Certificate validation policies in IBM MQ

The certificate validation policy determines how strictly the certificate chain validation conforms to industry security standards.

The certificate validation policy depends upon the platform and environment as follows:
  • For Java and JMS applications on all platforms, the certificate validation policy depends on the Java Secure Socket Extension (JSSE) component of the Java runtime environment. For more information about the certificate validation policy, see the documentation for your JRE.

    [MQ 9.4.5 Feb 2026] From IBM® MQ 9.4.5, you can customize certificate validation for HTTPS connections used by IBM MQ classes for JMS to retrieve CCDT files and JWT tokens. You can set a validation policy for each endpoint and provide your own SSLSocketFactory instance to manage how certificates are checked. If you provide a custom SSLSocketFactory, the IBM MQ classes for JMS environment uses it to handle the HTTPS connection. This provides more control when working with internal servers or environments that do not use standard certificates.

  • [AIX, Linux, Windows] For AIX®, Linux®, and Windows systems, the certificate validation policy is supplied by IBM Global Security Kit (GSKit) and can be configured.
    [MQ 9.4.0 Jul 2024] Three different certificate validation policies are supported:
    • A legacy certificate validation policy, used for maximum backwards compatibility and interoperability with old digital certificates that do not comply with the current IETF certificate validation standards. This policy is known as the Basic policy.
    • A strict, standards-compliant certificate validation policy which enforces the RFC 5280 standard. This policy is known as the Standard policy.
    • [MQ 9.4.0 Jul 2024] A certificate validation policy which does not authenticate the TLS server certificate, available only for client applications.
  • [IBM i] For IBM i systems, the certificate validation policy depends on the secure sockets library provided by the operating system.

    For more information about the certificate validation policy, see the documentation for the operating system.

  • [z/OS] For z/OS® systems, the certificate validation policy depends on the System SSL component provided by the operating system.

    For more information about the certificate validation policy, see the documentation for the operating system.

For information about how to configure the certificate validation policy, see Configuring certificate validation policies in IBM MQ. For more information about the differences between the Basic and Standard certificate validation policies, see Certificate validation and trust policy design on AIX, Linux, and Windows.
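
For the custom SSLSocketFactory option described above for Java and JMS applications, the following added example (not IBM code and not part of the original page) builds a factory with standard JSSE APIs that trusts a single internal CA while leaving chain validation to the JSSE trust manager. The class name, method name, and keystore alias are assumptions, and the page does not show how the factory is passed to IBM MQ classes for JMS, so that step is omitted.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: class and method names are hypothetical, not an IBM MQ API.
public final class InternalCaSocketFactory {

    // Returns a factory whose only trust anchor is the PEM or DER encoded CA
    // certificate in caCertFile. Chain validation itself is still done by JSSE.
    public static SSLSocketFactory forCa(Path caCertFile) throws Exception {
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caCertFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        ca.checkValidity(); // reject an expired or not-yet-valid anchor early
        if (ca.getBasicConstraints() < 0) { // -1 means the certificate is not a CA
            throw new IllegalArgumentException("Not a CA certificate: " + caCertFile);
        }

        // Empty in-memory trust store: the default JRE roots are not included.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("internal-ca", ca); // alias is an assumption

        // Default trust manager for this JRE, seeded with the single anchor.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        return ctx.getSocketFactory();
    }

    // Usage: java InternalCaSocketFactory /path/to/internal-ca.pem
    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = forCa(Path.of(args[0]));
        System.out.println("Default cipher suites: "
                + factory.getDefaultCipherSuites().length);
    }
}
```

A socket factory built this way controls which chains are trusted; whether the server host name is also checked depends on how the calling code uses the socket.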