+

Search Tips | Advanced Search

Default security preferences

A security exit can be defined for all client connections in the same IBM MQ Explorer. This is known as a default security exit and the preferences for the security exit are described here.

The default security preferences are part of the Preferences dialog, and they can be opened in the following way:
  1. Click Windows > Preferences.... The Preferences dialog opens.
  2. Expand MQ Explorer.
  3. Expand Client Connections. The default security settings dialogs are now accessible.


Security Exit

Select Enable default security exit to set the default security exit for all client connections in the same IBM MQ Explorer. The security exit for all the client-connected queue managers in a set can be changed. The security exit can be overridden if you define a new security exit when you add a new remote queue manager.

The Security Exit for all client-connected queue managers in a set can be changed. The TLS options can be overridden when you add a new remote queue manager.

Item Description
Exit name Specifies the name of the exit program to be run by the security exit. Exit name can be up to 1024 characters long and is case sensitive. Exit name can be a fully qualified java class name found in the directory or jar file. Exit name can be a C exit, of the format: dll_name(function_name). The default path for exits is always used to locate C exits, we cannot specify the location of the exit library in this entry field unless no default path is set.
in directory Specifies the directory for the security exit (Java exits only).
in jar Specifies the jar file for the security exit (Java exits only).
Exit data Exit data can be up to 32 characters long. If no value has been defined for that attribute, this field is all blanks.


SSL/TLS Options

Select Enable default SSL options to enable the default SSL/TLS options for all client connections in the same IBM MQ Explorer. The SSL/TLS options for all client-connected queue managers in a set can be changed. The SSL/TLS options can be overridden when you add a new remote queue manager.

Item Description
SSL CipherSpec The CipherSpec identifies the combination of encryption algorithm and hash function used by an SSL/TLS connection. A CipherSpec forms part of a CipherSuite, which identifies the key exchange and authentication mechanism as well as the encryption and hash function algorithms.

The size of the key used during the handshake can depend on the digital certificate we use, but some of the CipherSpecs supported by IBM MQ include a specification of the handshake key size. Note that larger handshake key sizes provide stronger authentication. With smaller key sizes, the handshake is faster.

For more information, see CipherSpecs and CipherSuites.

SSL FIPS required

Select Yes to use only FIPS-certified cipher suites. If you select Yes, then all TLS connections must use FIPS-certified cipher suites.

Select No to use any available cipher suites.

The default setting is No.

If we change this setting from Yes to No, or from No to Yes a dialog will be opened asking if we want to restart MQ Explorer.

Any changes to this setting will not be applied until the MQ Explorer has been restarted.

SSL reset count Type the number of bytes, from 0 to 999 999 999, that are sent and received within a TLS conversation before the secret key is renegotiated. A value of 0 means that the secret key is never renegotiated. The number of bytes includes control information that is sent by the message channel agent (MCA). If the value of this attribute is greater than 0 and the value of the Heartbeat interval attribute in the Channel properties is greater than 0, the secret key is also renegotiated before message data is sent or received following a channel heartbeat.
Peer name The Distinguished Name (DN) of the queue manager to be used by TLS. The peer name is set to indicate that connections will only be allowed where the server is successfully authenticated as a specific DN.


SSL/TLS Stores

Select Enable default SSL stores to work with the Trusted Certificate Store and the Personal Certificate Store.

To configure IBM MQ Explorer with the location and password of the SSL/TLS certificate store, refer to: Specify the default location and default password of TLS certificates.

By enabling the default SSL/TLS stores, IBM MQ Explorer can use the certificates in the TrustStore and KeyStore to connect to remote queue managers with a TLS-enabled connection.

The SSL/TLS Stores for all client-connected queue managers in a set can be changed. The SSL/TLS Stores can be overridden when you add a new remote queue manager.

Parent topic: Configure a default security exit Parent topic: Preferences for IBM MQ Explorer


Related tasks


Related reference

Last updated: 2020-10-04