Certificate Extended Key Usage (EKU)
IBM® MQ as a Service and Certificate Extended Key Usage (EKU).
For information about how IBM MQ handles certificate Extended Key Usage (EKU), see the IBM MQ EKU documentation.
IBM MQ as a Service queue managers at version 9.4.5r1 and later
are configured with RFC5280EKUChecks=FALSE. When this setting is in effect,
certificate EKU values are not checked. If you use a custom certificate and want EKU checking to be
enforced, you can raise a support case to request that RFC5280EKUChecks=TRUE is set
in the SSL stanza of the qm.ini file.
Certificates provided by IBM MQ as a Service do not include the
ClientAuth EKU value. As a result, the default certificates are not suitable for
use in mutual TLS (mTLS) client authentication when EKU checking is enforced.
When EKU checking is enforced and the certificate does not include the ClientAuth EKU value, connections can fail with messages such as "Extended key usage does not permit use for TLS client authentication" or "Check the full valid CA trust chain is available in the keyring". This can occur in the following scenarios:
- An IBM MQ as a Service queue manager uses mTLS to connect to a distributed queue manager at version 9.4.5.0 or later where EKU checking is enabled and RFC5280EKUChecks=FALSE is not set in the SSL stanza of the qm.ini file.
- An IBM MQ as a Service queue manager uses mTLS to connect to a queue manager on z/OS.
- An IBM MQ as a Service queue manager uses mTLS to connect to MQIPT where SSLClientAuth=true is configured.
The same considerations apply if you configure a custom certificate on the queue manager that
does not include the ClientAuth EKU value.
Recommended action
Use a custom certificate that includes the ClientAuth EKU value when the
certificate is to be used for mTLS client authentication in an environment where EKU checking is
enforced.
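Before installing a custom certificate, it is worth confirming that its Extended Key Usage actually lists clientAuth. The following script is an added example and is not part of the IBM MQ documentation or product; it assumes openssl 1.1.1 or later is on the PATH, and the certificates it generates are constructed demonstration material only.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: classify a PEM certificate
# by whether it can be used for mTLS client authentication when EKU checking
# (RFC5280EKUChecks=TRUE) is enforced. Assumes openssl (1.1.1 or later) on PATH.

# Prints one of:
#   clientauth - EKU extension present and includes id-kp-clientAuth
#   restricted - EKU extension present but clientAuth absent (rejected when
#                EKU checks are enforced, as with the default service certs)
#   none       - no EKU extension at all; RFC 5280 treats this as unrestricted
eku_client_status() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    case "$text" in
        *"TLS Web Client Authentication"*) echo clientauth ;;
        *"X509v3 Extended Key Usage"*)      echo restricted ;;
        *)                                  echo none ;;
    esac
}

# Create a constructed self-signed certificate at $1 with the EKU list in $2
# (empty $2 means no EKU extension). Demo material only; not a real MQ cert.
make_selfsigned() {
    out=$1
    if [ -n "$2" ]; then set -- -addext "extendedKeyUsage=$2"; else set --; fi
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=constructed-example" -days 1 "$@" >/dev/null 2>&1
}

# Walk through the three cases and report what EKU enforcement would do.
demo() {
    dir=$(mktemp -d)
    make_selfsigned "$dir/server_only.pem"   "serverAuth"
    make_selfsigned "$dir/server_client.pem" "serverAuth,clientAuth"
    make_selfsigned "$dir/no_eku.pem"        ""
    for c in server_only server_client no_eku; do
        printf '%-14s %s\n' "$c" "$(eku_client_status "$dir/$c.pem")"
    done
    rm -rf "$dir"
}

demo
```

Run eku_client_status against your own custom certificate file; a result of restricted means the certificate will be rejected for mTLS client authentication once EKU checking is enforced.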