To configure TLS security, you set up TLS on each queue manager and each client that uses
TLS-enabled connections.
About this task
For an introduction, and details on how certificates are used to establish TLS connections, see
Securing channels with TLS.
Procedure
To set up TLS on a queue manager, complete the following steps for each queue manager
that uses TLS connections:
- Create a TLS key repository for the queue manager and add the necessary certificates to the key repository.
  [MQ 9.4.0 Jun 2024] Note: The strmqikm GUI is removed from IBM® MQ in IBM MQ 9.4.0 and cannot be used to manage TLS certificates from IBM MQ Explorer. From IBM MQ 9.4.0, use the runmqakm or runmqktool commands to manage TLS certificates on AIX®, Linux®, and Windows. For more information, see Working with SSL/TLS in IBM Documentation.
  Use the commands that are available on the system where the queue manager runs to complete the following steps:
  - Create a key repository in the location that is specified in the queue manager's Key repository attribute.
  - Request and obtain from a certificate authority (CA) a personal certificate with the correct label and its full chain of CA certificates back to the root certificate.
  - Add all the certificates, in the correct order, to the queue manager's key repository.
- Configure the queue manager for TLS-enabled messaging. For more information, see Configuring SSL on queue managers.
- Configure channels to support secure messaging using TLS. For more information, see Configuring TLS channels.
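The key repository steps for a queue manager, sketched as runmqakm commands. This is an added example, not taken from the IBM page: the queue manager name QM1, the repository stem /var/mqm/qmgrs/QM1/ssl/key, the file names, the DN, the password placeholder and the CMS repository type are all assumptions. The script only prints the commands unless RUN is set to an empty value.

```shell
#!/bin/sh
# Added example, not IBM's code: key repository steps for a queue manager.
# Assumed: queue manager QM1, repository stem /var/mqm/qmgrs/QM1/ssl/key,
# CA files root.pem and intermediate.pem, CMS repository with a stash file.
RUN=${RUN-echo}   # dry run by default (prints commands); RUN= executes them

# Default label: "ibmwebspheremq" plus the queue manager name in lower case.
qm_label() {
  printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Create the repository at the stem named in the Key repository attribute.
create_repo() {      # $1 = stem, $2 = password
  $RUN runmqakm -keydb -create -db "$1.kdb" -pw "$2" -type cms -stash
}

# Generate the key pair and the certificate request that goes to the CA.
create_request() {   # $1 = stem, $2 = queue manager name, $3 = DN
  $RUN runmqakm -certreq -create -db "$1.kdb" -stashed \
    -label "$(qm_label "$2")" -dn "$3" -size 2048 -file "$2.csr"
}

# Add the CA certificates in order: root first, then each intermediate.
add_chain() {        # $1 = stem, rest = CA files ordered root -> issuing CA
  stem=$1; shift
  n=0
  for ca in "$@"; do
    n=$((n + 1))
    $RUN runmqakm -cert -add -db "$stem.kdb" -stashed \
      -label "ca$n" -file "$ca" -format ascii
  done
}

# Receive the signed personal certificate once its signers are in place.
receive_cert() {     # $1 = stem, $2 = signed certificate file
  $RUN runmqakm -cert -receive -db "$1.kdb" -stashed -file "$2" -format ascii
}

setup_plan() {       # the whole sequence, with the assumed values
  repo=/var/mqm/qmgrs/QM1/ssl/key
  create_repo "$repo" '<password>'
  create_request "$repo" QM1 'CN=QM1,O=Example,C=US'
  add_chain "$repo" root.pem intermediate.pem
  receive_cert "$repo" QM1.cer
}

setup_plan
```

A password passed with -pw is visible in the process list and shell history while the command runs, so the later commands read it from the stash file with -stashed instead.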
To set up TLS on an IBM MQ client, complete the following steps for each client that uses TLS connections:
- Create a TLS key repository for the client and add the necessary certificates to the key repository.
  [MQ 9.4.0 Jun 2024] Note: The strmqikm GUI is removed from IBM MQ in IBM MQ 9.4.0 and cannot be used to manage TLS certificates from IBM MQ Explorer. From IBM MQ 9.4.0, use the runmqakm or runmqktool commands to manage TLS certificates on AIX, Linux, and Windows. For more information, see Working with SSL/TLS in IBM Documentation.
  Use the commands that are available on the system where the client runs to complete the following steps:
  - Create the client's key repository.
  - Request and obtain from a certificate authority (CA) a personal certificate with the correct label and its full chain of CA certificates back to the root certificate.
  - Add all the certificates, in the correct order, to the client's key repository.
- Configure the client for TLS-enabled messaging. For more information, see Configuring TLS on IBM MQ clients.
- Configure the client channel definition to support secure messaging using TLS. For more information, see Configuring SSL on IBM MQ clients.