Another in the series of bite size blog posts about features in MQ V8. Check out the whole series here.
MQ v8 includes new functionality that allows you to specify a different certificate per channel for SSL and TLS connections (TLS is Transport Layer Security, the newer replacement for SSL). This means that if you have customers connecting to your MQ whose certificates are signed by two different Certificate Authorities, you can give each of them a channel to connect to that presents a certificate from the matching issuer.
To support this new functionality a new attribute called "CERTLABL" has been added to the various channel types of MQ and also to the Queue Manager. CERTLABL specifies the label of the certificate the Queue Manager or channel should use. It *must* match the label of a certificate contained in the SSL key repository specified in the Queue Manager's SSLKEYR attribute. Once you have specified a CERTLABL value on the Queue Manager you must issue a REFRESH SECURITY MQSC command for the change to come into effect; channel CERTLABL changes, however, take effect when the channel is restarted and so do not need a refresh. CERTLABL values can point to different types of certificate, for example one channel can be set up to use an RSA-signed certificate while another channel uses an ECDSA-signed certificate.
To set or alter a Queue Manager CERTLABL issue the command:
> ALTER QMGR CERTLABL('certificatelabel')
To set or alter a channel's CERTLABL issue the command:
> ALTER CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) CERTLABL('certificatelabel2')
If you do not specify a CERTLABL value on a channel then the channel uses the Queue Manager's CERTLABL value to determine which SSL certificate to use. A certificate label is *case sensitive*, so do not forget to place single quotes around your CERTLABL value. If you specify a certificate label that does not exist in the Queue Manager's SSL key repository then connecting clients will receive an MQRC_SSL_INITIALIZATION_ERROR (2393) error and an AMQ9645 message will be written to the relevant error log (for clients it goes to the client error log; for sender channels the error is written to the Queue Manager's error log). Additionally, in order to specify a CERTLABL on a channel you must use a CipherSpec on that channel that uses the TLS 1.0 or TLS 1.2 protocol, not SSL 3.0. For more information about which CipherSpecs you can use see here.
For more information on Multiple Certificates see here. Multiple Certificate information begins on Slide 27.
Example of how to set up a Queue Manager for use with multiple certificates
In this example we will assume that you know how to set up certificates of various types and with different labels, and that you know how to create channels ready for SSL (or TLS). Additionally we assume that the clients who will be connecting are MQ v8 clients (MQ v7.5 and earlier clients do not support multiple certificates and so cannot connect to channels that specify CERTLABL). Our final assumption is that MQ has been installed and configured correctly and that I am completing all tasks as a system administrator who is a member of the mqm group. This example will look at how to set up MQ so that we have two server connection channels, one of which uses a different certificate from the Queue Manager's.
1) First I create my two certificates with the different certificate labels that I want my Queue Manager and channel to use. I place these in my Queue Manager's SSL key repository and configure MQ to use the key repository by executing the following in runmqsc:
> ALTER QMGR SSLKEYR('<Path to Key Repository>')
2) Next I tell my Queue Manager to use a specific certificate in the above key repository by setting the Queue Manager CERTLABL value to the certificate label. I execute the following in runmqsc:
> ALTER QMGR CERTLABL('qmgrCertificate')
3) Now I exchange the public keys of the certificates I created with the clients that will be connecting, and also ensure that I add the clients' public keys or CA certificate to my key repository.
4) Next I create my first channel which will be using the default Queue Manager certificate. To do this I create it with a blank CERTLABL:
> DEFINE CHANNEL('CHL.CUSTOMER.ONE') CHLTYPE(SVRCONN) SSLCIPH(ECDHE_ECDSA_AES_128_CBC_SHA256)
5) Now I create my second channel, which will use a different certificate from the Queue Manager's. To do this I execute the following in runmqsc:
> DEFINE CHANNEL('CHL.CUSTOMER.TWO') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) CERTLABL('channelCertificate')
6) Finally I execute a refresh security command so that my Queue Manager will pick up the changes made:
> REFRESH SECURITY(*) TYPE(SSL)
Now my MQ is set up to use different certificates and my clients will be able to connect to their channel successfully.
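As an added example (not code from the original post or from IBM MQ), here is a small Python checker that applies the CERTLABL rules above to a set of channel definitions: it resolves each channel's effective label (channel CERTLABL, else the Queue Manager's), flags labels that are missing from the key repository (the MQRC 2393 / AMQ9645 case, including case-only mismatches), and flags a channel CERTLABL combined with an SSL 3.0 CipherSpec. The CipherSpec-to-protocol table is a constructed subset and the channel list and repository labels are constructed sample data.

```python
# Constructed subset of the IBM MQ CipherSpec -> protocol table: the specs
# used on this page plus two SSL 3.0 specs. Use the full IBM table in practice.
CIPHERSPEC_PROTOCOL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS 1.0",
    "ECDHE_ECDSA_AES_128_CBC_SHA256": "TLS 1.2",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "TLS 1.2",
    "TRIPLE_DES_SHA_US": "SSL 3.0",
    "RC4_SHA_US": "SSL 3.0",
}
# A channel-level CERTLABL is only allowed on TLS 1.0 / TLS 1.2 CipherSpecs.
CERTLABL_PROTOCOLS = {"TLS 1.0", "TLS 1.2"}

def effective_label(channel_certlabl, qmgr_certlabl):
    """A blank channel CERTLABL falls back to the queue manager's CERTLABL."""
    return channel_certlabl if channel_certlabl else qmgr_certlabl

def check_channels(qmgr_certlabl, channels, repository_labels):
    """Map channel name -> list of problems for (name, SSLCIPH, CERTLABL)
    tuples; an empty list means the channel's certificate setup looks right."""
    repo = set(repository_labels)
    by_lower = {lbl.lower(): lbl for lbl in repo}
    findings = {}
    for name, sslciph, certlabl in channels:
        problems = []
        proto = CIPHERSPEC_PROTOCOL.get(sslciph)
        if proto is None:
            problems.append(f"{sslciph} not in local table; check the IBM list")
        elif certlabl and proto not in CERTLABL_PROTOCOLS:
            problems.append(f"CERTLABL set but {sslciph} is {proto}, not TLS 1.0/1.2")
        label = effective_label(certlabl, qmgr_certlabl)
        if label not in repo:
            msg = (f"label '{label}' missing from key repository: clients get "
                   "MQRC_SSL_INITIALIZATION_ERROR (2393), AMQ9645 is logged")
            if label.lower() in by_lower:  # labels are case sensitive
                msg += f" (case differs from '{by_lower[label.lower()]}')"
            problems.append(msg)
        findings[name] = problems
    return findings

if __name__ == "__main__":
    # Constructed sample: the two channels from the walkthrough plus a bad one.
    repo = ["qmgrCertificate", "channelCertificate"]
    chans = [
        ("CHL.CUSTOMER.ONE", "ECDHE_ECDSA_AES_128_CBC_SHA256", ""),
        ("CHL.CUSTOMER.TWO", "TLS_RSA_WITH_AES_128_CBC_SHA", "channelCertificate"),
        ("CHL.CUSTOMER.BAD", "TRIPLE_DES_SHA_US", "ChannelCertificate"),
    ]
    for chan, probs in check_channels("qmgrCertificate", chans, repo).items():
        print(chan, "OK" if not probs else probs)
```

Running it against a live Queue Manager means feeding in the output of DISPLAY CHANNEL(*) SSLCIPH CERTLABL and the labels listed by your key-repository tool.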