Configure TLS on IBM MQ MQI clients

Manage the IBM MQ client certificates, configure the channels to use TLS, and authenticate certificates by using either Certificate Revocation Lists or OCSP authentication.


This task introduces the commands that we use to work with TLS on an IBM MQ client. For more information, see Securing and Set up IBM MQ MQI client security.

Complete any of the following tasks:
  1. Manage the IBM MQ client certificates
  2. Configure the channels to use TLS
  3. Authenticate certificates using Certificate Revocation Lists
  4. Authenticate certificates using OCSP authentication


Procedure

  • [OPTION 1] Manage the IBM MQ client certificates

    Use the IBM Key Management (iKeyman) GUI to manage your TLS certificates. For more information, see Starting the IBM Key Management GUI.

    1. Find the location of the client key repository. Type the following command to examine the MQSSLKEYR environment variable:
      echo %MQSSLKEYR%
    2. In the iKeyman GUI, ensure that the client key repository contains all the Certificate Authority (CA) certificates that might be required to validate certificates that are received from other queue managers.
    3. Check the application, because the key repository can be set on an MQCONNX call. If both values are set, the value set on the MQCONNX call overrides the value of MQSSLKEYR.

  • [OPTION 2] Configure the channels to use TLS

    Set up the TLS channels as described in Configure TLS channels.

  • [OPTION 3] Authenticate certificates using Certificate Revocation Lists

    Certification Authorities (CAs) can revoke certificates that are no longer trusted by publishing them in a Certification Revocation List (CRL). When a certificate is received by a queue manager or an IBM MQ MQI client, it can be checked against the CRL to ensure that it has not been revoked. CRL checking is not mandatory for TLS-enabled messaging to be achieved, but is recommended to ensure the trustworthiness of user certificates.

    We can set up an IBM MQ MQI client to check certificates against CRLs on LDAP servers.

    1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
    2. Create a new authentication information object of type CRL LDAP. For more information, see Create and configure queue managers and objects.
    3. Repeat the previous step to create as many authentication information objects as you need.
    4. Create a namelist and add to the namelist the names of the authentication information objects that you created in Steps 2 and 3. For more information, see Create and configure queue managers and objects.
    5. Right-click the queue manager, then click Properties.
    6. On the SSL page, in the CRL Namelist field, type the name of the namelist that you created in Step 4.
    7. Click OK.

      All the LDAP CRL information is now written to the client channel definition table.

    8. Make the client channel definition table available to the client, or, if we are using Windows Active Directory, write out the information from the client channel definition table to the Active Directory. See the setmqscp command.

    We can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible. For more information, see Securing.

    See also Overview of IBM MQ MQI clients.

  • [OPTION 4] Authenticate certificates using OCSP authentication

    We can set up a IBM MQ MQI client to check certificates against an OCSP responder. Some client environments do not support OCSP revocation checking, but all server platforms support the ability to define OCSP configuration which will be written into the client channel definition table file.

    1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
    2. Create a new authentication information object of type OCSP. For more information, see Create and configure queue managers and objects.
    3. Repeat the previous step to create as many OCSP authentication information objects as we need.
    4. Create a new namelist and add to the namelist the names of the OCSP authentication information objects that you created in Steps 2 and 3. For more information, see Create and configure queue managers and objects.
    5. Right-click the queue manager, then click Properties.
    6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
    7. Click OK.
    8. Make the client channel definition table available to the client.

    Only one OCSP object can be added to the namelist because the socket library can only use one OCSP responder URL at a time. For more information, see Securing.

    See also Overview of IBM MQ MQI clients.

Parent topic: Securing channels with TLS


Related tasks


Related reference