Using CERTVPOL to specify RFC 5280 Certificate Validation for Queue Managers
ValerieLampkin 27000182R2 Comment (1) Visits (10015)
Do you need to have a WebSphere MQ queue manager that is RFC 5280 compliant? The RFC 5280 standard defines the current certificate validation policy for use with SSL and TLS. It specifies the rules which all SSL/TLS applications should ideally follow to reliably determine certificate trustworthiness. The WebSphere MQ Information Center has more information about RFC 5280 and certificate validation policies, see: Certificate validation and trust policy design on UNIX, Linux and Windows systems
Users who require RFC 5280 certificate validation may enable it using the new CERTVPOL parameter configuration options. This parameter is valid on only UNIX®, Linux, and Windows. It specifies which SSL/TLS certificate validation policy is used to validate digital certificates received from remote partner systems.
The certificate validation policy attribute controls which SSL/TLS certificate validation policy is used to validate digital certificates received from remote partners.
There are two possible values for a queue manager’s CERTVPOL attribute:
ANY is used for maximum backwards compatibility and interoperability with old digital certificates that do not comply with the current IETF certificate validation standards. It first applies the legacy "Basic policy" which accepts old digital certificates. If the certificate contains extensions that the Basic policy does not support then the RFC5280 "Standard policy" is applied next. The setting is named "ANY" because it allows any of the supported certificate validation policies to validate digital certificates.
RFC5280 is the "Standard policy", a strict standards-compliant certificate validation policy which enforces the RFC 5280 standard.
The CERTVPOL queue manager attribute can be set as shown with runmqsc commands:
For PCF and MQINQ, the selector is MQIA
The setting is cached on a per-process basis. Changes to the new queue manager attribute therefore take effect after any of the following:
On the client, WebSphere MQ provides three different ways to configure the certificate validation policy. In descending priority order these are:
MQ 7.1 Considerations:
For MQ 7.1 the new queue manager attribute CERTVPOL is implemented as a flexible delivery item. If you currently have 18.104.22.168 or 22.214.171.124 it does not include MQIA
The new attribute is not visible or usable in MQ 7.1 unless the queue manager’s command level is at least 711 (MQCMDL_LEVEL_711). Queue managers created with (or migrated to) MQ 7.1 will have a command level of 710 by default. Example: CMDLEVEL (710). This includes all queue managers created at fixpack 126.96.36.199 or later. You must update the command level to use RFC 5280 in v7.1:
strmqm -e CMDLEVEL=711 QMGR
Failure to enable the correct MQ 7.1 command level will mean that the CERTVPOL attribute will not be shown in DISPLAY QMGR MQSC output and MQIA
Attempting to query the MQIA
Attempting an MQCMD_CHANGE_Q_MGR PCF command will return a MQRC
Special Thanks to Andrew Akehurst for his assistance with this blog entry.