equivalent EncryptionPolicySuiteB setting in the client configuration file SSL stanza.
- -p Policy
- Specifies the certificate validation policy to be used. This can be one of the following values:
- ANY
- Apply each of the certificate validation policies supported by the secure sockets library and accept the certificate chain if any of the policies considers the certificate chain valid. This setting can be used for maximum backwards compatibility with older digital certificates which do not comply with the modern certificate standards.
- RFC5280
- Apply only the RFC 5280 compliant certificate validation policy. This setting provides stricter validation than the ANY setting, but rejects some older digital certificates.
The default value is ANY.
- -l CertLabel
- The certificate label to use for the secure connection. Note: you must specify the value in lowercase characters.
OCSP certificate revocation parameter:
- -o URL
- The OCSP Responder URL
Running the TLS sample program
To run the TLS sample program, you must first set up your TLS environment. You then run the sample from the command line, supplying a number of parameters.
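The following is an added example, not code from IBM or from the sample itself: a POSIX shell wrapper that accepts the same option letters as AMQSSSLC, checks the values against the rules in the parameter list above (stem name without the .kdb suffix, lowercase certificate label, the ANY and RFC5280 policy values, the NONE/128_BIT/192_BIT Suite B values, and an OCSP URL given without a key repository) and only then prints the command line to run. It assumes the sample binary is called amqsslc and is on PATH (override with AMQSSLC_BIN); the queue manager, channel, host, certificate label and CipherSpec in the usage call are placeholder values, not values from this page.

```shell
#!/bin/sh
# Added example, not IBM's code: validate a set of amqsslc options against the
# rules in the parameter list, then print the assembled command line.
# Assumption: the sample binary is called amqsslc and is on PATH
# (override with AMQSSLC_BIN=/path/to/amqsslc).
AMQSSLC_BIN=${AMQSSLC_BIN:-amqsslc}

# valid_suiteb LIST: succeed only if LIST is a comma-separated list of
# NONE, 128_BIT and 192_BIT with no empty items.
valid_suiteb() {
  rest=$1
  case $rest in ''|,*|*,|*,,*) return 1 ;; esac
  while [ -n "$rest" ]; do
    case $rest in
      *,*) item=${rest%%,*}; rest=${rest#*,} ;;
      *)   item=$rest;       rest= ;;
    esac
    case $item in NONE|128_BIT|192_BIT) ;; *) return 1 ;; esac
  done
  return 0
}

# build_amqsslc_cmd OPTIONS...: accept the option letters amqsslc accepts,
# reject values the program would not accept, and print the command to run.
# Returns 1 on a bad value, 2 on an unknown option or missing argument.
build_amqsslc_cmd() {
  OPTIND=1
  cmd=$AMQSSLC_BIN
  have_k='' have_o=''
  while getopts 'm:c:x:k:s:fb:p:l:o:' opt; do
    case $opt in
      m|c|x|s)
        cmd="$cmd -$opt $OPTARG" ;;
      k)
        # -k takes the stem name: the key repository path without .kdb.
        case $OPTARG in
          *.kdb) echo "error: -k takes the stem name without the .kdb suffix: $OPTARG" >&2; return 1 ;;
        esac
        have_k=1; cmd="$cmd -k $OPTARG" ;;
      f)
        cmd="$cmd -f" ;;
      b)
        valid_suiteb "$OPTARG" || { echo "error: -b accepts only NONE,128_BIT,192_BIT: $OPTARG" >&2; return 1; }
        cmd="$cmd -b $OPTARG" ;;
      p)
        case $OPTARG in
          ANY|RFC5280) cmd="$cmd -p $OPTARG" ;;
          *) echo "error: -p must be ANY or RFC5280: $OPTARG" >&2; return 1 ;;
        esac ;;
      l)
        # The certificate label must be given in lowercase.
        lower=$(printf '%s' "$OPTARG" | tr '[:upper:]' '[:lower:]')
        [ "$lower" = "$OPTARG" ] || { echo "error: -l certificate label must be lowercase: $OPTARG" >&2; return 1; }
        cmd="$cmd -l $OPTARG" ;;
      o)
        have_o=1; cmd="$cmd -o $OPTARG" ;;
      *)
        return 2 ;;
    esac
  done
  # The sample builds the MQAIR (OCSP) record only when a key repository
  # stem is also supplied, so -o on its own achieves nothing.
  if [ -n "$have_o" ] && [ -z "$have_k" ]; then
    echo "warning: -o has no effect unless -k is also supplied" >&2
  fi
  printf '%s\n' "$cmd"
}

# Usage with placeholder values (queue manager, channel, host, label and
# CipherSpec are assumptions for this example, not values from the page):
build_amqsslc_cmd -m QM1 -c SSL.SVRCONN -x 'mqhost.example.com(1414)' \
  -k /home/user/client -s ECDHE_RSA_AES_128_GCM_SHA256 -p RFC5280 -l ibmwebspheremquser
```

The wrapper prints the command rather than executing it, so that a rejected value (a label with uppercase characters, a .kdb suffix on the stem, an unsupported policy) is caught before any connection attempt is made; a bad value goes to stderr with a non-zero return, which makes the check usable from a larger script.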