Configuring TLS channels with MQSC

To configure TLS channels, use the runmqsc and the ALTER CHANNEL commands. You can optionally configure a channel to accept only certificates with attributes in the distinguished name of the owner that match given values. You can also optionally configure a queue manager channel so that the queue manager refuses the connection if the initiating party does not send its own personal certificate.

About this task

To configure channels in IBM® MQ Explorer, see Configuring TLS channels with IBM MQ Explorer.

To configure channels using runmqsc, complete the following steps.

Procedure

  1. Invoke the runmqsc command connecting to the target queue manager.
  2. Identify the channel you want to enable for TLS.
    Note both the channel name and channel type.
  3. Use the ALTER CHANNEL command to alter various properties of an IBM MQ channel.
    You provide the channel name and channel type in addition to the command. For example, to alter a sender channel called MQ.TEST run the following command:
    ALTER CHANNEL('MQ.TEST') CHLTYPE(SDR)
    There are various channel attributes related to TLS that you can adjust on IBM MQ channel definitions.

What to do next

Setting message security

TLS-enabled messaging offers two methods of ensuring message security:
  • Encryption ensures that if the message is intercepted, it is unreadable.
  • Hash functions ensure that if the message is altered, this is detected.

The combination of these methods is called the cipher specification, or CipherSpec. Compatible CipherSpecs must be set for both ends of a channel, otherwise TLS-enabled messaging fails. For more information, see Enabling CipherSpecs.

To alter an IBM MQ channel to enable TLS, specify a value in the SSLCIPH attribute. This attribute must be set to a CipherSpec that is valid for the platform of the queue manager, from the list in Enabling CipherSpecs.

To alter an IBM MQ channel to disable TLS, set SSLCIPH to a blank value. For example:
ALTER CHANNEL('MQ.TEST') CHLTYPE(SDR) SSLCIPH(' ')
Note: You must encase the channel name within single quotes to ensure the character case is maintained. Without single quotes, IBM MQ transforms the string to be all uppercase.

Filtering certificates on their owner's name

Certificates contain the distinguished name of the owner of the certificate. You can optionally configure the channel to accept only certificates with attributes in the distinguished name of the owner that match given values.

The attribute names that IBM MQ can filter are listed in the following table:
Attribute name         Meaning
SERIALNUMBER           Certificate serial number
MAIL                   Email address
E                      Email address (deprecated in preference to MAIL)
UID or USERID          User identifier
CN                     Common Name
T                      Title
OU                     Organizational Unit name
DC                     Domain component
O                      Organization name
STREET                 Street / First line of address
L                      Locality name
ST (or SP or S)        State or Province name
PC                     Postal code / zip code
C                      Country
UNSTRUCTUREDNAME       Host name
UNSTRUCTUREDADDRESS    IP address
DNQ                    Distinguished name qualifier
You can use the wildcard character (*) at the beginning or the end of the attribute value in place of any number of characters. For example, to accept only certificates from any person with a name ending with Smith working for IBM in GB, type:
CN=*Smith, O=IBM, C=GB
For example:
ALTER CHANNEL('MQ.TEST') CHLTYPE(SDR) SSLPEER('CN=*Smith, O=IBM, C=GB')
Note: You must encase the SSLPEER string within single quotes to ensure the character case is maintained. Without single quotes, IBM MQ transforms the string to be all uppercase.

Authenticating parties initiating connections to a queue manager

When another party initiates a TLS-enabled connection to a queue manager, the queue manager must send its personal certificate to the initiating party as proof of identity. You can also optionally configure the queue manager channel so that the queue manager refuses the connection if the initiating party does not send its own personal certificate.

To do this, set the SSLCAUTH attribute. This attribute is a Boolean attribute and can have the values OPTIONAL or REQUIRED:
  • OPTIONAL authenticates the certificate of a connecting client if one is provided but does not require a client to send one. A client is rejected if it sends a certificate that is not valid.
  • REQUIRED rejects any connecting client that does not provide a valid TLS certificate.
For example:
ALTER CHANNEL('MQ.TEST') CHLTYPE(RCVR) SSLCAUTH(REQUIRED)
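The following runmqsc session is an added example, not taken from the IBM MQ documentation, that applies the SSLCIPH, SSLPEER and SSLCAUTH settings described on this page in one pass, from the initial DISPLAY through to verification. The queue manager name QM1, the channel name MQ.TEST, the CipherSpec ECDHE_RSA_AES_128_GCM_SHA256 and the SSLPEER value are assumed for illustration; the sender-side and receiver-side commands run against their respective queue managers, so in practice they are two separate sessions.

```mqsc
* Added example: not from the IBM MQ documentation. Start the session
* with "runmqsc QM1" (QM1 is an assumed queue manager name).

* 1. Record the channel's current TLS attributes before changing anything.
DISPLAY CHANNEL('MQ.TEST') CHLTYPE(SDR) SSLCIPH SSLPEER SSLCAUTH

* 2. Sender side: enable TLS and accept only peer certificates whose
*    owner DN matches the filter. ECDHE_RSA_AES_128_GCM_SHA256 is one
*    valid CipherSpec; the receiving end must use a compatible one.
*    Single quotes keep the case of the channel name and the SSLPEER value.
ALTER CHANNEL('MQ.TEST') CHLTYPE(SDR) +
      SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) +
      SSLPEER('CN=*Smith, O=IBM, C=GB')

* 3. Receiver side (run on the receiving queue manager): same CipherSpec,
*    and refuse the connection unless the initiating party presents a
*    valid personal certificate.
ALTER CHANNEL('MQ.TEST') CHLTYPE(RCVR) +
      SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) +
      SSLCAUTH(REQUIRED)

* Weaker setting shown for contrast only: OPTIONAL still validates a
* certificate if one is sent, but lets a peer that sends none connect.
* ALTER CHANNEL('MQ.TEST') CHLTYPE(RCVR) SSLCAUTH(OPTIONAL)

* 4. Verify the result. Channel attribute changes apply the next time the
*    channel starts; REFRESH SECURITY TYPE(SSL) reloads the key repository
*    so a newly installed certificate is picked up without a restart.
DISPLAY CHANNEL('MQ.TEST') CHLTYPE(RCVR) SSLCIPH SSLPEER SSLCAUTH
REFRESH SECURITY TYPE(SSL)
END
```

Lines beginning with an asterisk are MQSC comments, and a trailing plus sign continues a command on the next line. To return a channel to non-TLS operation, the same ALTER CHANNEL form with SSLCIPH(' ') disables TLS, as shown earlier on this page.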