Manage the IBM® MQ client certificates,
configure the channels to use TLS, and authenticate certificates by using either Certificate
Revocation Lists or OCSP authentication.
About this task
This task introduces the commands that you use to work with TLS on an IBM MQ client.
For more information, see Securing IBM MQ and Setting up IBM MQ MQI client
security in IBM Documentation.
Procedure
-
[OPTION 1] Manage the IBM MQ client certificates
-
Find the location of the client key repository.
Type the following command to examine the MQSSLKEYR environment variable (this is the Windows form; on AIX, Linux and other UNIX systems, display the variable with your shell's own syntax). The value is the path of the key database file without its .kdb extension:
echo %MQSSLKEYR%
-
Ensure that the client key repository contains all the Certificate Authority (CA) certificates
that might be required to validate certificates that are received from other queue managers.
-
Check your application, because the key repository can also be set on an MQCONNX call (in the KeyRepository field of the MQSCO structure that the application passes through MQCNO).
If both values are set, the value set on the MQCONNX call overrides the value of MQSSLKEYR, so the environment variable alone does not tell you which repository a given application actually uses.
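The checks above, as an added POSIX shell example that is not part of the IBM MQ documentation: it verifies that the repository MQSSLKEYR points at really exists together with its stash file (a CMS key database is unusable by an unattended client without the .sth beside the .kdb), and lists the certificates it contains with the MQ-supplied runmqakm tool when that is installed. The repository path /var/mqm/ssl/key in the comments is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: sanity-check the client key
# repository that MQSSLKEYR points at. MQSSLKEYR holds the path of the key
# database without its .kdb extension (assumed demo value: /var/mqm/ssl/key).
# A CMS key repository is only usable by a client without prompting when its
# stash file (.sth) sits beside the .kdb.

# check_client_keyrepo [path-without-extension]
# Returns 0 when both the key database and its stash file exist, 1 otherwise.
# Defaults to $MQSSLKEYR, which is what an MQI client reads unless the
# application overrides the repository on MQCONNX.
check_client_keyrepo() {
    repo=${1:-$MQSSLKEYR}
    if [ -z "$repo" ]; then
        echo "MQSSLKEYR is not set and no path was given" >&2
        return 1
    fi
    status=0
    for ext in kdb sth; do
        if [ -f "$repo.$ext" ]; then
            echo "found $repo.$ext"
        else
            echo "missing $repo.$ext" >&2
            status=1
        fi
    done
    return $status
}

# list_ca_certs [path-without-extension]
# Lists the certificates in the repository with runmqakm when it is installed
# (-stashed reads the password from the .sth file); otherwise prints the
# command to run by hand. Use the listing to confirm that every CA that signs
# a queue manager certificate the client will see is present.
list_ca_certs() {
    repo=${1:-$MQSSLKEYR}
    if command -v runmqakm >/dev/null 2>&1; then
        runmqakm -cert -list -db "$repo.kdb" -stashed
    else
        echo "runmqakm not found; run: runmqakm -cert -list -db $repo.kdb -stashed" >&2
        return 1
    fi
}

# Stand-alone run: check whatever the environment points at. The Windows
# equivalent of the first step in the text is: echo %MQSSLKEYR%
if [ -n "$MQSSLKEYR" ]; then
    if check_client_keyrepo; then
        list_ca_certs || true
    fi
fi
```

If the check passes but the client still fails the TLS handshake, look at the MQCONNX path next: an MQSCO KeyRepository value in the application silently replaces the repository checked here.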
-
[OPTION 2] Configure the channels to use TLS
-
[OPTION 3] Authenticate certificates using Certificate Revocation Lists
Certificate Authorities (CAs) can revoke certificates that are no longer trusted by publishing them in a Certificate Revocation List (CRL). When a certificate is received by a queue manager or an IBM MQ MQI client, it can be checked against the CRL to ensure that it has not been revoked. CRL checking is not mandatory for TLS-enabled messaging, but it is recommended: without it, a certificate whose private key is known to be compromised is still accepted until it expires.
You can set up an IBM MQ MQI client to check certificates against CRLs on LDAP servers.
1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
2. Create a new authentication information object of type CRL LDAP. For more information, see Creating and configuring queue managers and objects.
3. Repeat the previous step to create as many authentication information objects as you need.
4. Create a namelist and add to the namelist the names of the authentication information objects that you created in Steps 2 and 3.
5. Right-click the queue manager, then click Properties.
6. On the SSL page, in the CRL Namelist field, type the name of the namelist that you created in Step 4.
7. Click OK.
   All the LDAP CRL information is now written to the client channel definition table.
8. Make the client channel definition table available to the client, or, if you are using Windows Active Directory, write out the information from the client channel definition table to the Active Directory. See the setmqscp command in IBM Documentation.
You can add up to 10 connections to alternative LDAP servers to the namelist, to ensure continuity of service if one or more LDAP servers are inaccessible.
For more information, see Securing IBM MQ in IBM Documentation.
See also IBM MQ MQI clients in IBM Documentation.
-
[OPTION 4] Authenticate certificates using OCSP authentication
You can set up an IBM MQ MQI client to check certificates against an OCSP responder. Some client environments do not support OCSP revocation checking, but all server platforms support defining the OCSP configuration, which is written into the client channel definition table file.
1. On the IBM MQ server, in IBM MQ Explorer, expand the queue manager.
2. Create a new authentication information object of type OCSP.
3. Repeat the previous step to create as many OCSP authentication information objects as you need.
4. Create a new namelist and add to the namelist the names of the OCSP authentication information objects that you created in Steps 2 and 3.
5. Right-click the queue manager, then click Properties.
6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
7. Click OK.
8. Make the client channel definition table available to the client.
Only one OCSP object can be added to the namelist because the socket library can only use one
OCSP responder URL at a time.
For more information, see Securing IBM MQ in IBM Documentation.
See also IBM MQ MQI clients in IBM Documentation.
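Both procedures above (CRL LDAP in OPTION 3 and OCSP in OPTION 4) can be driven from MQSC instead of the MQ Explorer dialogs. The following POSIX shell script is an added example, not part of the IBM MQ documentation: it generates the DEFINE AUTHINFO, DEFINE NAMELIST and ALTER QMGR commands that correspond to the Explorer steps. The Explorer "CRL Namelist" and "Revocation namelist" fields are the same queue manager attribute, SSLCRLNL, so one namelist carries both the CRL LDAP objects and the single OCSP object; the function enforces the two limits the text states (at most 10 CRL LDAP servers, at most one OCSP responder). The queue manager name QM1, the LDAP host names and the OCSP URL are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: MQSC equivalent of the
# MQ Explorer steps for CRL LDAP and OCSP revocation checking. Queue manager
# QM1, the LDAP hosts and the OCSP URL used below are assumed placeholders.

# mqsc_revocation_namelist NAMELIST OCSP_URL [ldap-host(port) ...]
# Prints the MQSC on standard output. OCSP_URL may be empty when only CRL
# checking is wanted; at least one of the two sources must be given.
# Limits enforced: at most 10 CRL LDAP objects, at most one OCSP object.
mqsc_revocation_namelist() {
    nl=$1; ocsp=$2; shift 2
    if [ $# -gt 10 ]; then
        echo "mqsc_revocation_namelist: at most 10 CRL LDAP servers, got $#" >&2
        return 1
    fi
    if [ $# -eq 0 ] && [ -z "$ocsp" ]; then
        echo "mqsc_revocation_namelist: no LDAP server and no OCSP URL given" >&2
        return 1
    fi
    names=""
    i=1
    for conname in "$@"; do
        # One CRL LDAP authentication information object per LDAP server.
        # If the directory requires a bind, add LDAPUSER('...') LDAPPWD('...').
        printf "DEFINE AUTHINFO(CRLLDAP%d) AUTHTYPE(CRLLDAP) CONNAME('%s') REPLACE\n" \
            "$i" "$conname"
        names="${names:+$names,}CRLLDAP$i"
        i=$((i + 1))
    done
    if [ -n "$ocsp" ]; then
        # Only one OCSP object may appear in the namelist (the socket library
        # uses a single responder URL at a time), so it is always OCSP1.
        printf "DEFINE AUTHINFO(OCSP1) AUTHTYPE(OCSP) OCSPURL('%s') REPLACE\n" "$ocsp"
        names="${names:+$names,}OCSP1"
    fi
    printf "DEFINE NAMELIST(%s) NAMES(%s) REPLACE\n" "$nl" "$names"
    # Point the queue manager at the namelist: this is the SSL page field.
    printf "ALTER QMGR SSLCRLNL(%s)\n" "$nl"
}

# Stand-alone use: generate the script for the placeholder values and, when
# the MQ commands are installed, feed it to runmqsc; otherwise just show it.
mqsc=$(mqsc_revocation_namelist REVNL 'http://ocsp.example.com' \
        'ldap1.example.com(389)' 'ldap2.example.com(389)')
if command -v runmqsc >/dev/null 2>&1; then
    printf '%s\n' "$mqsc" | runmqsc QM1
else
    printf '%s\n' "$mqsc"
fi
```

Two practical caveats. SSLCRLNL also governs the checks the queue manager performs on certificates it receives itself, so the LDAP servers and the OCSP responder must be reachable from the server as well as from the clients. And, as the text says, the generated commands only update the server-side definitions; the client still needs the regenerated client channel definition table (or the Active Directory copy written with setmqscp) before it starts checking revocation.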