You can use SSL or TLS with IBM® MQ
Managed File Transfer to secure the communication between agents and
their agent queue managers, between commands and the queue managers that they connect to, and over the
various queue manager to queue manager connections within your topology.
Before you begin
You can use SSL or TLS encryption to protect messages that flow through an IBM MQ
Managed File Transfer topology. These include:
- Messages that pass between an agent and its agent queue manager.
- Messages that pass between commands and the queue managers that they connect to.
- Internal messages that flow between the agent queue managers, command queue managers and the
coordination queue manager within the topology.
About this task
For general information about using SSL with IBM MQ,
see Working with SSL/TLS. In
IBM MQ terms, Managed File Transfer is a standard Java client application.
Follow these steps to use SSL with Managed File Transfer:
Procedure
- Create a truststore file and optionally a keystore file (these can be the same
file). If you do not need client authentication (that is, SSLCAUTH=OPTIONAL on the channels), you do not
need to provide a keystore; you need only a truststore, which is used to authenticate the queue manager's
certificate. If the channels use SSLCAUTH=REQUIRED, the keystore must hold the agent's own certificate and private key, signed by a certificate authority that the queue manager trusts.
The key algorithm used for creating certificates for the truststore and keystore must be RSA to
work with IBM MQ.
- Set up your IBM MQ queue manager to use SSL.
- Save the truststore file and keystore file (if you have
one) in a suitable location. A suggested location is the config_directory/coordination_qmgr/agents/agent_name directory.
- Set the SSL properties as required for each SSL-enabled queue manager in the appropriate
Managed File Transfer properties file. Each set of properties refers
to a separate queue manager role (agent, coordination, and command), although one queue manager might
perform two or more of these roles.
One of the CipherSpec or CipherSuite properties is
required; if neither is set, the client tries to connect without SSL. Both the
CipherSpec and CipherSuite properties are provided because
of the terminology differences between IBM MQ and Java. Managed File Transfer
accepts either property and does the necessary conversion, so you do not need to set both
properties. If you do specify both the CipherSpec and
CipherSuite properties, CipherSpec takes precedence. The value must match the SSLCIPH attribute of the channel that the client connects through.
The PeerName property is optional. You can set the property to the
Distinguished Name of the queue manager that you want to connect to. If it is set, Managed File Transfer rejects the connection
when the Distinguished Name in the certificate presented by the SSL server does not match, which protects against connecting to the wrong queue manager.
Set the SslTrustStore and SslKeyStore properties to
file names that point to the truststore and keystore files. If you are setting up these properties
for an agent that is already running, stop and restart the agent to reconnect in SSL mode.
Properties files contain the truststore and keystore passwords in plain text, so restrict the file system
permissions on the properties files and on the store files to the user that runs the agent.
For more information about SSL properties, see SSL/TLS properties for MFT.
- If an agent queue manager uses SSL, you cannot provide
the necessary details when you create the agent. Use the following
steps to create the agent:
- Create the agent by using the fteCreateAgent command.
You receive a warning about being unable to publish the existence
of the agent to the coordination queue manager.
- Edit the agent.properties file
that was created by the previous step to add the SSL information.
When the agent is successfully started, the publish is attempted again.
- If agents or instances of the IBM MQ Explorer are
running while the SSL properties in the agent.properties file or
coordination.properties file are changed, you must restart the agent or
IBM MQ Explorer.
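The procedure above carried through for one agent, as an added example that is not part of the IBM documentation and not MFT's own tooling: a POSIX shell script that builds the truststore (and the optional keystore) with the JDK keytool, appends the SSL properties to agent.properties, locks down the file permissions, and checks the result before the agent is restarted. The property names (agentSslCipherSpec, agentSslPeerName, agentSslTrustStore, agentSslTrustStorePassword, agentSslKeyStore, agentSslKeyStorePassword) are the ones documented on the SSL/TLS properties page for the agent queue manager connection; the directory layout, queue manager and agent names, passwords, the self-signed certificates and the CipherSpec ECDHE_RSA_AES_128_GCM_SHA256 are assumptions, and the CipherSpec must match the SSLCIPH of the channel the agent connects through.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): prepare the truststore and an
# optional keystore for an MFT agent, write the agentSsl* properties into its
# agent.properties file, and check the result. The directory layout, queue
# manager and agent names, passwords and the CA certificate are assumptions.
set -eu

# Assumed layout: config_directory/coordination_qmgr/agents/agent_name.
# WORK defaults to a scratch directory so the script runs anywhere; point it at
# the real MFT configuration directory on an agent machine.
WORK="${WORK:-$(mktemp -d)}"
COORD_QM="${COORD_QM:-COORDQM}"
AGENT="${AGENT:-AGENT1}"
AGENT_DIR="$WORK/$COORD_QM/agents/$AGENT"
TRUSTSTORE="$AGENT_DIR/agent.trust.jks"
KEYSTORE="$AGENT_DIR/agent.key.jks"
PROPS="$AGENT_DIR/agent.properties"
mkdir -p "$AGENT_DIR"

# Truststore: import the CA certificate that signed the queue manager's
# certificate (the queue manager must present an RSA certificate).
make_truststore() {
    keytool -importcert -noprompt -alias qmgr-ca -file "$1" \
        -keystore "$2" -storepass "$3" -storetype JKS
    chmod 600 "$2"
}

# Keystore: only needed when the channel has SSLCAUTH(REQUIRED). The agent's own
# RSA key pair is self-signed here for illustration; in production have it
# signed by a CA that the queue manager trusts.
make_keystore() {
    keytool -genkeypair -alias mftagent -keyalg RSA -keysize 2048 \
        -dname "CN=$3,O=Example" -validity 365 \
        -keystore "$1" -storepass "$2" -keypass "$2" -storetype JKS
    chmod 600 "$1"
}

# Append the SSL properties. CipherSpec must match the SSLCIPH of the SVRCONN
# channel the agent uses; PeerName is the DN of the queue manager's certificate.
# Pass a keystore path and password only when the channel requires client auth.
write_ssl_properties() {
    props="$1"; trust="$2"; trustpass="$3"; peer="$4"; key="${5:-}"; keypass="${6:-}"
    {
        echo "agentSslCipherSpec=ECDHE_RSA_AES_128_GCM_SHA256"
        echo "agentSslPeerName=$peer"
        echo "agentSslTrustStore=$trust"
        echo "agentSslTrustStorePassword=$trustpass"
        if [ -n "$key" ]; then
            echo "agentSslKeyStore=$key"
            echo "agentSslKeyStorePassword=$keypass"
        fi
    } >> "$props"
    chmod 600 "$props"   # the file now holds plain-text passwords
}

# Sanity check before restarting the agent: without a CipherSpec or CipherSuite
# the agent connects without SSL, and the truststore file must exist.
check_ssl_properties() {
    grep -Eq '^agentSsl(CipherSpec|CipherSuite)=.+' "$1" || return 1
    trust=$(sed -n 's/^agentSslTrustStore=//p' "$1")
    [ -n "$trust" ] && [ -f "$trust" ] || return 1
    return 0
}

# Minimal agent.properties as fteCreateAgent would leave it (constructed).
printf 'agentQMgr=%s\n' AGENTQM > "$PROPS"

if command -v keytool >/dev/null 2>&1; then
    # Constructed stand-in for the CA: a self-signed RSA certificate.
    keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 \
        -dname "CN=Demo CA,O=Example" -validity 30 \
        -keystore "$WORK/ca.jks" -storepass changeit -keypass changeit -storetype JKS
    keytool -exportcert -alias demo-ca -keystore "$WORK/ca.jks" \
        -storepass changeit -file "$WORK/ca.cer"
    make_truststore "$WORK/ca.cer" "$TRUSTSTORE" changeit
    make_keystore "$KEYSTORE" changeit "$AGENT"
else
    # No JDK on this machine: empty placeholder stores so the property check still runs.
    : > "$TRUSTSTORE"; : > "$KEYSTORE"
fi

write_ssl_properties "$PROPS" "$TRUSTSTORE" changeit "CN=AGENTQM,O=Example" "$KEYSTORE" changeit
check_ssl_properties "$PROPS" && echo "SSL properties written to $PROPS; restart agent $AGENT"
```

Run it once per agent, then stop and restart the agent so that it reconnects in SSL mode. If the channel uses SSLCAUTH(OPTIONAL), call write_ssl_properties without the last two arguments and skip make_keystore. On Windows, Java properties files treat backslash as an escape character, so write the store paths with forward slashes or doubled backslashes.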