Configuring TLS security for IBM MQ

To configure TLS security, you set up TLS on each queue manager and each client that uses TLS-enabled connections.

About this task

For an introduction, and details on how certificates are used to establish TLS connections, see Securing channels with TLS.

Procedure

To set up TLS on a queue manager, complete the following steps for each queue manager that uses TLS connections:

  1. Create a TLS key repository for the queue manager and add the necessary certificates to the key repository.
    [MQ 9.4.0 Jun 2024] Note: The strmqikm GUI is removed from IBM® MQ in IBM MQ 9.4.0 and cannot be used to manage TLS certificates from IBM MQ Explorer. From IBM MQ 9.4.0, use the runmqakm or runmqktool commands to manage TLS certificates on AIX®, Linux®, and Windows. For more information, see Working with SSL/TLS in IBM Documentation.
    Use the commands that are available on the system where the queue manager runs to complete the following steps:
    1. Create a key repository in the location that is specified in the queue manager's Key repository attribute.
    2. Request and obtain from a certificate authority (CA) a personal certificate with the correct label and its full chain of CA certificates back to the root certificate.
    3. Add all the certificates, in the correct order, to the queue manager's key repository.
  2. Configure the queue manager for TLS-enabled messaging. For more information, see Configuring SSL on queue managers.
  3. Configure channels to support secure messaging using TLS. For more information, see Configuring TLS channels.

To set up TLS on an IBM MQ client, complete the following steps for each client that uses TLS connections:

  1. Create a TLS key repository for the client and add the necessary certificates to the key repository.
    [MQ 9.4.0 Jun 2024] Note: The strmqikm GUI is removed from IBM MQ in IBM MQ 9.4.0 and cannot be used to manage TLS certificates from IBM MQ Explorer. From IBM MQ 9.4.0, use the runmqakm or runmqktool commands to manage TLS certificates on AIX, Linux, and Windows. For more information, see Working with SSL/TLS in IBM Documentation.
    Use the commands that are available on the system where the client runs to complete the following steps:
    1. Create the client's key repository.
    2. Request and obtain from a certificate authority (CA) a personal certificate with the correct label and its full chain of CA certificates back to the root certificate.
    3. Add all the certificates, in the correct order, to the client's key repository.
  2. Configure the client for TLS-enabled messaging. For more information, see Configuring TLS on IBM MQ clients.
  3. Configure the client channel definition to support secure messaging using TLS. For more information, see Configuring SSL on IBM MQ clients.
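
The key repository sub-steps in both procedures above (queue manager and client), sketched with runmqakm as an added example that is not part of the original IBM page. The function names, file paths and "ca-N" labels are hypothetical, and the root-first import order is this example's assumption about what "the correct order" means: each certificate is added after its issuer, so it can be validated against what is already in the repository.

```shell
#!/bin/sh
# Added example: build a CMS key repository with runmqakm and load a
# CA-issued chain. Paths, labels and the DN passed in are placeholders.

AKM="${AKM:-runmqakm}"   # override to dry-run or to point at a full path

# Sub-step 1: create the repository and stash its password (-stash writes
# a .sth file beside the .kdb). The -pw value is visible in the process
# list while the command runs, so run this on a trusted admin session.
create_repo() {   # $1 = path to .kdb, $2 = repository password
    "$AKM" -keydb -create -db "$1" -pw "$2" -type cms -stash
}

# Sub-step 2: generate the key pair and the request to send to the CA.
# The label must be the one the queue manager or client is configured
# to look up, for example ibmwebspheremqqm1 for a queue manager QM1.
request_cert() {  # $1 = .kdb, $2 = label, $3 = DN, $4 = output request file
    "$AKM" -certreq -create -db "$1" -stashed -label "$2" \
        -dn "$3" -size 2048 -sig_alg SHA256WithRSA -file "$4"
}

# Sub-step 3: add the CA certificates root first (assumed order), then
# receive the personal certificate against the pending request. Stops at
# the first failed import so a broken chain is never half-loaded silently.
load_chain() {    # $1 = .kdb, $2 = personal cert, $3... = CA certs, root first
    db=$1; personal=$2; shift 2
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        "$AKM" -cert -add -db "$db" -stashed -label "ca-$n" \
            -file "$ca" -format ascii || return 1
    done
    "$AKM" -cert -receive -db "$db" -stashed -file "$personal" -format ascii
}
```

Call the three functions in order, for example `load_chain /path/to/key.kdb qm1.pem root.pem intermediate.pem` once the CA has returned the signed certificate; all file names here are constructed.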

Results

For more information, see Securing IBM MQ in IBM Documentation.