[MQ 10.0.0 Jun 2026]

Adding TLS encryption

You can add TLS encryption to the connections between the queue manager instances in a Native HA configuration.

About this task

The replication traffic between instances carries the content of the queue manager log, which might contain sensitive business data from application messages. For this reason, it is recommended to set up TLS encryption in your Native HA configuration.

These instructions show you how to set up TLS in the example configuration that was created in Creating a Native HA queue manager.

Procedure

  1. On the host named alpha, run the following two commands to first create a keystore and then a self-signed certificate:
    runmqakm -keydb -create -db /var/mqm/qmgrs/MYQMGR/ssl/keystore.kdb -pw passw0rd -stash
    
    runmqakm -cert -create -db /var/mqm/qmgrs/MYQMGR/ssl/keystore.kdb -pw passw0rd -label selfsigned -dn CN=MYQMGR -size 2048
    
    These commands create the following four files:
    • keystore.crl
    • keystore.kdb
    • keystore.rdb
    • keystore.sth
    The -stash option writes the keystore password, in obfuscated form, to keystore.sth so that the queue manager can open the keystore without being prompted. Because keystore.kdb holds the private key and keystore.sth effectively holds the password, treat both files as secrets, and replace the example password passw0rd with a strong one of your own. A password passed with -pw is visible to other users in the process list while the command runs and is recorded in the shell history.
  2. Copy the four files to the same location (/var/mqm/qmgrs/MYQMGR/ssl) on the beta and gamma hosts, for example, by using sftp. Because the keystore contains the private key, use an authenticated and encrypted transfer, and do not leave additional copies on intermediate systems.
  3. On each host (alpha, beta, and gamma), ensure that the files have mqm group ownership and have read access for the mqm group, and that they are not readable by other users:
    chown :mqm /var/mqm/qmgrs/MYQMGR/ssl/keystore.* 
    chmod g+r /var/mqm/qmgrs/MYQMGR/ssl/keystore.*
    
  4. Instruct the Native HA configuration to use the self-signed certificate in the keystore with a TLS 1.2 CipherSpec. The value ANY_TLS12 lets the instances negotiate the strongest TLS 1.2 CipherSpec that they all support. On each host in turn (alpha, beta, and gamma), edit the qm.ini file and add the following three keys to the existing NativeHALocalInstance stanza, using the same values on every host (do not create a second copy of the stanza):
    NativeHALocalInstance:
      CipherSpec=ANY_TLS12
      CertificateLabel=selfsigned
      KeyRepository=/var/mqm/qmgrs/MYQMGR/ssl/keystore
    
    KeyRepository is the path to the keystore without the .kdb extension.
    
  5. After the configuration change is made on each host, restart each instance, for example, by restarting the mqmonitor service for the MYQMGR queue manager:
    sudo systemctl restart mqmonitor@MYQMGR
    A new active instance is elected only once a majority of the group have restarted and are running with the TLS configuration, so plan for the queue manager to be unavailable while the rolling restart is in progress.
  6. On any of the hosts (alpha, beta, or gamma), confirm that each instance is connected by using the dspmq command.
    dspmq -m MYQMGR -o nativeha -x

    When all three instances are connected, the status QUORUM(3/3) is shown. Messages AMQ3212 and AMQ3214 are also written to the queue manager error logs, confirming that TLS is in use and stating which CipherSpec was negotiated. If the quorum count stays below 3/3, check that the qm.ini file on the missing instance carries the same three values as the other hosts and that the instance can read the keystore files.
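
The following script is an added example and is not part of the IBM MQ documentation. It automates the parts of this procedure that are repeated on every host and are easy to get subtly wrong: the keystore permission check from step 3, the qm.ini change from step 4 (merged into the existing NativeHALocalInstance stanza instead of appended as a second copy, so it is safe to run more than once), and a check on the QUORUM(n/n) status from step 6. The function names, the apply argument and the stricter o-rwx permission are assumptions of the example; the runmqakm commands, the file copy and the mqmonitor restart are still carried out as described in steps 1, 2 and 5. It assumes a POSIX shell with awk and find, as on Linux.

```shell
#!/bin/sh
# Added example for the procedure above; it is not part of the IBM MQ
# documentation. It scripts the two steps that are easy to get wrong when
# repeated on three hosts: the keystore permissions (step 3) and the qm.ini
# edit (step 4), which must go into the existing NativeHALocalInstance stanza
# rather than be appended as a second copy. Function names are hypothetical;
# paths default to the page's example. Assumes a POSIX sh, awk and find.

QM=${QM:-MYQMGR}
SSL_DIR=${SSL_DIR:-/var/mqm/qmgrs/$QM/ssl}
QM_INI=${QM_INI:-/var/mqm/qmgrs/$QM/qm.ini}

# Step 3 check. keystore.kdb holds the private key and keystore.sth the stashed
# password, so each of the four files must exist, belong to group $2 (default
# mqm), be group-readable and NOT be world-readable. Returns 0 only if all pass.
check_keystore_perms() {
    dir=$1; grp=${2:-mqm}; rc=0
    for ext in kdb sth rdb crl; do
        f="$dir/keystore.$ext"
        if [ ! -f "$f" ]; then echo "missing: $f"; rc=1; continue; fi
        [ -n "$(find "$f" -group "$grp" 2>/dev/null)" ] || { echo "group is not $grp: $f"; rc=1; }
        [ -n "$(find "$f" -perm -g+r)" ] || { echo "not group-readable: $f"; rc=1; }
        [ -z "$(find "$f" -perm -o+r)" ] || { echo "world-readable: $f"; rc=1; }
    done
    return $rc
}

# Step 4. Set CipherSpec, CertificateLabel and KeyRepository in the
# NativeHALocalInstance stanza. Idempotent: stale copies of those keys in that
# stanza are replaced, other stanzas are untouched, and the stanza is created at
# the end of the file if absent. Written via a temp file so an interrupted run
# cannot leave a truncated qm.ini.
set_nativeha_tls() {
    ini=$1; label=$2; keyrepo=$3; cipher=${4:-ANY_TLS12}
    tmp="$ini.tmp.$$"
    awk -v cs="$cipher" -v cl="$label" -v kr="$keyrepo" '
        function flush() { printf "%s", pend; pend = "" }
        function emit() {
            if (!done) {
                printf "   CipherSpec=%s\n   CertificateLabel=%s\n   KeyRepository=%s\n", cs, cl, kr
                done = 1
            }
            flush()
        }
        # A stanza header is a bare name followed by a colon at column 1.
        /^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ {
            if (inst) emit()
            inst = ($0 ~ /^NativeHALocalInstance:/)
            print; next
        }
        inst && /^[ \t]*(CipherSpec|CertificateLabel|KeyRepository)[ \t]*=/ { next }
        inst && /^[ \t]*$/ { pend = pend $0 "\n"; next }   # hold blank lines so the keys land before them
        { flush(); print }
        END {
            if (inst) emit()
            if (!done) { print "NativeHALocalInstance:"; emit() }
        }
    ' "$ini" > "$tmp" && cat "$tmp" > "$ini" && rm -f "$tmp"
}

# Read one key from the NativeHALocalInstance stanza (prints nothing if absent).
# Run on each host to confirm that all three carry identical values.
get_nativeha_key() {
    awk -v k="$2" '
        /^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ { inst = ($0 ~ /^NativeHALocalInstance:/); next }
        inst && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Step 6 check. The dspmq -o nativeha output carries a QUORUM(connected/total)
# token; succeed only when every instance is connected. Reads dspmq output on stdin.
all_connected() {
    awk 'match($0, /QUORUM\([0-9]+\/[0-9]+\)/) {
             split(substr($0, RSTART + 7, RLENGTH - 8), q, "/")
             if (q[1] == q[2] && q[1] > 0) ok = 1
         }
         END { exit !ok }'
}

# Usage on each host after steps 1 and 2 have placed the keystore in $SSL_DIR:
#   sh nativeha_tls.sh apply && sudo systemctl restart mqmonitor@MYQMGR
# Once every host is restarted, source the file (. ./nativeha_tls.sh) and run:
#   dspmq -m MYQMGR -o nativeha -x | all_connected && echo "all instances connected"
if [ "${1:-}" = apply ]; then
    # Stricter than the page's chmod g+r: also remove any access for other users.
    chown :mqm "$SSL_DIR"/keystore.* && chmod g+r,o-rwx "$SSL_DIR"/keystore.*
    check_keystore_perms "$SSL_DIR" mqm || exit 1
    set_nativeha_tls "$QM_INI" selfsigned "$SSL_DIR/keystore" ANY_TLS12
    echo "CipherSpec=$(get_nativeha_key "$QM_INI" CipherSpec)"
fi
```

Because the qm.ini edit only touches the three keys inside the NativeHALocalInstance stanza and leaves every other stanza byte-for-byte as it was, the script can be re-run on a host that has already been converted, or driven from a configuration management tool, without producing duplicate stanzas.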