Accessing CRLs and ARLs with a queue manager

A queue manager is associated with one or more authentication information objects, which hold the address of an LDAP CRL server. [IBM i]IBM® MQ on IBM i behaves differently from other platforms.

Note that in this section, information about Certificate Revocation Lists (CRLs) also applies to Authority Revocation Lists (ARLs).

You tell the queue manager how to access CRLs by supplying the queue manager with authentication information objects, each of which holds the address of an LDAP CRL server. The authentication information objects are held in a namelist, which is specified in the SSLCRLNL queue manager attribute.

In the following example, MQSC is used to specify the parameters:

  1. Define authentication information objects using the DEFINE AUTHINFO MQSC command, with the AUTHTYPE parameter set to CRLLDAP. [IBM i]On IBM i, you can also use the CRTMQMAUTI CL command.

    The value CRLLDAP for the AUTHTYPE parameter indicates that CRLs are accessed on LDAP servers. Each authentication information object with type CRLLDAP that you create holds the address of an LDAP server. When you have more than one authentication information object, the LDAP servers to which they point must contain identical information. This provides continuity of service if one or more LDAP servers fail.

    [z/OS]Additionally, on z/OS® only, all LDAP servers must be accessed using the same user ID and password. The user ID and password used are those specified in the first AUTHINFO object in the namelist.

    On all platforms, the user ID and password are sent to the LDAP server unencrypted.

  2. Using the DEFINE NAMELIST MQSC command, define a namelist for the names of your authentication information objects. [z/OS]On z/OS, ensure that the NLTYPE namelist attribute is set to AUTHINFO.
  3. Using the ALTER QMGR MQSC command, supply the namelist to the queue manager. For example:

    ALTER QMGR SSLCRLNL(sslcrlnlname)

    where sslcrlnlname is your namelist of authentication information objects.

    This command sets a queue manager attribute called SSLCRLNL. The queue manager's initial value for this attribute is blank.
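The three steps above as a single MQSC script for a distributed queue manager, added here as an example and not taken from the IBM documentation; the host names, ports and object names (CRL.LDAP1, CRL.LDAP2, CRL.NAMELIST) are placeholders, and the final DISPLAY commands confirm the result.

```mqsc
* Added example: steps 1 to 3 on a distributed queue manager.
* Host names, ports and object names are placeholders.

* Step 1: one CRLLDAP authentication information object per LDAP server.
* The two servers must hold identical CRL/ARL data so either can answer.
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') +
       DESCR('Primary CRL LDAP server') REPLACE

DEFINE AUTHINFO(CRL.LDAP2) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap2.example.com(389)') +
       DESCR('Secondary CRL LDAP server') REPLACE

* If the server requires a bind, add LDAPUSER('cn=...') LDAPPWD('...').
* Those values are sent to the LDAP server unencrypted, so prefer a server
* that allows anonymous read of the CRL, or a read-only low-privilege account.

* Step 2: namelist holding the AUTHINFO object names.
* On z/OS, add NLTYPE(AUTHINFO) to this command (a z/OS-only attribute).
DEFINE NAMELIST(CRL.NAMELIST) NAMES(CRL.LDAP1, CRL.LDAP2) REPLACE

* Step 3: point the queue manager at the namelist.
ALTER QMGR SSLCRLNL(CRL.NAMELIST)

* New channels pick up the change after a TLS security refresh
* (or a queue manager restart).
REFRESH SECURITY TYPE(SSL)

* Checks: SSLCRLNL now shows the namelist name instead of blank,
* and each AUTHINFO object reports its CONNAME.
DISPLAY QMGR SSLCRLNL
DISPLAY NAMELIST(CRL.NAMELIST) NAMES
DISPLAY AUTHINFO(CRL.LDAP*) AUTHTYPE CONNAME
```

Run it with `runmqsc QMGRNAME < crl-ldap.mqsc`; if a DISPLAY shows SSLCRLNL still blank, the ALTER QMGR command did not take effect and the preceding output will show which DEFINE failed.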

[IBM i]On IBM i, you can specify authentication information objects, but the queue manager uses neither authentication information objects nor a namelist of authentication information objects. Only IBM MQ clients that use a client connection table generated by an IBM i queue manager use the authentication information specified for that IBM i queue manager. The SSLCRLNL queue manager attribute on IBM i determines what authentication information such clients use. See Accessing CRLs and ARLs on IBM i for information about telling an IBM i queue manager how to access CRLs.

You can add up to 10 connections to alternative LDAP servers to the namelist, to ensure continuity of service if one or more LDAP servers fail. Note that the LDAP servers must contain identical information.