Configure TLS channels
To configure TLS channels, we use the SSL page of the Channel properties dialog to define the cipher specification to be used. You can optionally configure a channel to accept only certificates with attributes in the distinguished name of the owner that match given values. We can also optionally configure a queue manager channel so that the queue manager refuses the connection if the initiating party does not send its own personal certificate.
To configure channels in IBM MQ Explorer, complete the following steps.
Procedure
- Open IBM MQ Explorer.
- In the Navigator view, expand the Queue Managers folder, then click the Channels folder.
- In the Content view, right-click the channel, then click Properties.
- In the Properties dialog, open the SSL page.
Results
Use the SSL page of the Channel properties dialog for the following tasks.
Set message security
TLS-enabled messaging offers two methods of ensuring message security:
- Encryption ensures that if the message is intercepted, it is unreadable.
- Hash functions ensure that if the message is altered, this is detected.
The combination of these methods is called the cipher specification, or CipherSpec. The same CipherSpec must be set for both ends of a channel, otherwise TLS-enabled messaging fails. For more information, see Securing.
On the SSL page of the Properties dialog, do one of the following:
- From the Standard cipher field, select a standard cipher.
- If we are an advanced user and we are administering a queue manager on a z/OS or IBM i platform that includes new CipherSpecs that are not the IBM MQ predefined list, enter a platform-specific value for a CipherSpec in the Custom ciphers field.
Filtering certificates on their owner's name
Certificates contain the distinguished name of the owner of the certificate. You can optionally configure the channel to accept only certificates with attributes in the distinguished name of the owner that match given values. To do this, select the Accept only certificates with Distinguished Names matching these values check box.
The attribute names that IBM MQ can filter are listed in the following table:
| Attribute names | Meaning |
|---|---|
| SERIALNUMBER | Certificate serial number |
| Email address | |
| E | Email address (Deprecated in preference to MAIL) |
| UID or USERID | User identifier |
| CN | Common Name |
| T | Title |
| OU | Organizational Unit name |
| DC | Domain component |
| O | Organization name |
| STREET | Street / First line of address |
| L | Locality name |
| ST (or SP or S) | State or Province name |
| PC | Postal code / zip code |
| C | Country |
| UNSTRUCTUREDNAME | Host name |
| UNSTRUCTUREDADDRESS | IP address |
| DNQ | Distinguished name qualifier |
In the Accept only certificates with Distinguished Names matching these values field, we can use the wildcard character (*) at the beginning or the end of the attribute value in place of any number of characters. For example, to accept only certificates from any person with a name ending with Smith working for IBM in GB, type:
CN=*Smith, O=IBM, C=GB
Authenticating parties initiating connections to a queue manager
When another party initiates a TLS-enabled connection to a queue manager, the queue manager must send its personal certificate to the initiating party as proof of identity. We can also optionally configure the queue manager channel so that the queue manager refuses the connection if the initiating party does not send its own personal certificate. To do this, on the SSL page of the Channel properties dialog, select Required from the Authentication of parties initiating connections list.
Parent topic: Securing channels with TLSRelated tasks