SSL and TLS security protocols in IBM MQ

IBM® MQ supports both the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) protocols to provide link level security for message channels and MQI channels.

Message channels and MQI channels can use the SSL or TLS protocol to provide link level security. A caller MCA is an SSL or TLS client and a responder MCA is an SSL or TLS server. IBM MQ supports Version 3.0 of the SSL protocol and Version 1.0 and Version 1.2 of the TLS protocol. You can specify the cryptographic algorithms that are used by the SSL or TLS protocol by supplying a CipherSpec as part of the channel definition.

[V8.0.0.2 Feb 2015] Note: From IBM MQ 8.0.0, Fix Pack 2, the SSLv3 protocol and the use of some IBM MQ CipherSpecs are deprecated. For more information, see Deprecation: SSLv3 protocol.

You can use the SECPROT parameter to display the security protocol in use on a channel.
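
One way to act on the SECPROT value, as an added example that is not IBM's code: a Python check over `DISPLAY CHSTATUS(*) SECPROT` output that lists channel instances running with no security protocol or on the deprecated SSLv3. The sample output, channel names and addresses are constructed, and the `AMQ8417` header and the SECPROT values NONE, SSLV3, TLSV1 and TLSV12 are assumed to match what your runmqsc prints.

```python
import re

# Constructed sample of `DISPLAY CHSTATUS(*) SECPROT` output (made-up names).
SAMPLE = """\
AMQ8417: Display Channel Status details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   CONNAME(192.0.2.10)                     CURRENT
   SECPROT(TLSV12)                         STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   CONNAME(192.0.2.11)                     CURRENT
   SECPROT(SSLV3)                          STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   CONNAME(192.0.2.20(1414))               CURRENT
   SECPROT(NONE)                           STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(OLD.TLS.SVRCONN)                CHLTYPE(SVRCONN)
   CONNAME(192.0.2.12)                     CURRENT
   SECPROT(TLSV1)                          STATUS(RUNNING)
"""

# KEYWORD(value) pairs; one level of nested parentheses covers CONNAME(host(port)).
ATTR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_chstatus(text):
    """Split runmqsc output into one attribute dict per channel instance."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8417"):      # header line starts a new record
            current = {}
            records.append(current)
        elif current is not None:
            current.update(ATTR.findall(line))
    return records

def audit(text, allowed=("TLSV1", "TLSV12")):
    """Return (channel, conname, secprot) for instances outside `allowed`."""
    # Default: accept the TLS versions the page lists; reject SSLV3 and NONE.
    findings = []
    for rec in parse_chstatus(text):
        prot = rec.get("SECPROT", "UNKNOWN")   # attribute missing from output
        if prot not in allowed:
            findings.append((rec.get("CHANNEL"), rec.get("CONNAME"), prot))
    return findings

if __name__ == "__main__":
    for channel, conname, prot in audit(SAMPLE):
        print(f"{channel} from {conname}: SECPROT={prot}")
```

Passing `allowed=("TLSV12",)` tightens the policy so that TLS 1.0 channel instances are reported as well.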

At each end of a message channel, and at the server end of an MQI channel, the MCA acts on behalf of the queue manager to which it is connected. During the SSL or TLS handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The IBM MQ code at the client end of an MQI channel acts on behalf of the user of the IBM MQ client application. During the SSL or TLS handshake, the IBM MQ code sends the user's digital certificate to the MCA at the server end of the MQI channel.

Queue managers and IBM MQ client users are not required to have personal digital certificates associated with them when they are acting as SSL or TLS clients, unless SSLCAUTH(REQUIRED) is specified at the server side of the channel.

Digital certificates are stored in a key repository. The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager's digital certificate. On an IBM MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user's digital certificate. Alternatively, an IBM MQ client application can specify its location in the KeyRepository field of the SSL and TLS configuration options structure, MQSCO, on an MQCONNX call. See the related topics for more information about key repositories and how to specify where they are located.

Support for SSL and TLS

IBM MQ provides support for SSL Version 3.0 and TLS 1.0 and TLS 1.2 according to the platform you are using. For more information about the SSL and TLS protocols, refer to the information in the subtopics.

IBM i: SSL and TLS support is integral to the IBM i operating system.
Java and JMS clients: These clients use the JVM to provide SSL and TLS support.
HP Integrity NonStop Server, UNIX, Linux®, and Windows systems: SSL and TLS support is installed with IBM MQ.
z/OS®: SSL and TLS support is integral to the z/OS operating system. The SSL and TLS support on z/OS is known as System SSL.

For information about any prerequisites for IBM MQ SSL and TLS support, see System Requirements for IBM MQ.