TLS support for the managed .NET client
The managed .NET client uses the Microsoft .NET Framework libraries to implement TLS secure socket protocols. The Microsoft System.Net.Security.SslStream class operates as a stream over a connected TCP socket and sends and receives data over that socket connection.
The minimum required .NET Framework level is .NET Framework v3.5. The level of cipher algorithm support is based on the .NET Framework level that the application is using:
- For applications that are based on .NET Framework levels 3.5 and 4.0, the available secure socket protocols are SSL 3.0 and TLS 1.0.
- For applications that are based on .NET Framework level 4.5, the available secure socket protocols are SSL 3.0, TLS 1.1 and TLS 1.2.
We might need to move applications that expect a higher TLS protocol level to a later version of the framework, as defined by Microsoft's security support policy for the .NET Framework.
The main features of TLS support for the managed .NET client are as follows:
- TLS protocol support
- TLS support for the .NET managed client is defined through the .NET SSLStream class, and depends on the .NET Framework that the application is using. For more information see TLS protocol support for the managed .NET client.
- CipherSpec support
- The TLS settings for the .NET managed client are those of the Microsoft .NET TLS streams. For more information see CipherSpec support for the managed .NET client and CipherSpec mappings for the managed .NET client.
- Key repositories
- The key repository on the client side is a Windows keystore. The server side repository is a Cryptographic Message Syntax (CMS) type of repository. For more information see Key repositories for the managed .NET client.
- Certificates
- We can use self-signed TLS certificates to implement mutual authentication between a client and a queue manager. For more information see Use certificates for the managed .NET client.
- SSLPEERNAME
- In .NET, applications can use the optional SSLPEERNAME attribute to specify a Distinguished Name (DN) pattern. For more information see SSLPEERNAME.
- FIPS compliance
- Enabling FIPS programmatically is not supported by the Microsoft .NET Security library. FIPS enablement is controlled by the Windows Group Policy setting.
- NSA Suite B compliance
- IBM MQ implements RFC 6460. The Microsoft .NET implementation for NSA Suite B is RFC 5430. This is supported from .NET Framework 3.5 onwards.
- Secret key reset or renegotiation
- Although the SSLStream class does not support secret key resetting or renegotiation, for consistency with other IBM MQ clients, the .NET managed client allows applications to set SSLKeyResetCount. For more information see Secret key reset or renegotiation.
- Revocation check
- The SSLStream class supports certificate revocation checking, which is automatically done by the certificate chaining engine. For more information see Revocation check.
- IBM MQ security exit support
- The SSLStream class provides limited support for IBM MQ security exits. Querying local and remote certificates to get SSLPeerNamePtr (Subject DN) and SSLRemCertIssNamePtr (Issuer DN) is possible, since this is supported in Microsoft .NET. However, there is no support for getting attributes such as DNQ, UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS, so these values cannot be retrieved using the exits.
- Cryptographic hardware support
- Cryptographic hardware is not supported for the managed .NET client.
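The features listed above (protocol selection by framework level, revocation checking by the certificate chaining engine, a Subject DN check in the style of SSLPEERNAME, and client certificates taken from the Windows keystore) are all surfaced by the underlying SslStream class. The following C# program is an added illustration of those mechanisms driven directly from .NET; it is not IBM MQ product code and not a Microsoft sample. The host name, port, certificate subject name and DN pattern are placeholders, and the DN matcher is a deliberately simplified version of the idea, not IBM MQ's own SSLPEERNAME matching rules.

```csharp
// Added illustration, not IBM MQ product code: the SslStream mechanisms this
// page describes, driven directly from .NET. Host, port, certificate subject
// name and DN pattern are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class ManagedTlsDemo
{
    // Placeholder DN pattern; every attribute in it must match the peer's Subject DN.
    const string ExpectedPeerDn = "CN=QM1, O=EXAMPLE";

    // Simplified SSLPEERNAME-style check: each "attr=value" in the pattern must be
    // present in the subject (case-insensitive; a trailing '*' acts as a wildcard).
    // Illustrative only; it does not handle quoted values containing commas.
    public static bool SubjectMatchesPattern(string subject, string pattern)
    {
        var present = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string part in subject.Split(','))
        {
            int eq = part.IndexOf('=');
            if (eq > 0)
                present[part.Substring(0, eq).Trim()] = part.Substring(eq + 1).Trim();
        }
        foreach (string part in pattern.Split(','))
        {
            int eq = part.IndexOf('=');
            if (eq <= 0) return false;
            string key = part.Substring(0, eq).Trim();
            string want = part.Substring(eq + 1).Trim();
            string have;
            if (!present.TryGetValue(key, out have)) return false;
            bool ok = want.EndsWith("*")
                ? have.StartsWith(want.TrimEnd('*'), StringComparison.OrdinalIgnoreCase)
                : string.Equals(have, want, StringComparison.OrdinalIgnoreCase);
            if (!ok) return false;
        }
        return true;
    }

    // Called after the chaining engine has built and checked the peer's chain.
    // Any chain error (a revoked certificate included, when revocation checking
    // is enabled below) arrives in sslPolicyErrors; fail closed on all of them.
    static bool ValidatePeer(object sender, X509Certificate cert, X509Chain chain,
                             SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors != SslPolicyErrors.None) return false;
        return SubjectMatchesPattern(cert.Subject, ExpectedPeerDn);
    }

    static void Main()
    {
        // Client certificate from the Windows keystore (current user's personal store).
        // "clientcert" is a placeholder subject name; validOnly=true skips expired certs.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection clientCerts =
            store.Certificates.Find(X509FindType.FindBySubjectName, "clientcert", true);
        store.Close();

        using (var tcp = new TcpClient("qm.example.invalid", 1414))   // placeholder endpoint
        using (var tls = new SslStream(tcp.GetStream(), false, ValidatePeer))
        {
            // The Tls11/Tls12 values exist from .NET Framework 4.5; on 3.5 and 4.0
            // only SslProtocols.Ssl3 and SslProtocols.Tls are available.
            tls.AuthenticateAsClient("qm.example.invalid", clientCerts,
                SslProtocols.Tls11 | SslProtocols.Tls12,
                checkCertificateRevocation: true);   // revocation via the chaining engine
            Console.WriteLine("Negotiated " + tls.SslProtocol +
                              ", cipher " + tls.CipherAlgorithm);
        }
    }
}
```

Note that SslStream offers no call to renegotiate the session keys, which is why the SSLKeyResetCount setting described above cannot change the stream's behaviour; and that FIPS mode is not selectable from this API either, it is inherited from the Windows Group Policy setting.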
- TLS protocol support for the managed .NET client
IBM MQ .NET TLS support is based on the .NET SSLStream class.
- CipherSpec support for the managed .NET client
The CipherSpec settings for an application are used during the handshake with the server.
- CipherSpec mappings for the managed .NET client
The IBM MQ .NET interface maintains an IBM MQ to Microsoft .NET mapping table that is used to determine the version of the TLS protocol that the managed client needs to use to establish a secure connection with a queue manager.
- Key repositories for the managed .NET client
The key repository on the client side of the TLS configuration is a Windows keystore. The server side repository is a Cryptographic Message Syntax (CMS) type of repository.
- Use certificates for the managed .NET client
For client certificates, the IBM MQ managed .NET client accesses the Windows keystore and loads all of the client's certificates that are matched either by certificate label or by the string.
- SSLPEERNAME
The SSLPEERNAME attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager.
- Secret key reset or renegotiation
The SSLStream class does not support secret key reset or renegotiation. However, to be consistent with other IBM MQ clients, the IBM MQ managed .NET client allows applications to set SSLKeyResetCount.
- Revocation check
The SSLStream class supports certificate revocation checking.
- Configure TLS for managed IBM MQ .NET
Configuring TLS for managed IBM MQ .NET consists of creating the signer certificates, then configuring the server side, the client side, and the application program.
- Writing a simple application
Tips for writing a simple IBM MQ managed .NET TLS application, including examples for setting the SSL properties for connection factories, creating a queue manager instance, connection, session and destination, and sending a test message.
- Configure trace for SSLStream
To capture tracing events and messages relating to the SSLStream class, we must add a configuration section for system diagnostics to the application configuration file for the application.
- Sample applications for implementing TLS in managed .NET
Sample applications are provided to show the implementation of TLS for managed .NET in IBM MQ classes for .NET, XMS .NET and IBM MQ custom channel for WCF.
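The child topics above describe configuring the managed client's TLS settings (key repository, CipherSpec, SSLPEERNAME, SSLKeyResetCount) and then connecting and sending a test message. The following C# program is an added example of that sequence using the IBM MQ classes for .NET; it is not one of the product's sample applications. The queue manager name, host, port, channel, queue, CipherSpec and peer DN are placeholders, and the "*USER" value for the certificate store property is an assumption about the accepted keystore selector.

```csharp
// Added example, not IBM's sample code: TLS-related connection properties for
// a managed-mode MQQueueManager, then a test put. All names are placeholders.
using System;
using System.Collections;
using IBM.WMQ;

class TlsConnectExample
{
    // Builds the property set for the managed client; returned so it can be
    // inspected or reused.
    public static Hashtable BuildTlsProperties()
    {
        var props = new Hashtable();
        props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED); // managed .NET client
        props.Add(MQC.HOST_NAME_PROPERTY, "qm.example.invalid");            // placeholder host
        props.Add(MQC.PORT_PROPERTY, 1414);
        props.Add(MQC.CHANNEL_PROPERTY, "TLS.SVRCONN");                     // placeholder channel

        // Key repository: the Windows keystore. "*USER" is assumed here to select
        // the current user's store (rather than the machine-wide one).
        props.Add(MQC.SSL_CERT_STORE_PROPERTY, "*USER");

        // CipherSpec: must be accepted by the channel and must map to a TLS version
        // that the application's .NET Framework level supports (TLS 1.2 needs 4.5+).
        props.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");

        // SSLPEERNAME: DN pattern the queue manager's certificate must match.
        props.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN=QM1, O=EXAMPLE");

        // Accepted for consistency with other IBM MQ clients; SslStream itself
        // cannot renegotiate keys, so this does not trigger a key reset here.
        props.Add(MQC.SSL_KEY_RESET_COUNT_PROPERTY, 0);
        return props;
    }

    static void Main()
    {
        MQQueueManager qmgr = null;
        try
        {
            qmgr = new MQQueueManager("QM1", BuildTlsProperties());      // placeholder QM name

            // Send one test message over the TLS-protected channel.
            MQQueue queue = qmgr.AccessQueue("TEST.QUEUE", MQC.MQOO_OUTPUT);
            MQMessage msg = new MQMessage();
            msg.WriteString("hello over TLS");
            queue.Put(msg, new MQPutMessageOptions());
            queue.Close();
            Console.WriteLine("Message put on TEST.QUEUE");
        }
        catch (MQException e)
        {
            // Handshake and certificate failures surface here as MQ reason codes.
            Console.WriteLine("MQ error CC=" + e.CompletionCode + " RC=" + e.ReasonCode);
        }
        finally
        {
            if (qmgr != null && qmgr.IsConnected) qmgr.Disconnect();
        }
    }
}
```

If the negotiated protocol must be confirmed, enable the SslStream trace described in the Configure trace for SSLStream topic rather than relying on the absence of an error: a CipherSpec that maps to TLS 1.2 will simply fail the handshake on an application built for .NET Framework 3.5 or 4.0.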
Parent topic: Transport Layer Security (TLS) support for .NET