TLS security protocols in IBM MQ
IBM MQ supports the Transport Layer Security (TLS) protocol to provide link level security for message channels and MQI channels.
On each channel the caller MCA is the TLS client and the responder MCA is the TLS server.
IBM MQ supports Versions 1.2 and 1.3 of the TLS protocol. Earlier versions of TLS, and SSL 3.0, are deprecated and disabled by default; they can be re-enabled if needed, but should stay disabled unless a partner system cannot be upgraded. We can specify the cryptographic algorithms that are used by the TLS protocol by supplying a CipherSpec, the SSLCIPH attribute, as part of the channel definition; the CipherSpecs at the two ends of a channel must be compatible for the handshake to succeed.
See Enable CipherSpecs for a list of the CipherSpecs supported by IBM MQ and Deprecated CipherSpecs for those that are deprecated.
The SECPROT and SSLCIPH attributes of DISPLAY CHSTATUS show the security protocol and the CipherSpec actually in use on a running channel instance, which is the quickest way to confirm that a channel is not silently running in plaintext or on a deprecated protocol.
At each end of a message channel, and at the server end of an MQI channel, the MCA acts on behalf of the queue manager to which it is connected. During the TLS handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. At the client end of an MQI channel, the IBM MQ client code acts on behalf of the user of the client application and, during the TLS handshake, sends the user's digital certificate to the MCA at the server end of the MQI channel.
Queue managers and IBM MQ client users are not required to have personal digital certificates when they are acting as TLS clients, unless SSLCAUTH(REQUIRED) is specified at the server side of the channel. SSLCAUTH(REQUIRED) is the default; with SSLCAUTH(OPTIONAL) the channel is encrypted but a client that presents no certificate is not authenticated by TLS at all.
Digital certificates are stored in a key repository. The queue manager attribute SSLKeyRepository (SSLKEYR in MQSC) specifies the location of the key repository that holds the queue manager's digital certificate. On an IBM MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user's digital certificate. Alternatively, an IBM MQ client application can specify the location in the KeyRepository field of the TLS configuration options structure, MQSCO, on an MQCONNX call. In each case the location is given without the file suffix. See the related topics for more information about key repositories and how to specify where they are located.
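The following script is an added example and is not IBM's code or part of the original page. It walks through the pieces described above on one MQI channel: building a key repository at each end with runmqakm, setting SSLKEYR on the queue manager, defining the SVRCONN channel with a CipherSpec and SSLCAUTH(REQUIRED) plus an SSLPEER filter (the weak SSLCAUTH(OPTIONAL) form is shown as an MQSC comment beside it), generating the matching CLNTCONN definition and MQSSLKEYR setting for the client, and finally parsing DISPLAY CHSTATUS output to flag channel instances whose SECPROT is not TLS 1.2 or 1.3. The queue manager name QM1, channel APP.SVRCONN, organisation O=Example, key repository paths, listener port and the sample CHSTATUS output are all assumptions; the real IBM MQ commands only run when runmqsc is on the PATH.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed names: QM1, APP.SVRCONN, O=Example and
# the key repository paths below; override them via the environment.
set -eu

QM="${QM:-QM1}"
CHANNEL="${CHANNEL:-APP.SVRCONN}"
ORG="${ORG:-Example}"
PORT="${PORT:-1414}"
CIPHERSPEC="${CIPHERSPEC:-ECDHE_RSA_AES_256_GCM_SHA384}"   # a TLS 1.2 CipherSpec
# SSLKEYR and MQSSLKEYR take the path without the .kdb suffix.
QM_KEYR="${QM_KEYR:-/var/mqm/qmgrs/$QM/ssl/key}"
CLIENT_KEYR="${CLIENT_KEYR:-${HOME:-/tmp}/mqclient/key}"
CLIENT_USER="${CLIENT_USER:-$(id -un)}"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Build both key repositories (CMS .kdb, password stashed). Personal certificates use
# the default label convention ibmwebspheremq<qmgr> and ibmwebspheremq<userid>, lower
# case. Self-signed certificates are swapped between the repositories so each end
# trusts the other (mutual authentication); use CA-issued certificates in production.
build_key_repositories() {
    pw="$1"
    qm_label="ibmwebspheremq$(lower "$QM")"
    cl_label="ibmwebspheremq$(lower "$CLIENT_USER")"
    for db in "$QM_KEYR" "$CLIENT_KEYR"; do
        mkdir -p "$(dirname "$db")"
        runmqakm -keydb -create -db "$db.kdb" -pw "$pw" -type cms -stash
    done
    runmqakm -cert -create -db "$QM_KEYR.kdb" -stashed -label "$qm_label" \
        -dn "CN=$QM,O=$ORG" -size 2048 -sig_alg SHA256WithRSA -expire 365
    runmqakm -cert -create -db "$CLIENT_KEYR.kdb" -stashed -label "$cl_label" \
        -dn "CN=$CLIENT_USER,O=$ORG" -size 2048 -sig_alg SHA256WithRSA -expire 365
    runmqakm -cert -extract -db "$QM_KEYR.kdb" -stashed -label "$qm_label" -target qm.arm -format ascii
    runmqakm -cert -extract -db "$CLIENT_KEYR.kdb" -stashed -label "$cl_label" -target client.arm -format ascii
    runmqakm -cert -add -db "$QM_KEYR.kdb" -stashed -label "client-$CLIENT_USER" -file client.arm
    runmqakm -cert -add -db "$CLIENT_KEYR.kdb" -stashed -label "qm-$QM" -file qm.arm
}

# MQSC for the queue manager. The commented-out (*) definition is the weak form:
# SSLCAUTH(OPTIONAL) with no SSLPEER encrypts the channel but lets a client with no
# certificate connect unauthenticated. The live definition requires a client
# certificate whose DN contains O=<ORG>. A CLNTCONN definition with the same
# CipherSpec is written to the queue manager's client channel definition table.
mqsc_server_side() {
    cat <<EOF
ALTER QMGR SSLKEYR('$QM_KEYR')
* DEFINE CHANNEL($CHANNEL) CHLTYPE(SVRCONN) SSLCIPH($CIPHERSPEC) SSLCAUTH(OPTIONAL)
DEFINE CHANNEL($CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH($CIPHERSPEC) SSLCAUTH(REQUIRED) SSLPEER('O=$ORG') REPLACE
DEFINE CHANNEL($CHANNEL) CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('localhost($PORT)') QMNAME($QM) SSLCIPH($CIPHERSPEC) REPLACE
REFRESH SECURITY TYPE(SSL)
DISPLAY CHSTATUS($CHANNEL) SECPROT SSLCIPH SSLPEER
EOF
}

# Client side: MQSSLKEYR names the client key repository (MQSCO.KeyRepository on
# MQCONNX is the programmatic alternative); MQCHLLIB/MQCHLTAB point at the CCDT,
# because the MQSERVER environment variable cannot be used with TLS channels.
client_env() {
    cat <<EOF
export MQSSLKEYR='$CLIENT_KEYR'
export MQCHLLIB='/var/mqm/qmgrs/$QM/@ipcc'
export MQCHLTAB='AMQCLCHL.TAB'
EOF
}

# Offline check over DISPLAY CHSTATUS output: print CHANNEL and SECPROT for every
# instance not on TLS 1.2/1.3 (SECPROT is NONE for plaintext, SSLV3/TLSV1 for
# deprecated protocols); exit status 1 if any were found.
check_chstatus() {
    awk 'BEGIN { bad = 0 }
         /CHANNEL\(/ { match($0, /CHANNEL\([^)]*\)/); chl = substr($0, RSTART + 8, RLENGTH - 9) }
         /SECPROT\(/ { match($0, /SECPROT\([^)]*\)/); prot = substr($0, RSTART + 8, RLENGTH - 9)
                       if (prot != "TLSV12" && prot != "TLSV13") { print chl " " prot; bad = 1 } }
         END { exit bad }'
}

# Constructed DISPLAY CHSTATUS output for the offline check (not captured from a real queue manager).
SAMPLE_CHSTATUS='AMQ8417I: Display Channel Status details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
   SECPROT(TLSV12)                         SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384)
AMQ8417I: Display Channel Status details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
   SECPROT(NONE)                           SSLCIPH( )'

if command -v runmqsc >/dev/null 2>&1; then
    build_key_repositories "${KEYDB_PASSWORD:?set KEYDB_PASSWORD}"
    mqsc_server_side | runmqsc "$QM"
    mqcertck -m "$QM"                      # IBM's checker for common TLS configuration mistakes
    client_env
    echo "DISPLAY CHSTATUS(*) SECPROT SSLCIPH" | runmqsc "$QM" | check_chstatus || echo "non-TLS channel instances found"
else
    echo "runmqsc not on PATH; MQSC and client settings that would be applied:"
    mqsc_server_side
    client_env
    printf '%s\n' "$SAMPLE_CHSTATUS" | check_chstatus || echo "non-TLS channel instances found (sample)"
fi
```

The CHSTATUS check is worth running periodically on its own: a channel defined with SSLCIPH but started by a partner that negotiated nothing shows SECPROT(NONE), and that is the case this page's SECPROT/SSLCIPH advice is meant to catch.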
Support for TLS
IBM MQ provides support for TLS 1.2 and TLS 1.3 on all platforms. For more information about the TLS protocol, refer to the information in the subtopics.
- IBM i: TLS support is integral to the IBM i operating system.
- Java and JMS clients: these clients use the JVM to provide TLS support.
- AIX, Linux and Windows systems: TLS support is installed with IBM MQ.
- z/OS: TLS support is integral to the z/OS operating system, where it is known as System SSL.
For information about any prerequisites for IBM MQ TLS support, see System Requirements for IBM MQ.
- The SSL/TLS key repository
  A mutually authenticated TLS connection requires a key repository at each end of the connection. The key repository includes digital certificates and private keys.
- MQCSP password protection
  From IBM MQ Version 8.0, we can send passwords that are included in the MQCSP structure either protected, by using IBM MQ functionality, or encrypted, by using TLS encryption.
- Digital Certificate Manager (DCM)
  Use the DCM to manage digital certificates and private keys on IBM i.
- Federal Information Processing Standards (FIPS)
  This topic introduces the Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program of the US National Institute of Standards and Technology and the cryptographic functions that can be used on TLS channels.
- Verify the TLS configuration of our queue manager with mqcertck
  The mqcertck command looks for common mistakes in the TLS configuration of a queue manager and suggests how to resolve them.
- SSL/TLS on the IBM MQ MQI client
  IBM MQ supports TLS on clients. We can tailor the use of TLS in various ways.
- CipherSpecs and CipherSuites in IBM MQ
  IBM MQ supports TLS 1.2 and TLS 1.3 CipherSpecs, and RSA and Diffie-Hellman algorithms. Deprecated CipherSpecs are disabled by default but can be enabled if we need to do so.
- NSA Suite B Cryptography in IBM MQ
  This topic provides information about how to configure IBM MQ on Windows, Linux, and UNIX to conform to the Suite B compliant TLS 1.2 profile.
- Configure IBM MQ for Suite B
  IBM MQ can be configured to operate in compliance with the NSA Suite B standard on Windows, UNIX and Linux platforms.
- Certificate validation policies in IBM MQ
  The certificate validation policy determines how strictly the certificate chain validation conforms to industry security standards.
- Configure certificate validation policies in IBM MQ
  We can specify which TLS certificate validation policy is used to validate digital certificates received from remote partner systems in four ways.
- Digital certificates and CipherSpec compatibility in IBM MQ
  This topic explains how to choose CipherSpecs and digital certificates that fit the security policy, by outlining the relationship between CipherSpecs and digital certificates in IBM MQ.