Secure connections to an IBM MQ queue manager
To enable an XMS .NET application to make secure connections to an IBM MQ queue manager, the relevant properties must be defined in the ConnectionFactory object.
The protocol used in the encryption negotiation can be either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), depending on which CipherSuite you specify in the ConnectionFactory object.
If you use the IBM WebSphere MQ Version 7.0.0.1 and later client libraries and connect to an IBM WebSphere MQ Version 7.0 queue manager, you can create multiple connections to the same queue manager in an XMS application. However, a connection to a different queue manager is not permitted. If you attempt one, you get the MQRC_SSL_ALREADY_INITIALIZED error.
If you use the IBM WebSphere MQ Version 6.0 and later client libraries, you can create an SSL connection only if you close any previous SSL connection first. Multiple concurrent SSL connections from the same process to the same or different queue managers are not permitted. If you attempt more than one request, you get the warning MQRC_SSL_ALREADY_INITIALIZED, which might mean that some requested parameters for the SSL connection were ignored.
ConnectionFactory properties for connections via SSL to an IBM MQ queue manager, with a brief description, are shown in the following table:
Name of property | Description |
---|---|
XMSC_WMQ_SSL_CERT_STORES | The locations of the servers that hold the certificate revocation lists (CRLs) to be used on an SSL connection to a queue manager. |
XMSC_WMQ_SSL_CIPHER_SPEC | The name of the CipherSpec to be used on a secure connection to a queue manager. |
XMSC_WMQ_SSL_CIPHER_SUITE | The name of the CipherSuite to be used on a TLS connection to a queue manager. The protocol used in negotiating the secure connection depends on the specified CipherSuite. |
XMSC_WMQ_SSL_CRYPTO_HW | Configuration details for the cryptographic hardware connected to the client system. |
XMSC_WMQ_SSL_FIPS_REQUIRED | The value of this property determines whether an application can or cannot use non-FIPS compliant cipher suites. If this property is set to true, only FIPS algorithms are used for the client-server connection. |
XMSC_WMQ_SSL_KEY_REPOSITORY | The location of the key database file in which keys and certificates are stored. |
XMSC_WMQ_SSL_KEY_RESETCOUNT | The KeyResetCount represents the total number of unencrypted bytes sent and received within an SSL conversation before the secret key is renegotiated. |
XMSC_WMQ_SSL_PEER_NAME | The peer name to be used on an SSL connection to a queue manager. |
- CipherSuite and CipherSpec name mappings for XMS connections to an IBM MQ queue manager
The InitialContext translates between the JMSAdmin Connection Factory property SSLCIPHERSUITE and the XMS near-equivalent XMSC_WMQ_SSL_CIPHER_SPEC. A similar translation is necessary if you specify a value for XMSC_WMQ_SSL_CIPHER_SUITE but omit a value for XMSC_WMQ_SSL_CIPHER_SPEC.
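
The following sketch, added here as an illustration and not taken from IBM's samples, sets several of the properties in the table on a ConnectionFactory (in .NET they are referenced as `XMSC.WMQ_SSL_*` constants) and closes the first secure connection before opening one to a different queue manager, which avoids MQRC_SSL_ALREADY_INITIALIZED. Host names, port, channel, queue manager names, key repository path, CipherSpec, peer name and reset count are constructed sample values, and `BuildFactory` and `ConnectOnce` are hypothetical helper names.

```csharp
using System;
using IBM.XMS;

static class SecureMqConnect
{
    // All literal values below are constructed samples; replace them with your own.
    static IConnectionFactory BuildFactory(string host, string qmgr)
    {
        XMSFactoryFactory ff = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);
        IConnectionFactory cf = ff.CreateConnectionFactory();
        cf.SetStringProperty(XMSC.WMQ_HOST_NAME, host);
        cf.SetIntProperty(XMSC.WMQ_PORT, 1414);
        cf.SetStringProperty(XMSC.WMQ_CHANNEL, "APP.TLS.SVRCONN");
        cf.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, qmgr);
        cf.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, XMSC.WMQ_CM_CLIENT_UNMANAGED);

        // Secure-connection properties from the table above.
        cf.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, @"C:\mqclient\ssl\key");
        cf.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "TLS_RSA_WITH_AES_128_CBC_SHA256");
        // Refuse a queue manager whose certificate DN does not match this pattern.
        cf.SetStringProperty(XMSC.WMQ_SSL_PEER_NAME, "CN=" + qmgr + ",O=Example");
        // Allow only FIPS algorithms on the client-server connection.
        cf.SetBooleanProperty(XMSC.WMQ_SSL_FIPS_REQUIRED, true);
        // Renegotiate the secret key after this many unencrypted bytes.
        cf.SetIntProperty(XMSC.WMQ_SSL_KEY_RESETCOUNT, 1048576);
        return cf;
    }

    static void ConnectOnce(string host, string qmgr)
    {
        IConnection conn = BuildFactory(host, qmgr).CreateConnection();
        try { conn.Start(); /* create sessions and do work here */ }
        finally { conn.Close(); } // close before any connection to another queue manager
    }

    static void Main()
    {
        try
        {
            ConnectOnce("mq1.example.com", "QM1");
            ConnectOnce("mq2.example.com", "QM2"); // different queue manager, opened after the close
        }
        catch (XMSException ex)
        {
            // The linked exception carries the underlying MQ reason code.
            Console.Error.WriteLine("XMS error {0}: {1}", ex.ErrorCode, ex.Message);
            if (ex.LinkedException != null) Console.Error.WriteLine(ex.LinkedException.Message);
        }
    }
}
```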